Who Is Securing Our Systems?
With distributed cloud-oriented environments, confusion is inevitable on the IT security side.
The Question of Security
With compute environments being so distributed and so cloud oriented, confusion is inevitable, particularly on the security side. Within organizations, applications and data are split between on-premises systems and the cloud. Not just one cloud. Many organizations operate multiple clouds or subscribe to services from a great many providers.
And then there is the software and services supply chain. It is no longer usual for one provider to take care of everything. A great many vendors are typically involved in various workflows and systems. Providers like Kaseya and SolarWinds, for example, provide underlying systems that other software relies upon. Remote monitoring and management systems like these are used by countless enterprises and vendors as part of their external or internal offerings.
Managed service providers (MSPs), too, rely on such applications to take care of software delivery and general remote operation. This enables them to focus on their core competencies such as backup, security, or CRM. Even internally within organizations, there tends to be a reliance on a variety of systems to be able to remote into employee devices, deliver updates, and more.
Bottom line: This labyrinth is so pervasive that it is very hard to keep track of exactly who is doing what, and who is responsible for which functions.
This is bad enough for general IT management. But when it comes to security, the repercussions can be disastrous. The lines of demarcation on security duties must be well known.
This problem has already come to a head following some well-publicized cloud breaches. Some enterprises blamed their cloud providers for attacks, only to be quoted the fine print about what the cloud provider was actually responsible for. Yes, they secure their own clouds. Yes, they provide a series of cloud features. And yes, they promote these in ways that may make it seem that they cover all aspects of security. But they don’t.
The user is usually responsible for the integrity of the files being sent to the cloud, i.e., ensuring no malware lurks inside. Further, some cloud providers hold the user organization responsible for encryption of files being sent to the cloud.
In other words, the delineation of duties isn’t always clear. Hence, someone in IT might be asked, “Who is securing our systems and our data?” And the response might be, “I thought the cloud provider was doing that.”
Cybercriminals Taking Advantage
The software and IT services supply chain now sprawls across all corners of the web. And the cybercriminals are capitalizing on the grey areas between providers and client organizations to find zones that “fall between chairs.” Each party thinks the other one is taking care of that security function. The Kaseya and SolarWinds hacks were only the beginning. They showed the bad guys that it was far smarter to hack one company and have its supply chain network distribute that software to large numbers of organizations.
No wonder supply chain breaches are exploding. An NCC Group paper found that cyberattacks on supply chains increased by 51% between July and December 2021, based on a survey of 1,400 cybersecurity decision-makers at organizations with over 500 employees in 11 countries. 36% believe they’re more responsible for preventing, detecting, and resolving supply chain attacks than their suppliers.
However, 53% say both their company and its suppliers are equally responsible for the security of supply chains. Nearly half say they don’t stipulate security standards for their suppliers, and a third don’t regularly monitor and risk assess their suppliers’ cybersecurity arrangements.
As more supply chain breaches happen, though, awareness of this problem area is rising. More companies are recognizing supplier risk as a key challenge. They plan to increase security budgets by an average of 10% this year.
Take Charge of Your Own IT Security
Anyone utilizing the cloud is advised to carefully weed out any ideas within the IT ranks that someone else takes care of cloud security duties. It is up to IT to secure its own systems, data, devices, and identities. And to define exactly what providers do and don’t do with regard to security. Assume it is NOT secured unless you have a guarantee in writing from the provider. Be tenacious in hunting down the facts about the division of duties.
Syxsense provides SaaS and MSP-based security services that automatically take care of functions such as endpoint management, mobile device management, patch management, vulnerability scanning, and remediation.
To take one example: In patch management, Syxsense guarantees to test and critical patches within four hours of their release. It automatically deploys patches based on a priority system to safeguard all organizational systems and devices by providing the correct updates and patches.