What is the impact of the cloud in terms of organisational security?
Cloud introduces new security risk to organisations because publicly exposed APIs are the underlying infrastructure that makes the cloud and cloud applications run. Unlike the HTTP/S view of websites, which is largely choreographed for user experience and constrained on what is exposed or exploitable, APIs are built with fully exposed controls to support orchestration, management and automated access to the environment and applications. APIs provide a rich target for exploitation and introduce another dimension to the challenges of expanding boundaries that were not seen in traditional enterprise on-premises perimeters.
Is security in the modern digital world like an open city, as opposed to traditional corporate computing, which is more like a castle?
Attackers will take the path of least resistance, and employees – and IT in many instances – will unwittingly help them. There will always be employees who will fall prey to phishing, surf exploited sites, or use free Wi-Fi from a coffee shop to open the door for the attacker. Also, common infrastructure weaknesses are the ‘exploit of choice’ to land a beachhead within an organisation, such as using an SQL query to find cached credentials, or finding a publicly exposed unpatched server to exploit. And then there is always the fallback to first-initial-plus-last-name with password1234.
How do we stop hackers from taking over the identities of victims in order to gain access to systems? Any real-life examples that demonstrate this?
There is no way to prevent intrusion through exploiting identity. The best that can be done is to slow attackers down by using good identity hygiene: implementing multi-factor authentication, using longer passphrases over passwords, deprecating expired employee accounts and monitoring access logs. However, the industry is making improvements in identity around trust by using multi-context analysis strategies that include time of access, country of origin, host computer in use, and other behavioural analyses to add weight to identity.
At the end of the day, organisations need to put in place robust procedures and make employees accountable for keeping networks safe and secure. The cloud introduces new security risks for organisations that will need to be managed effectively by the CISO; failure to do so could be very costly.