Cloud-computing models have always made a good case for themselves. While the coronavirus outbreak undoubtedly accelerated migration, the market for cloud services was already strong enough in 2019 to attract serious players.
According to Synergy Research Group, more than 100 new hyperscale data centres have come online worldwide during 2019 and 2020. And 52 of these were launched last year, despite COVID restrictions.
Pre-COVID demand for cloud in the Middle East was strong enough to entice AWS, Microsoft and Oracle to build cloud-location facilities across the Arab Gulf region. These services played a major role in operational continuity when lockdowns were announced.
Necessity had driven the migration, but business stakeholders across the region soon saw the benefits of cloud. However, many also understood one of the main drawbacks of migration. For example, as recently as April, IDC reported that while one in four Saudi businesses were examining the prospect of hybrid cloud infrastructure, one of the main stumbling blocks to implementation was still cybersecurity.
Some of the earliest analyses of cloud computing balanced the benefits of business agility, control over IT costs and significant reductions in complexity with the spectre of the threat landscape and its attendant digital marauders.
These concerns were justified by the surge in cyberattacks that occurred regionally — and worldwide — amid mass cloud migration in 2020. In the UAE, authorities reported a 250% increase in attacks last year, with the government’s head of cybersecurity citing phishing and ransomware and strongly tying the spike to remote working.
Holding the line
But none of this will stem the tide of cloud journeys. By May 2020, IDC had upped its projections for cloud investment in the Middle East Turkey and Africa (META) region to US$6.5 billion by 2024. Enterprises are always going to chase those benefits of a better equipped workforce, cost-efficiency, and agility.
But cybercriminals have never been known for allowing us to enjoy advantages without looking for some of their own. They even used the pandemic itself to lure unsuspecting prey into revealing cloud credentials.
So, cyber-miscreants in search of a payday are not going to back off any time soon. They are continually in pursuit of the 21% of data out there that is categorised as critical and not intended for third parties. Sometimes this data is shared among colleagues through insufficiently protected links — a vulnerability well known among bad actors.
And cybercriminals have many other methods of stealing credentials. Social engineering is a time-honoured classic that tricks people into thinking they are communicating with trusted entities. Telephone calls or phishing emails can lead unwary employees to visit treacherous websites or to open infected files. After that, the corporate network becomes a playground for malicious parties.
Incidents set to mushroom
Technology stakeholders must also deal with shadow IT — hardware and software that has not been vetted and may prove to be unsafe. Personal devices that are not under the auspices of corporate IT have the potential to run any number of unsafe or unpatched applications.
Nefarious activity costs real money in the real world. And it is only going to get worse. One estimate from Cybersecurity Ventures predicts a cyber incident will occur every 11 seconds in 2021; and the cost for the global economy will reach US$ 6.1 trillion, which is double the cost of 2015. If bad actors were to form their own country, that US$6-trillion economy would comfortably beat Japan for the world’s number-three spot.
The cost of troubleshooting, losses of business-critical data, work interruptions, operational downtime, and brand tarnishing — it all adds up. And service providers must pour more and more money into R&D for secure infrastructure.
Cybercriminals rely on two things: ignorance and inaction. Some organisations are simply not aware their defences are inadequate. Others know, but fail to act, either because of a lack of budget or because of a lack of corporate will.
The right way
Some, however, have developed the capability to protect their data effectively across all endpoints, network paths and the cloud. They use consistent security policies to get the job done. They recognise that digital-transformation strategies without explicit security policies are meaningless. The cloud journey needs to be secure before a step is taken towards implementation.
Questions must be asked of the provider. What security measures do they have in place? How does the customer fill the gaps? With applications? With corporate policy? In short, where do the provider’s responsibilities end and the customer’s begin?
Any additional technology must allow for a holistic approach to security. Multivendor setups breed data silos that cannot share intelligence with one another. And new-normal ecosystems have several points of vulnerability — end devices, data in transit, and cloud infrastructure.
A device-to-cloud view that combines the capabilities of data-loss prevention (DLP) solutions, cloud-based secure Web gateways (SWGs) and cloud access security brokers (CASBs) is preferable. This allows the protection of data at every storage location and over the whole transmission path. It also gives transparent oversight of the entire cloud infrastructure.
DLP allows IT teams to implement security policies at a local level, while CASBs do this for the cloud, using SWGs to police traffic between endpoints and the cloud data centre. IT admins can also assign tighter privileges for users to run applications on an as-needed basis.
Bad actors are persistent and adaptable. Enterprises must find new ways of out-manoeuvring them. By ensuring that all infrastructure components are covered and that employees are well-versed in best practices, the cloud-ready business can establish a comprehensive security strategy.
Holistic solutions provide the transparency needed to give IT departments full control of the corporate ecosystem, after which the cloud can serve as an incubator for innovation rather than a plaything for bad actors.
