Cyber-security professionals remain markedly sceptical about cloud services despite the growing pressure in organisations large and small to use them.
In a panel discussion at EuroCACS 2015, being held in Copenhagen and organised by ISACA, delegates were asked to answer questions in an interactive poll live during the session.
Asked if their organisations were using public cloud for production work, 61 percent of the audience answered no, a response that puzzled and even worried some panellists.
Rob Clyde said the response worried him because in his experience cloud-based software as a service (SaaS) had proved invaluable to his organisation. Keeping services such as CRM databases running in-house had required the full-time attention of at least one IT person.
Christos Dimitriadis, recently elected global president of ISACA, admitted that there could be a security case against cloud but said he ultimately favoured it because the cloud is in fact more secure than in-house servers.
“For security, you need a business case because being trendy is not enough,” he said. “It's vital to ensure you ask the right questions of the service providers. When do I get informed of a breach? Where is the data stored? You have to have a framework to ask these questions.
“But after doing the service analysis, many enterprises will realise that their security is weaker and more expensive than the service providers.”
One delegate asked the panel at this point whether it made sense to use a hybrid approach, keeping some data and processing local and outsourcing some to the cloud.
Eddie Schwartz rejected this idea. His organisation, which tracks advertising fraud on the internet, processes billions of transactions each day, and he said the cloud enables it to scale its data analytics capabilities up and down as required.
At the other end of the scale was Ben Hammersley, a futurologist and author, who said the cloud enables him to build and shut down teams of people for various projects quickly and efficiently. “When you are talking about lightweight teams and computationally light workloads such as word processing and spreadsheets, the cloud makes it infinitely easier than it was before,” he said.
As to the security of his data in cloud applications, he replied: “If someone really wants to spend the time and money to find that data and use it to my disadvantage, then I would like to shake his hand for figuring out a use for this information that I hadn't been able to find.”
Hammersley added: “Much of the fear about this is movie plot stuff. If someone reads my mail of three years ago, what will happen? F*** all.”
Another question for the audience was: when was your last cyber-attack and/or breach?
The responses were overwhelmingly on the side of "recently": 54 percent said they had been breached in the past six months, and 40 percent said they had been breached within the last 60 days.
The panellists were, first of all, surprised by the honesty of the audience. Rob Stroud, former global president of ISACA and the chair of the panel discussion, said that when he asked that question four to five years ago, 80 percent of respondents had said “never”. Today the figure was only 16 percent.
Of course, one of the questions that emerges when you pose these sorts of polls is what comprises a “cyber-attack”? Schwartz said it should be more than just a port scan and that to constitute an attack it should involve some action designed to gain entry to your system.
Part of the discussion centred on the words and metaphors we use to talk about cyber-security. Hammersley reiterated a point he had made in his morning keynote speech: talking about “penetration”, “compromise” and other metaphors for physical assault shifts attention away from methods for securing IT resources that are more akin to public health.
“I think the metaphor is wrong – it should be about public hygiene,” he said.
It was a point picked up by Schwartz, who said the audit community should pay attention to this idea because traditionally it has asked for statistics on hits on the firewall and so on. “As threats go up, we become increasingly worried but the figures are meaningless. What are the assets? How many attacks are being launched against those assets?”
Christos Dimitriadis concluded by arguing that cyber-security professionals were in an ideal position to help bridge the gap between hard-core IT security and consumers and business users. “The present challenge for the CISO profession is to transform IT to help the business reach its potential,” he said.
Rob Clyde said that the perimeter is fast disappearing and “in most cases is already dead”.
“It's tough for us long-time security guys but I would encourage you to see the world as it is, not as it was,” he said.
He also noted that the people with the most power in today's tech-enabled organisations are the system admins. “Do you know the people in your organisation who have the power to take down or disrupt your organisation? Not that we don't trust them, but who are they?” The bad guys are targeting the admins because of their power, and everyone makes mistakes, he added.
ISACA will publish the results of its snapshot survey in a future report, Rob Stroud said.