The adoption of cloud services is core to the Australian Government’s digital transformation strategy. Cloud services yield faster service delivery for agencies and ensure organisations only pay for what they consume. Yet, this shift to cloud introduces a degree of risk and uncertainty that needs addressing, so let’s look at this risk in terms of merging the Government’s foremost cyber security advice with the Digital Transformation Agency’s cloud-first strategy. Read more to understand how the ASD’s Essential Eight supports the Australian Government’s move to Cloud.
It’s no secret that government departments have to assure the data they handle, given much of this data is confidential employee or citizen data. When information is moved from a locally-managed datacentre, where the agency had full control of its ICT stack, to the cloud, physical systems might now be co-located alongside other customers’ systems. Disparate software-as-a-service capabilities, sourced from multiple providers, will come together on the desktop or lower down in the stack.
Understanding who is responsible for which parts of any solution is important when it comes to cyber security. Agencies need to de-clutter their thinking about all this new technology and focus on getting security right, no matter how the services are wired up. Ongoing diligence is required, as digital transformation will significantly change your cyber attack surfaces.
Last year, the Australian Signals Directorate (ASD) published its flagship cyber security advisory, known as The Essential Eight: Strategies to Mitigate Cyber Security Incidents. In this publication they identify eight critical cyber security controls which they claim, if implemented, will protect an organisation from over 85% of attacks. Yet, the move to as-a-service models literally clouds the understanding of what cyber security means to an organisation, so clarity is required.
Some think that by outsourcing to a cloud provider, the old security considerations are no longer relevant, and that it will now be the cloud service provider that keeps their data safe. This thinking is dangerous: you can’t simply outsource risk. The majority of cloud providers protect only the containers their services reside in (i.e. the tenancies for any given service and customer). The important stuff (the data and configuration) within that container remains the responsibility of the client, and is normally excluded from any service contract.
An organisation’s compliance requirements against legislation and governmental rules won’t change, even when the way ICT is procured does. Organisations will remain accountable for their data.
If an organisation decides to move its Windows server infrastructure into the cloud, the hardware and management interface for these servers will be handled by the cloud provider. While that certainly reduces the organisation’s capital expenditure and operating overhead of running a physical datacentre, the configuration of Windows Active Directory, the group policy settings and management of antivirus software and systems patching absolutely remain the organisation’s responsibility. This is why transformation requires careful planning and implementation. It’s not as easy as simply migrating from an on premise to a cloud based platform, maintained by someone else.
Organisations need to work with their cloud service providers to model the new paradigm. They need to understand their changing risk profile and how to manage it. Whether cyber security was previously provided in-house or outsourced to an MSSP, the same levels of monitoring and risk management are required within the cloud services.
Using the Essential Eight as a baseline set of cyber controls, any changes in security posture can be measured to ensure the maintenance of an appropriate and ongoing level of protection, even as the organisation’s ICT infrastructure and software moves to the cloud.
Looking specifically at each of the ASD Essential Eight security controls, they are just as relevant in the cloud as on premise in maintaining sound measures of an organisation’s security posture:
Application whitelisting should still be used to prevent unauthorised applications being installed on cloud-hosted systems. Just because it’s in the cloud doesn’t mean you can safely ignore this control. If you are using a cloud-hosted Windows server, it’s easy enough to use Microsoft AppLocker as your initial defence.
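As an added example that is not part of the original article, the following PowerShell builds a baseline AppLocker allow-list from a cloud-hosted Windows server’s known-good installs, deploys it in audit-only mode, and reviews what it would have blocked before enforcement is switched on. The Program Files paths, the output file under C:\Temp and the file name unknown-tool.exe are assumptions.

```powershell
# Added example, not the article's own code. Run elevated on the server.
# Assumed paths: default Windows/Program Files folders and C:\Temp output.
$outFile = 'C:\Temp\AppLocker-Baseline.xml'

# 1. AppLocker only enforces while the Application Identity service runs.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# 2. Inventory the executables already present on the known-good build.
$fileInfo = 'C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)' |
    ForEach-Object { Get-AppLockerFileInformation -Directory $_ -Recurse -FileType Exe }

# 3. Prefer publisher (signature) rules; fall back to hash rules for unsigned
#    binaries, so nothing is allowed merely because of where it sits on disk.
$policyXml = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash `
    -User Everyone -RuleNamePrefix 'Baseline' -Optimize -Xml

# 4. Start in AuditOnly so a missed dependency logs an event instead of
#    breaking the workload; switch to Enabled once the audit log is clean.
$xml = [xml]$policyXml
foreach ($rc in $xml.AppLockerPolicy.RuleCollection) { $rc.EnforcementMode = 'AuditOnly' }
$xml.Save($outFile)
Set-AppLockerPolicy -XmlPolicy $outFile

# 5. Check how a specific binary would be treated, without executing it.
Test-AppLockerPolicy -XmlPolicy $outFile -Path 'C:\Temp\unknown-tool.exe' -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule

# 6. Review audit events: ID 8003 = "would have been blocked" in enforce mode.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```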
As with application whitelisting, there are a few changes to consider in the approach to restricting administrative privileges as you move from an analogue operating model. You’ll need to ensure restrictions are applied to all privileged accounts and that control over system administrators’ activities is maintained.
Patching the operating system protects it from known vulnerabilities. This becomes an issue where cloud systems are software-as-a-service (SaaS) rather than infrastructure-as-a-service (IaaS). If the software is delivered as SaaS, the service provider will be responsible for applying the patches themselves, but organisations should still ask for evidence of patch deployment.
At the IaaS level, patching remains the responsibility of the customer, so all cloud based servers need patch monitoring just as they did in a local datacentre.
Like operating systems, application patching needs to be monitored on a regular basis. If a provider offers SaaS, it’s important that the customers know what’s happening across the environment and have the providers regularly show evidence of good security hygiene. If the service is IaaS, again the agency is wholly responsible for application patching.
Untrusted Office macros can be problematic, as they can perform malicious actions on the supporting systems. If a desktop system interacts with a cloud server, a malicious script could easily harm that service. Organisations, therefore, must expect to lock these down in a cloud environment, just as they would on a local ICT platform.
In an IaaS model, user application hardening is as important as it is for local servers. Nothing has changed, except the physical location of the server. Applications need to be locked down and made safe for users; a full review and uplift in security configuration should be undertaken by experienced security professionals.
Multi-factor authentication is more important in the cloud than in a local system under an organisation’s control. As every cloud-hosted service is accessed via the Internet, multi-factor authentication significantly strengthens the identity and access architecture layer of the enterprise.
If a failure results in an attack that renders a system unusable or its data corrupted, recovery remains an important matter. Many cloud service providers offer clients backup and recovery options on top of their basic service, and these options should provide visibility of the current state. If data is lost and cannot be recovered, the organisation will be significantly harmed.
Drucker famously said “you can’t manage what you can’t measure”. The Essential Eight security controls are important measures of your entity’s posture, whether its IT operations are on premise or in the cloud. As analogue business models transform to more scalable, flexible and cost effective platforms, the implementation and management of sound security policies and frameworks will remain the key enabler for cloud based operations.
With the ASD Essential Eight being recommended for adoption across Federal government and the commercial sector, compliance will provide a true measure of an organisation’s cyber posture. It will also be a vital management tool in the active, ongoing pursuit of digital transformation.