What does cloud-based compliance and security offer manufacturers vs on-premise?
The use of cloud computing by organisations of all sizes continues to grow. Industry analysts Statista put the size of the cloud computing market, across multiple platforms (IaaS, SaaS, PaaS and on-premises private cloud), at at least US$336 billion by 2022. Importantly, the recent pandemic has increased awareness of, and interest in, cloud-based solutions.
For manufacturers, cloud-based solutions offer several advantages over on-premises offerings. Better security and an opportunity to align global compliance requirements are just two of them. These come on top of other expected benefits from cloud such as scalability, lower costs and greater resilience.
What are the cybersecurity challenges organisations face?
The cybersecurity challenges for all enterprises continue to grow. They range from attacks against employees to large-scale attacks against infrastructure. All are designed to impact organisations and disrupt how they work.
Attacks against employees include phishing, Trojans and Business Email Compromise. All are designed to steal user credentials to gain access to data and install malware on the corporate network. There is also an increase in the insider threat, where employees collaborate with attackers to steal data.
IoT devices are used to monitor manufacturing plants and equipment. Many are insecure or come with limited security. This allows attackers to co-opt them into massive botnets, which are used to flood the Internet with traffic and knock out websites.
Software vulnerabilities from applications to operating systems get more numerous year over year. In 2000, there were just 1,020 Common Vulnerabilities and Exposures recorded. By 2018, that had reached a peak of 16,556. An increasing number of these vulnerabilities are complex to remediate and apply to very specific pieces of hardware and software. As operational technology (OT) inside manufacturing plants becomes increasingly exposed to the Internet, equipment is exposed to greater risk. It puts more pressure on IT departments to patch and remediate vulnerabilities. If left unpatched, attackers will seek to exploit them.
There is a global shortage of skilled cybersecurity staff. It has left many organisations struggling to protect their networks against attacks. Even when they do employ people, they can struggle to keep them as competitors offer larger salaries and more attractive environments.
Two key reasons why Cloud is more secure than on-premises
High-profile security breaches always create fear. When it comes to breaches of data stored in the cloud, the vast majority break down into two categories: stolen credentials and misconfiguration. Stolen credential attacks are a risk no matter where data is located and are best addressed by improved user education, more secure login technology and better access controls.
Misconfiguration is a different issue. The majority of cases are caused by developers and administrators on the client side changing default settings. This is, therefore, not an issue with cloud providers or the underlying security model of the cloud.
Companies whose applications are delivered using Software as a Service (SaaS) offer multiple levels of additional security over on-premises. The vendor is responsible for patching and updating the applications automatically. This removes the risk of unpatched applications becoming a security weakness. In addition, the cloud provider on whose infrastructure they sit will be responsible for securing that infrastructure.
But is there evidence for cloud being more secure? Over the last three years, there have been numerous surveys conducted by vendors. What they show is increasing trust in the cloud. Last year, Nominet asked CISOs, CTOs and CIOs if the risk of a breach in the cloud was more or less likely than from on-premises systems. 61% said they believed the cloud is safer than on-premises IT. More importantly, 92% of those same respondents said that their business is adopting cloud-based security solutions.
What can cloud-based security deliver?
Cloud-based security solutions can solve many of the issues identified above.
- Cybersecurity skills: Cloud Service Providers (CSP) and Managed Security Services Providers (MSSP) have some of the highest-paid and best-trained people in cybersecurity. They can leverage the experience of those staff and the threat intelligence that they gather to preempt attacks on their customers.
- Multi-platform support: Organisations no longer rely on a single cloud platform such as Infrastructure, Platform or Software as a Service (IaaS, PaaS, SaaS). They use multiple platforms from multiple suppliers, in addition to their on-premises IT environments. CSPs and MSSPs have the tooling and experience to deliver a multi-layered defence across all these environments.
- Controlled access: Employees at CSPs and MSSPs have no direct access to mission-critical data. This reduces the risk of an insider threat. CSPs and MSSPs can also help deploy multi-factor authentication across the entire IT infrastructure.
- Encryption and key management: Cloud environments have evolved to allow customers to bring their own encryption keys to the platform. This further reduces any risk from staff working for the CSP or MSSP while giving the customer control over data protection.
- Auditing: CSPs have their environments regularly audited to maintain industry accreditations. It means that there are regular checks to make sure security is effective and up to date.
- Patching and vulnerabilities: The advantage of 'as a Service' is that patching is automated and carried out by the cloud provider. This reduces strain on internal IT departments and ensures that all software is up to date and secure.
The increasingly complex world of compliance
The Internet means organisations are now global. Customers can come from anywhere, and dealing with those customers, their orders and their data means considering the impact of compliance legislation around the globe. Privacy (GDPR, CCPA, OAIC, HIPAA, PCI-DSS), finance (SOX, Basel, FISMA), eCommerce and data sovereignty legislation impact every organisation selling and buying goods.
Aligning compliance requirements with IT and the business can be challenging. Add in non-owned platforms such as cloud, and for many organisations, it becomes increasingly difficult to get operational alignment.
What compounds the issue with the cloud for many companies is the global reach of compliance. If data is coming from multiple regions, there are overlapping controls on how it is managed and kept. This is where cloud service providers can simplify the process. They can put in the relevant controls to meet data sovereignty requirements. They can also deploy the applications that access the data in the same region as the data. This reduces latency and stops accidental leakage of data across regions.
Many cloud service providers are also compliance-ready. To offer services to customers, they will have ensured that their applications meet the requirements of legislation such as HIPAA, GDPR and PCI-DSS. The regular audits carried out at cloud service providers give a higher level of assurance that compliance requirements are being met.
You cannot outsource accountability
Organisations often make a mistake when they engage with a cloud partner in thinking that the engagement absolves them of accountability. IT DOES NOT! There is no mechanism in law to pass accountability to a third party. Such a misunderstanding is the fastest way to a damaging fine from a regulator.
What is required is a partnership where the customer fully engages with their chosen cloud partner to ensure that security and compliance controls are correctly implemented. One way to do this is to have a complete set of all the cybersecurity and compliance controls that need to be implemented. However, few organisations have a working list for their on-premises environments. Expecting them to have this when working with a cloud partner is optimistic but should be seen as good governance.
A solution to this comes from the Cloud Security Alliance (CSA). It provides clear guidance for both the cloud industry and its customers on cloud governance, compliance and security. One of its free tools is a Cloud Controls Matrix (CCM). The CCM is a cybersecurity control framework. It uses 133 control objectives over 16 domains. This comprehensive coverage of the cloud helps organisations take their existing security controls and ensure that they are implemented in the cloud.
How does compliance and security change when moving to the cloud?
This blog set out to provide an answer to the question "How do compliance and security change when moving to the cloud?" It has set out common challenges that organisations face and how cloud improves, not weakens, cybersecurity. As importantly, it sets out the need to engage with cloud providers who understand the compliance frameworks that affect your business.
Using a framework such as the CSA CCM will enable organisations to improve security and align their compliance needs effectively with the cloud. It will make the cloud a trusted first-class platform on which to deploy critical systems.
Enterprise Times has created a survey, executed by SG Analytics, which asks a series of questions looking at how manufacturers are looking to transition to cloud technology. The survey is open to European respondents in managerial positions. Responses are anonymous.