IT security during lockdown
In recent weeks, we have seen technology teams being more inventive than ever to support new and virtual ways of working at scale and speed.
Unsurprisingly, concerns regarding security have been quickly raised, with some acting malevolently to exploit vulnerabilities on the back of this expedited pace of IT deployment. As a result, this may leave some architectures ripe for exploitation.
However, it’s important to remember that while Covid-19 may have accelerated adoption of new technologies, the direction of travel has not changed; businesses were already on the path to adopting flexible ways of working and making more services available digitally. To do so, many organisations are already using software reliant on the public cloud and have adopted hybrid models enabling scalability and flexibility.
Those further along in this process will have adapted to new ways of working relatively easily and be the most secure, largely because they have addressed the shared responsibility model. Everyone else must focus on balancing responsibility correctly to reduce potential security risks.
The cloud has fundamentally changed security. Traditionally, when an organisation ran their own IT services there was little shared responsibility – the IT team owned it top to bottom. In this situation however, many deployments didn’t consider the foundations there to support it such as network protection, access management, or compliance – certainly not in the long term. They were protected by firewalls, intrusion protection, proxies and other systems that existed within the perimeter of the organisation.
With the cloud, many infrastructure responsibilities are taken on by a cloud provider, but there is a major grey area in this. Cloud service providers like Amazon and Microsoft are clear in their documentation on where this line is, however, if there is limited understanding in some organisations they may be hoodwinked. The challenge is that the guardrails around network, access and compliance aren’t there by default and the skills to put them in place in the cloud may not exist in the organisation. Whereas previously this would have meant the service couldn’t go live, now it just takes a credit card and a small bit of knowledge – so the risk is much higher.
In this situation, managed service providers can be a godsend as they have a great understanding of how the responsibility models work. They also can invest more time and effort into understanding your particular organisation, providing an independent check to ensure you are on the right path.
Shining a light on this potentially murky area of shared responsibility is the key thing organisations can do to ensure that security is not inadvertently compromised during this period and that solid foundations are there for the future.
● Vicky Glynn is product manager at Brightsolid.