29 Sep 2022

Editor Introduction

Cloud systems faced early resistance from physical security end users concerned about a perceived lack of control of data that ‘leaves’ their premises. More recently, mass adoption of cloud systems reflects widespread confidence in these systems to protect the data they handle. However, there are physical security professionals who remain concerned about cloud-based systems from the perspective of cybersecurity. We asked this week’s Expert Panel Roundtable: How can the industry address cybersecurity concerns of cloud-based systems?


The proliferation of the Internet of Things (IoT), connected devices, and the rush to embrace digital transformation have resulted in high demand for cloud services. Nevertheless, organisations looking to deploy cloud technologies want to be assured those services are built with stringent data protections. Every component, connection, and data flow must ensure that cybersecurity protocols are in place to protect sensitive data while maintaining an optimal user experience. Look for vendors who lead with a security-first strategy, work with proven cloud providers like Google, and have specific certifications like SOC 2 Type II, which ensures your data is securely managed. These are the partners that will go above and beyond to achieve high levels of cybersecurity compliance and guarantee your information stays safe.

Cybersecurity is certainly one of the first questions and major concerns of end users and systems integrators when discussing the cloud. It should also be a natural part of the planning for a system that includes one or several cloud components. The general misconception is that cloud systems are not as secure as traditional on-premise systems, but cloud systems are actually easier to keep up to date on software and firmware, ensuring the latest security patches and updates are implemented. This is because cloud providers perform these updates in-house and relieve the maintenance burden that would normally fall to an end user or integrator’s IT department.

To begin with, the concept of cloud-based security systems took a while to gain broad acceptance, with some commentators worried about the cybersecurity aspect. Now that cloud hosting is commonplace across many sectors (including financial services, for example) it has a much broader acceptance across the board. However, the security industry must never be complacent! The most important thing we need to do and show to prospective and active users of cloud-based services is that their data is completely secure. Firewalls at the on-premise end of the network are crucial in this regard, as is ensuring that any data transmitted is properly encrypted. Clients need to have the confidence that they can wholly trust their cloud provider with their data. It only takes one incident to shatter confidence, so it is vital that cloud-based services maintain fully watertight protection.

Sanjay Challa, Salient Systems

There are a few different categories of cybersecurity issues regarding cloud-based systems. Typically, this has little to do with encryption of data in transit or at rest. More often, the issues arise from control/management of access credentials, configuration, insiders, APIs, visibility and control of cloud operations, and other sources. Addressing these cybersecurity concerns is no different for the video surveillance and physical security market as it is for other markets. Much of it comes down to proper management and process/operations, visibility, training, tools, and talent. There is no silver bullet or shortcut; it is important for this industry to take cybersecurity seriously and be prepared to make a continuous, ongoing investment in this area.

Our industry tends to assume that everyone understands how cloud-based systems work, but many lack a basic understanding and working knowledge of the cloud. It’s this lack of education that is at the root of concerns, whether they be about data privacy or cybersecurity. For example, I don't think a lot of people understand that when you deploy a cloud environment, you pick where your data is going to be stored and if you don’t secure it properly, it’s going to be publicly accessible. And while data privacy is a central issue, it’s also critical to consider how cloud workflows might impact your security compliance. Are you HIPAA, PCI DSS, ISO, or CJIS compliant with your on-premises system? It’s incorrect to assume that any cloud-deployment model will automatically be compliant as well. It’s paramount that end-users and systems integrators are aware of who has access, and who is responsible for configuring cybersecurity parameters.

Yale Fox, Applied Sciences Group

The technology industry should begin to adopt artificial intelligence and machine learning tools in order to address some of the current and future concerns involved with the public cloud. For example, it can create virtual firewalls that learn and adapt to changing patterns of traffic and activity or make it easier for humans to analyse and interpret that data more effectively, as well as identify or track down the source of attacks. Additionally, AI can be used to create systems that can automatically patch vulnerabilities and respond to attacks in real-time.

Wayne Dorris, Axis Communications

To effectively secure cloud-based systems, the industry must shift to a ‘zero trust’ mindset when establishing and maintaining networks and architectures. The main idea of a zero-trust network is that no entity connecting to and within the network can be trusted, and it employs techniques including network micro-segmentation and granular network perimeter security to determine whether an individual's credentials are authorised. Giving users access only to the networks they need provides obvious security benefits, and being able to track deviations in the actions associated with individual roles further ensures network protection. Additionally, sometimes people put things in the cloud and expect everything to be automatically secured, but they must take action to ensure proper security. In doing this, cybersecurity departments should pay close attention and certify that their policies and cybersecurity controls are applied correctly across all the cloud providers they are using, as each provider contains similar, yet distinct, controls.

From a security perspective, moving to the cloud means sharing information security responsibilities with the provider. Typically, tier-one cloud providers have implemented far more stringent security measures for their infrastructures than most independent organisations could ever afford to do on their own. Tier-one providers offer the highest levels of physical security for their data centers since they have to comply with regulations such as SOC 2, ISO 27001, HIPAA, and PCI. SaaS providers also implement mechanisms that help businesses quickly identify and manage risks. From encrypted communications and granular privacy controls to strong user authentications and system health monitoring tools, cloud-based solutions come with very robust cybersecurity and privacy features. Connectivity can bring some risks but it also comes with inherent advantages. Cloud service providers must do their part to ensure that the right security mechanisms are in place, such as vulnerability management and updates, system hardening, DDoS protection, encrypted communications, data protection capabilities, strong user authentication and password protection.

David Huang, Anviz Global Inc.

A recent cloud security report showed that 66% of survey respondents believe that traditional security solutions either do not work or have limited functionality in the cloud. Given how the growing threat landscape jeopardises the benefits of greater cloud adoption, here are four key points to consider:

  • Consult with a trusted cloud security advisor to benefit from industry best practices and build cloud security into the design.
  • Use consolidated threat-prevention cloud tools. Cloud security is much more complex than traditional on-premises security because instead of one perimeter (the network link connecting your company to the internet), you now have multiple perimeters.
  • Centralise visibility, which is particularly important in cloud security because you can’t secure what you can’t see.
  • Perform regular risk management exercises for every possible and impossible cloud security solution.

For example, with security configurations like encryption and key management embedded in AWS (Amazon Web Services), Secu365 by Anviz implements protection throughout the process from data transmission to storage and moves traditional security practices from reactive to proactive and preventative.


Editor Summary

Current cybersecurity standards and practices are robust and widely implemented. Cloud systems protect a range of very sensitive data, such as financial transactions. However, physical security end users need to be aware of cybersecurity requirements and evaluate how well their cloud service providers are leveraging the available tools to protect their data. With awareness comes a greater level of comfort using cloud systems.
