Cyber-security speaker, writer and entrepreneur Jane Frankland kicked off Cloudsec 2017 today by championing entrepreneurship, freedom and empowerment within the cyber-security industry as the context for discussing the risks and opportunities involved in business going digital.
But first she emphasised the importance of the job that cyber-security practitioners do. This includes protecting society from threats ranging from cyber-terrorists to cyber-criminals, and she called on delegates to imagine the world without us doing our role and the impact that would have on economies, demonstrating that it is an extremely serious role. “We secure the world's operations. Our role is not just to protect business but enable it to evolve,” said Frankland.
While the day as a whole encompassed IoT, cloud and digital transformation, the first session began by discussing how we balance digital good with digital bad.
Digital transformation presents risks which need to be balanced against opportunities, and on balance there are more benefits to be gained in our daily life and business, Mark Hughes, president, BT Security, told delegates. He went on to explain that while the security environment has changed, particularly the use of cloud versus on-premises infrastructure, some things have not changed, such as understanding threats and translating them into risk. “Previously we were more reliant on perimeters, and that has changed. The loss of the perimeter is fundamentally different and we now need to be more vigilant at every level,” but, he added, “we can also use the cloud to secure cloud services.”
Certainly not one to avoid a straight answer, when moderator Frankland asked Stuart Aston, national security officer, Microsoft UK, whether cloud was the way to go, and whether it was actually safer, his short answer was, “Yes.” Of course he did go on to elaborate: “When we make investments in the cloud, we do so at a level that most organisations couldn't do alone. We spend £1 billion a year on cyber-security. So the question for people using cloud services is, how do we get assurance that our cloud service provider is doing what we expect them to do? Assuming they do, you can focus on the basics of your infrastructure that you may not have done, and so get better returns as you are more focused on your business needs than on generic infrastructure. But you don't give up on basic hygiene. Does the attacker try to batter down billions of cyber-security investment [in the cloud] or on-premise security?”
Ian McCormack, technical director for risk, NCSC, joined the discussion to address the issue of responsibility for duty of care in relation to end users' data. His response was unequivocal: those providing services remain accountable for the service, but responsibility for delivery changes, and we need to address how we use that shared responsibility model.
So an incumbent or government service provider remains accountable for how it uses assurances from a service provider on behalf of others. Security responsibilities are about process change; as a result, “...security should be driven by business and security need.” The move is away from generic security, towards “where do you need security, what is appropriate for particular cloud services?” It is business which must drive its technology focus.
Martin Borrett, chief technical officer, IBM Security, cited the Wimbledon Tennis Open as an example of how adoption of cloud is continuing at pace, both on premises and off premises, becoming more complex and hence needing a holistic view to meet the challenge of achieving effective security. He added that codes of conduct go beyond compliance and encompass a set of capabilities, covering GDPR but going well beyond it to commit to a level of service.
Mieke Kooij, security director, Trainline, answering the question, What more can the board do [to enhance cyber-security]?, responded, “It depends on the organisation you are in. Ours gets it more than some might and needs to take clients on that journey with us relating to technology and platform. You need to layer on the right security controls for the data you are handling. In a tech company they understand, but for many others the understanding is less so.
“We are selling the ticket, we are not operating the train. We do deals with the rail industry as a whole. They are looking at control systems. We are looking at protecting the data.”
Hughes noted that complexity was always there. “But now we are looking more at downstream risk and supply chain risk, and how you view that risk – but this is just another risk in the panoply of risk. Consequently organisations need a well-defined risk management programme and appropriate controls. There are opportunities to simplify this [using outsourced service providers], but we should not just rush to three or four big providers, as successful companies need to know how to handle risk. So there is change, and you still need end-to-end security, but you also still need to maintain flexibility to be ahead of your competition.”
Borrett added that when using third parties, the suppliers should be transparent about what controls they have and the circumstances under which they can access customer data. While this should be minimised as much as possible with technical and contractual controls, he made the case that there are circumstances, such as meeting legal requirements, where this access is desirable. As to the suggestion that everything can be encrypted, he responded, “It depends how the data is stored, how it is used, and how you expect your cloud provider to handle the data. It's important to understand how you use this protection.”
Frankland commented that cloud adoption is not something that's going to happen, it's happening, and breaches are happening. Is that something we accept?
McCormack replied, “Yes, we should assume breaches will happen. But we should not think that there's nothing we can do. We need to identify, protect, detect, respond. We need protection in each space.” He concluded, “Cloud gives certain tools. We need to understand as organisations where our core competence is and, for many companies, it's not infrastructure.” But he added that you do need visibility of what is going on with your data, prepare for how you respond to an incident, and have procedures appropriate to the services you provide.