Combating Cloud-Based Cyber Attacks

Alberto Rey García, Global Head of Cybersecurity Operations, BBVA


The latest developments in the technology services industry, along with a general trend among companies to move their investment plans from CAPEX to OPEX, have led a large number of our organizations to migrate their infrastructure, platforms, and software solutions to the cloud at a pace never known before, and to execute their migration plans in an environment of constant urgency driven by innovation and cost control.

This is relevant for companies of all sizes alike (to take my own example, BBVA’s cloud infrastructure currently accounts for 40 percent of our total assets, with public cloud environments representing over 20 percent), but it’s even more impactful for smaller companies, which are often keen to rid themselves of the complexity associated with managing this new set of assets, and often lack the ability or the resources to invest in appropriate training.

That’s the environment, and it affects not only business solutions but also cybersecurity ones. CERT teams all over the world find themselves protecting on-premise assets from the cloud, or the other way round, while trying to make sure the enormous amounts of data they need to do so are moved and kept in a secure manner. But that’s only the lesser part of the challenge.

The larger chunk of our problems is neither the set of technologies at our disposal (nowadays mostly cloud native from the log generation to its submission, storage, and analysis) nor our teams (who are absolutely in line with that reality too), so what’s the real issue with cloud-based attacks then?

Think about it for a minute: How many security incidents have you heard about which truly affected a CSP beyond the instance of some of their customers? The answer is probably that you’ve heard about very, very, very few, and rightfully so.

What usually happens is that firms running their workloads in the cloud suffer cybersecurity incidents derived from attacks that rarely affect any other customer of their CSP through the same vector. These attacks normally originate from outside their perimeter rather than from a security problem elsewhere in their supplier’s network, and they often leverage misconfiguration problems on the assets the customer is directly responsible for.

One can’t help wondering how that can be the case, especially considering that cyber security teams tend to be among the most highly skilled in the IT industry, and are therefore able to execute a full and comprehensive hardening of any asset. In my experience, the recipe to avoid this situation is based on two basic aspects that are easy to overlook:

Assessing the need for a thorough reskilling exercise before jumping to the cloud. It's paramount to make sure that the knowledge of your security and IT teams is not only great for your traditional architecture, but also up to date when it comes to understanding the features available at the cloud service provider of your choice.

Adhering to your partner's indications in terms of security, and a governance model that lacks the ability to guarantee that the cyber security team is not only aware but has a say on each and every deployment in the cloud your organization decides to perform.

At the end of the day, cyber attacks on a cloud-based environment are much like any other from an attacker’s perspective, but can be very different from the defender's position if those two elements were not carefully considered. This can seriously limit the ability of any CERT team to react with the same speed and effectiveness they would have had if the attack had happened against the systems they’ve always known.

We should all be careful with this: design our move to the cloud by truly redefining our architecture rather than applying a lift-and-shift approach, and make sure we leverage the plethora of advanced capabilities these new environments provide from time zero, thus sparing a good amount of sterile trial-and-error effort.
