The report concerning Microsoft Azure’s Cosmos DB database should be an IT security wake-up call to the tech giants and other organizations, especially those moving more and more toward cloud services. In addition, as office reopenings are being halted due to the ongoing pandemic, more and more emphasis must be placed on keeping organizations secure, especially while their employees continue to work remotely.
Human Error Remains Cybersecurity’s Biggest Obstacle
Microsoft products and services are designed, managed and maintained by people — just like any other IT service. And people make mistakes, especially in the highly complex world of IT security. This is the reason why all organizations must not assume that the IT security measures they’ve established are 100% guaranteed to keep cybercriminals out.
There are very clever, crafty people out there who spend many hours working out ways to attack corporate networks that no one else has considered. The ‘good guys,’ or ethical hackers, do this for a living with rewards such as ‘bug bounties’ that big tech companies pay out for information about security flaws. But there are many more ‘bad guys’ than good guys out there, and the rewards are often much more significant while the chances of getting caught remain very slim.
IT Security Is Paramount
Big tech must continue to invest heavily in IT security. This is just a commercial decision since even the best IT services will lose more and more business if security breaches keep occurring. The combination of highly effective news dissemination together with cybercriminals who use publicity in various forms to put pressure on organizations means that hushing up IT security incidents is definitely the wrong thing to do.
All Parties Must Defend Their Data
It’s not just the big tech organizations that are on the hook for IT security. Since not even they can prevent all cyber-attacks and breaches, their customers must share some of the responsibility for keeping their data and systems secure.
Many cloud services provide shared security models, but these should also be carefully examined. Even though there is shared responsibility, the cloud provider is still the single entity managing the security measures. And a single entity is a single weak point, prone to cyber-attacks.
Organizations Need to Have Some Control
In the Microsoft Cosmos DB case, the customer generates the security keys, which are then managed and stored within the Microsoft service. The discovery that these keys were not protected meant that this ‘shared’ security model still failed at the single point of control.
Organizations must therefore take at least some control over IT security, using tools over which they have control rather than a single external supplier. The ‘endpoint’ is perhaps the most obvious example here. Most organizations that embrace cloud services continue to provide their staff with PCs — and this is the endpoint.
Endpoint Security Is Vital
Many organizations may well have examined the security controls provided by the cloud service but often dismiss the endpoint. However, in many cases, the end-user will save a variety of data locally onto their PC. This is frequently data downloaded from the cloud service for reporting, analysis or just as a more convenient way of processing information — ultimately, not all cloud services allow users to do things exactly the way they find most efficient. It is therefore essential to ensure that endpoints are just as well protected as servers and services.
The bottom line: Big tech must continue to work hard at IT security, using their own in-house expertise and benefiting from third-party security experts who can provide a fresh pair of eyes. In addition, they should encourage their customers to use the built-in shared security functions and use their own IT security tools so that there is no single weak point.
Nigel Thorpe, Technical Director, SecureAge | Infosecurity Magazine