Battling relentless nation-state hackers takes security expertise. Unfortunately, demand for expertise constantly increases, without enough experts to keep up with its growth. That’s why Jonathan Nguyen-Duy, Fortinet Vice President of Strategic Programs, says organizations must seriously consider outsourcing cloud services as part of their security program. When outsourcing, select established cloud services that can prove they have certified people, processes, and facilities using best-in-class technology.
We spoke with Mr. Nguyen-Duy about the specifics of building a cloud security program. He had a lot to say.
STEP 1: UNDERSTAND YOUR RISK PROFILE
“Organizations expect CIOs to support digital transformation goals that enhance business processes and create new business models, revenue streams, and customer engagement channels,” says Nguyen-Duy. “The cloud is the fastest, most effective way to meet those goals today.” Understand your risk profile and security goals before you move to virtualized solutions. Consider cloud service providers that execute security controls and governance objectives equivalent to an in-house private cloud.
STEP 2: DIVIDE AND CONQUER
Segmentation is the second essential element of cloud security. Divide the ecosystem into trusted networks of approved, certified devices and untrusted networks, such as the home or the Internet of Things (IoT) edge. “Along with segmentation comes visibility, so you can understand what’s happening across all networks and allow trusted networks to communicate with the rest of the ecosystem while preventing untrusted networks from doing so.”
Many companies now virtualize and distribute their data. “Instead of putting all their information into a single network, they spread it over multiple clouds and networks, with automated visibility and detection across all of them.” Segmentation makes it almost impossible to compromise an entire ecosystem. “You can also distribute the control nodes so there’s no way a Distributed Denial of Service (DDoS) attack or malware will bring down the entire enterprise.”
Visibility also allows more opportunity to respond, so if malware detonates on one network, you can firewall off that segment and limit the damage.
STEP 3: SIMPLIFY, SIMPLIFY, SIMPLIFY
“Complexity is the enemy of security,” says Nguyen-Duy. Fortinet solutions slash security complexity with an open framework of Application Program Interfaces (APIs) and pre-integration with best-in-class third-party technologies and cloud service providers. “Fortinet partners with Amazon Web Services and Microsoft Azure so the same security capabilities on-premises are available throughout the hybrid cloud.” This enables seamless movement across the private and public cloud with the same visibility, automation, and response capabilities.
STEP 4: DODGE MOM-AND-POP CLOUD PROVIDERS
“Public organizations should demonstrate a reasonable level of due care,” says Nguyen-Duy. Select service providers that use best practices and controls such as those in the National Institute of Standards and Technology Cybersecurity Framework, ISO/IEC 27000 series, Center for Internet Security Controls and other industry standards. Employ certified security professionals and contract with a reputable auditing firm that attests to the adoption and implementation of these controls and best practices.
“When moving to the cloud, determine your risk profile, your security and compliance goals, and the business outcomes you’re looking to achieve. Then choose cloud service providers certified and able to execute those goals across the environment,” says Nguyen-Duy. Offshore locations and government standards add other layers of complexity. Cloud providers should be able to produce reports that show their proficiency in handling these unique, complex regulated environments.
STEP 5: OUTSOURCE SECURITY WHERE POSSIBLE
Fortinet offers a service called the Cyber Threat Assessment Program, which analyzes an enterprise’s network traffic to generate reports on network performance, security, and privacy control effectiveness. These findings provide IT professionals with an in-depth evaluation of their current state security posture to determine the steps needed to get to the desired state. Base your decision of whether to outsource cloud security on your understanding of the organization’s goals and risk.
“In-house solutions are daunting. There aren’t enough people in the job market with top-notch cyber security skills and even fewer with skills plus more than ten or fifteen years of experience,” says Nguyen-Duy. “That’s why organizations should consider outsourcing security functions to service providers with the expertise they can’t afford to recruit themselves.”
STEP 6: ASSUME YOUR NETWORK IS INSECURE
Nguyen-Duy has witnessed multiple environments believed to be closed to the public internet only to find connected devices communicating with bad actors around the world. “We could actually see data exfiltration in action,” he says. “I’ve also seen organizations that never measured the volume of north-south traffic in and out of the data center and east-west traffic among virtual machines. Others failed to question a cloud provider about how it maintains segregation and segmentation across virtual machines and clients. Who owns the data when you terminate your cloud contract? Many organizations don’t know.”
No device, system or network is 100% secure against determined, advanced threat actors. Top-tier threat actors can break into any network.
Dozens of industry reports and studies show that cyber defenders are not keeping pace with the velocity, variety, and complexity of threats. The traditional enterprise perimeter is effectively gone, physically, as we move toward private and hybrid cloud solutions, and logically, as more holes open to support external communications. With the traditional perimeter gone, why continue to rely on perimeter-based security strategies as the primary defense?
WHAT TO DO NEXT
Viable, effective security strategies include the cloud. “Companies understand that sophisticated nation-state actors, such as China and Russia, can break into any enterprise network,” says Nguyen-Duy. “Instead of putting all their information into a single network, they spread it over multiple clouds and networks, with automated visibility and detection across all of them.” These strategies make it almost impossible to compromise an entire ecosystem.
Distribution raises the opportunity cost for the hacker because a zero-day exploit has diminishing practical value after the first victim. Used together, network distribution, segmentation, and virtualization reduce your risks.
“Understand that the goal is risk management,” says Nguyen-Duy. “You can manage risk with best-in-class service providers, products, and practices. In the long term, that’s much more cost effective than hiring expensive people who are often not even available.”