VIDEO TRANSCRIPT
The very first question that i've got is um what do you see as being the most impactful security concerns in the cloud in 2021 and what advice would you give to mitigate them and greg we're going to start with you
Yeah brilliant thank you gentlemen um you know i'm going to start with i think was probably the obvious and we did some research our unit 42 team shared about a quarter ago which was over half of their cloud security breaches are a failure of just simple security hygiene um so you know good password management the right access controls uh patch management all those things that we've spent years doing very well in our own physical estate uh you know we're learning still i think how to do that well in the cloud uh and you know there's a lot of complexity to that we see typically organizations may be using three four five even ten different sas applications uh you know often using more than one different global cloud provider um so i think you know the number one challenge here is how do we achieve the same baseline of cyber security that we've been used to in our own estates and how do we deliver that consistently across a ever more diverse environment and i think i'll just leave a final thought before i pass it on to to my my peers here which is um we always very much start to focus on uh you know http and purely kind of application control but we also have to remember now that all of our workforce are working from home or different places so it's not purely just about the applications it's about all of the other things that are involved we found over 50 and some research were published shortly all of those breaches occurred still through simple things like smb protocols where we've not shored up well enough the connection between somebody's at home and now all of these collaboration tools or other applications they're using in the cloud
All right excellent so richard you're next
Yes so uh i'm gonna tailor it to the poll so i think the first poll showed that's at sas as the lead and that makes sense because everybody's been doing that over the last three or four years and we've been learning to do that yes i kind of think that's the first phase i think one of the challenges as people mature is that they've been using really infrastructure and platform as a service and they've been drawing that and they've usually been doing it in the sense of just an extension of your data center to not really opening up services through a dmc or internet facing applications so like you know hosting your own sas applications in your own points of presence around the globe if you're a global organization so i think that that dmz is going to be challenged because the cost of it but the controls need to be migrated but then underneath that as we've been maturing there's another phase coming to the sas because you've got some organizations that are purely based in in the cloud is what they're finding now is there's a lack of governance between sas to sas so what you find is that again with remote working people jumping on teams people wanting to do enterprise solutions such as box or salesforce what you actually find is that these products are actually platforms for integration of third parties so you know teams underneath it is an umbrella platform to put all these different sas providers in linking them together and there's a real lack of governance there and while you can posture cloud providers posturing your relationships requires a deep understanding between these platforms like box or salesforce or teams and so suddenly you open up a sas provider and you go through your internal governance process to go to that sas provider and then suddenly people start turning on functionality you can think of this as a bit like chrome and all the extensions inside of it so this is a real problem so we need uh tools in this place and they are coming on the market to understand the deep relationship between say a sas one provider and sas two or sus two or sas one and it can then posture these deep relationships so that you have governance around what's actually going on as to what people can do in these environments tied to that is this new generation of identity provider that's trying to govern this relationship so people really need to start thinking about what they're doing for their next generation of identity provider normally people have got that internally and we have sso or single sign-on into a cloud provider but it's not really optimized so you have to think about that and when you start looking at the identity provider it starts leading you down a path ultimately to things called zero trust and zero trust is going to be a hot topic as it comes up in 2021 and all that does is just switch switches the paradigm around where instead of giving access to the system or endpoint and then being challenged for authentication your your challenge for authentication first and then given access and you're going to find more of that and that's what for me is where it leads to ultimately so we're on the path to that and what's going to bring it out is the fact that we need to cover this phase two of building these ecosystems that go sas to sas and put the governance in place that's going to bring out the question of identity and then that's when we look at remote working that's going to be putting in this these other controls that we need
Brilliant okay thank you thank you richard lee over to you
Okay um i'd like to build i guess on what greg said the configuration of the cloud platforms and it was seeing a lot of misconfiguration or and those sorts of things obviously what's happened in the last year there's been a rapid adoption in cloud technologies people have moved their infrastructure to the cloud to enable remote working a lot better to work better and as part of that a lot of that configuration probably hasn't been done correctly um so we'll see more security breaches due to that cloud environment um being misconfigured you know the stuff that's been talked about in the past but open storage containers access to databases and those sorts of things so it's making sure that where people have moved to the cloud over the last year to enable remote working and more flexible workforces we look at that and understand how it's been configured and it's tied down so as richard was talking about a lot of tools out there which enabled a lot of this so making sure you've got the right tools to analyze how your cloud environments are set up um to in and to ensure that they're tied down and then monitored to make sure that there are no no or as minimal security breaches as possible in those environments