When we discussed our approach to security with our marketing team and whether we’d create a “pillar” on the website discussing our security offerings, the idea was killed quickly. After all, we’re not a “security company”, per se, as it’s not something we do in the absence of everything else we do. In other words, our keystone practice surrounds Citrix technologies, and when our services teams implement Citrix technology, they do so with security top of mind… not as an afterthought, not as an add-on, but during each phase of every engagement.
Why? Businesses expect security; we expect security audits. If public cloud providers, such as Microsoft, believed businesses did not expect/demand/need security, would Microsoft expect organizations to invest in Azure? Doubtful.
As a matter of fact, Microsoft continues to invest more than $1 billion USD per year in cyber security research and development efforts and, as Microsoft’s vice-president of security, Bharat Shah, told Reuters in 2017, “as more and more people use cloud, that spending has to go up.”
Think of it this way: the more cloud businesses consume, the more cloud providers can invest in improving protection measures. In other words, a portion of your cloud consumption costs (i.e. a percentage of virtual machine runtime) is attributable to security and protection costs (more so if native cloud protection features, such as geo-redundancy, are enabled).
Public clouds also provide many conduits into their environments – and by many, we mean many, not the typical two, perhaps three, conduits businesses may have in private cloud. This diversity of access is a transparent capability of public cloud: one link could conceivably be saturated by a denial-of-service attack, yet you and your users would hardly feel any impact.
The list is endless… machine learning, artificial intelligence and automation are all native feature sets available as a consumable service in public cloud. Better yet, these services are easily enabled through a series of “clicks” and “check boxes”, or other simple integrations, to speed time to value in heightening security postures within public cloud. Comparatively, doing likewise in private cloud is cumbersome and costly (albeit still a necessity, just perhaps not as automated).
Nonetheless, security in public cloud becomes a shared responsibility between the provider and the consumer (the business), and transparency is critical to ongoing success. Microsoft’s Trust Center provides a wealth of information surrounding the four pillars of their Trusted Cloud initiative – Security; Privacy and Control; Compliance; and Transparency.
Rather than regurgitate all the pertinent details, we’ll point to an excellent blog post by Arpan Shah, GM of Microsoft Azure, on the 3 ways Azure improves your security, with these key takeaways:
- $1 billion USD investment per year into cyber security;
- 3,500 dedicated cybersecurity professionals;
- Hundreds of data centers in 50 regions with multi-layer protection against physical access.
And that’s not even touching the service capabilities to protect the information and workloads businesses place in Azure. To illustrate one such functionality, a story is in order…
If you’ve not yet experienced “CEO Fraud” or “Business Email Compromise”, you will one day. To sum it up succinctly, this type of attack is where a legitimate e-mail address, usually belonging to the CEO of a business, is spoofed to fool internal employees into leaking sensitive information or, worse, siphoning money from the business through a wire transfer, or similar.
In most cases, accounts are never compromised, and these cybercriminals use crafty methods of making their external e-mail addresses appear as if they originated internally. In other cases, accounts are compromised, and attacks take on a deeper level of sophistication and harm.
In a recent case, it was clear that an individual close to the CEO was considered high-value for information and was targeted. Without sufficient security controls, specifically surrounding password lifecycle management, the target’s account was compromised. Unfortunately, while the business had gone to great lengths to enforce two-factor authentication across their private cloud services, they neglected to apply and enforce two-factor on certain public cloud services. As a result, the account was compromised through a public cloud service and went unnoticed for nearly two weeks. Fortunately, the information that was siphoned through the public cloud service was public knowledge; however, the organization wished to minimize these threats in the future.
Accordingly, we recommended further investment in Microsoft Azure Active Directory and Identity Protection, and integrated them with their existing multi-factor authentication to extend additional security requirements to public cloud services. Also, with Identity Protection, we were able to provide automation against unwanted, unexpected, or undesirable access across many services: it would block authentication, lock accounts, and force password resets in the event any anomalies were detected.
It may sound complex and time-consuming, but both the multi-factor authentication and the authentication automation and protection were implemented within hours of the breach detection. In this case, “time to value” of public cloud capability is an understatement.
Full disclosure… we believe Microsoft Azure is the market leader in public cloud services.
Next week, we’ll get back to the Good and Bad of “cloud”.