The World Economic Forum ranks cybersecurity threats as one of the major risks to our geopolitical organisation. As the risks increase year on year, it is becoming urgent to guarantee the protection of sensitive data, from proprietary network infrastructures to Cloud access providers. Pierrick Conord, Head of Cloud Security at Sopra Steria France, looks at the best practices to adopt to secure information systems.
The major challenges of cybersecurity today essentially come down to the risks embedded in digital assets. There are more and more attack strategies and methodologies for stealing information in order to sell it on the deep web or to destabilise organisations. All organisations now, from the smallest to the largest, like Canon recently, are becoming victims of ransomware, with their data held hostage.
Managing compliance and risk in the cloud
The ecosystem of Cloud infrastructures is vast and complex for users to master, and it is imperative to learn about the legislation in force. For example, the providers of the G Suite, Azure and AWS Clouds, namely Google, Microsoft and Amazon, are subject to US laws and in particular to the Cloud Act, which allows the US justice system to consult all data on servers domiciled in the United States. "I would also like to remind you that it is not the Cloud provider that must deliver the information but the company that owns the data. We therefore advise our clients to encrypt their data and control access." Regulatory compliance is thus a major lever for Cloud security strategies.
The Cloud Security Alliance lists the main risks to the Cloud as data leakage, infrastructure configuration issues, insecure architectures, and access management issues.
To standardise risk management in the Cloud, internationally recognised frameworks make it easy to define the rules to be implemented in Cloud infrastructures and solutions. Organisations such as the CIS (Center for Internet Security), with the CIS Controls Cloud Companion Guide, define a set of good security practices that are adopted by Cloud software vendors and providers. "CIS compliance for Cloud infrastructures thus represents the first level of security, which allows us to standardise risk management," Pierrick explains.
Good practices on the deployment of secure architectures are also provided in France by the ANSSI (Agence nationale de la sécurité des systèmes d'information), which issues the PASSI qualification to identify cybersecurity audit
providers recognised by the regulator.
Simplifying Multi-Cloud Cybersecurity Governance
The complexity of hybrid and multi-Cloud has broadened the Cloud threat landscape. The integration of on-premises environments with their own security processes based on a "strong castle" approach with Cloud environments that rely on "airport security"
approaches is a real challenge. Deployment processes, environment management, and zoning add a significant level of complexity for IT Departments / CISOs.
In this context, and whatever the IT environment, keeping control of one's infrastructures requires gaining visibility on their level of compliance with the security policy. On the one hand, this means checking for regulatory compliance and, on the other hand, verifying that the security measures implemented to counter the cyber kill chain are actually applied. Immediate access to all the indicators then makes it possible to guard against malicious activity on the information system (IS). But when the infrastructure involves different Cloud providers, it becomes more complex. "You can't multiply the number of tools per platform at the risk of unmanageable cybersecurity governance," explains Pierrick. It is therefore essential to rationalise the tools and simplify multi-Cloud governance to improve the efficiency of infrastructure control.
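As an added illustration of the two points above (a CIS-style baseline as the first level of security, and a single view of compliance across several providers instead of one tool per platform), the following example is not Sopra Steria's code or the CIS benchmark itself: it evaluates a constructed, normalised inventory of resources from three providers against a handful of baseline rules and produces one score and one list of findings. The inventory field names, the rule identifiers and the resources are assumptions made for the example.

```python
"""Added example (not Sopra Steria's code): a provider-agnostic compliance
check that evaluates a constructed inventory against CIS-style rules and
reports one score. Field names and rule ids are this example's conventions."""
from dataclasses import dataclass
from typing import Callable

# Constructed inventory: a normalised view of resources from three providers.
# Field names are this example's own convention, not any provider's API.
INVENTORY = [
    {"provider": "aws", "type": "storage", "id": "bucket-logs", "public": False, "encrypted": True},
    {"provider": "aws", "type": "storage", "id": "bucket-share", "public": True, "encrypted": False},
    {"provider": "azure", "type": "storage", "id": "stexport", "public": False, "encrypted": True},
    {"provider": "aws", "type": "account", "id": "root", "mfa": False, "privileged": True},
    {"provider": "azure", "type": "account", "id": "globaladmin", "mfa": True, "privileged": True},
    {"provider": "gcp", "type": "audit_log", "id": "project-a", "enabled": False},
]


@dataclass(frozen=True)
class Rule:
    rule_id: str                   # assumed id, not a CIS benchmark number
    description: str
    applies_to: str                # resource type the rule covers
    check: Callable[[dict], bool]  # True when the resource is compliant


RULES = [
    Rule("STO-01", "Storage must not be publicly accessible", "storage", lambda r: not r["public"]),
    Rule("STO-02", "Storage must be encrypted at rest", "storage", lambda r: r["encrypted"]),
    Rule("IAM-01", "Privileged accounts must have MFA", "account", lambda r: r["mfa"] or not r["privileged"]),
    Rule("LOG-01", "Audit logging must be enabled", "audit_log", lambda r: r["enabled"]),
]


def evaluate(inventory, rules):
    """Return (findings, score): findings are failing (rule_id, provider, id)
    tuples, score is the percentage of (resource, rule) checks that passed."""
    findings = []
    checked = 0
    for res in inventory:
        for rule in rules:
            if rule.applies_to != res["type"]:
                continue
            checked += 1
            if not rule.check(res):
                findings.append((rule.rule_id, res["provider"], res["id"]))
    score = round(100 * (checked - len(findings)) / checked) if checked else 100
    return findings, score


def findings_by_provider(findings):
    """Group failing rule ids per provider for a single cross-Cloud report."""
    out = {}
    for rule_id, provider, _ in findings:
        out.setdefault(provider, []).append(rule_id)
    return out


if __name__ == "__main__":
    found, score = evaluate(INVENTORY, RULES)
    print(f"compliance score: {score}%")
    for rule_id, provider, res_id in found:
        print(f"FAIL {rule_id} [{provider}] {res_id}")
```

Running this prints a single score for the whole estate and one finding per failing resource, regardless of which provider hosts it; in practice the inventory would be fed from each provider's API into the same normalised shape so that one rule set serves every platform.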
What makes the task more complex is the exponential volume of data: all companies are generating more and more information, so identifying and classifying data necessarily takes more and more time. "We set up a data classification system to organise the data. From the classification we then formulate a rule to tag the data in an automated way." The technologies, which come from various vendors, recognise the content of a document or search it for certain predefined patterns, for example. "For classic office environments, this method is very efficient." Finally, the result is a complete chain and control of the data with a procedure to be applied by their user, integrated with a more global awareness approach to ensure the protection
Protecting data and securing applications
Data protection and application security are therefore major levers in the prevention of cyberattacks. With the digital transformation and the interconnection of systems, APIs are increasingly used as entry points to the IS. To protect oneself, there are various proven and robust authentication mechanisms to control access to APIs. "There is a need for good least privilege practice in applications, to avoid privilege escalation, i.e. a malicious program taking control of a critical part or the whole application. It is necessary to control the API connection keys that authorise access to an application and to protect their storage with multiple containers that will each have an assigned role."
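The least-privilege and key-handling advice above can be made concrete in code. The example below is an added illustration, not Sopra Steria's or any vendor's implementation: each API key is issued for exactly one role, each role is limited to the actions it needs, the service stores only a hash of each key (so a leaked key store does not hand out usable credentials), and every call is checked against the role before it is served. The role names, the action names and the in-memory key store are assumptions made for the example.

```python
"""Added example (not the article's code): API keys bound to a single role
with a minimal action set, stored only as hashes, and an authorisation check
that refuses anything outside the role. Roles and actions are assumed."""
import hashlib
import hmac
import secrets

# Each role gets only the actions it needs (least privilege). Assumed roles.
ROLES = {
    "reader": {"read"},
    "editor": {"read", "modify"},
    "exporter": {"read", "download"},
}


class PermissionDenied(Exception):
    pass


class KeyStore:
    """Holds API keys by SHA-256 fingerprint only; the plaintext key is handed
    out once, at issue time, and never stored."""

    def __init__(self):
        self._keys = {}  # fingerprint -> role

    @staticmethod
    def _fingerprint(api_key: str) -> str:
        return hashlib.sha256(api_key.encode()).hexdigest()

    def issue(self, role: str) -> str:
        if role not in ROLES:
            raise ValueError(f"unknown role {role!r}")
        api_key = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._keys[self._fingerprint(api_key)] = role
        return api_key

    def role_of(self, api_key: str):
        """Look up the role for a presented key, or None if unknown/revoked."""
        fp = self._fingerprint(api_key)
        for stored_fp, role in self._keys.items():
            if hmac.compare_digest(stored_fp, fp):  # constant-time compare
                return role
        return None

    def revoke(self, api_key: str) -> bool:
        return self._keys.pop(self._fingerprint(api_key), None) is not None


def authorise(store: KeyStore, api_key: str, action: str) -> str:
    """Return the caller's role if it permits `action`, otherwise raise."""
    role = store.role_of(api_key)
    if role is None:
        raise PermissionDenied("unknown or revoked key")
    if action not in ROLES[role]:
        raise PermissionDenied(f"role {role!r} may not {action!r}")
    return role


if __name__ == "__main__":
    store = KeyStore()
    key = store.issue("reader")
    print("read   ->", authorise(store, key, "read"))
    try:
        authorise(store, key, "download")
    except PermissionDenied as exc:
        print("download ->", exc)
```

The same role table also expresses the conditional-access idea discussed later in the article: a "reader" key can read but neither modify nor download, and extending a role is an explicit change to ROLES rather than something a compromised component can grant itself.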
Also, with the widespread adoption of remote work, employees become an attack vector. Various technological solutions exist to best protect access to applications and sensitive information in organisations. The CASB (Cloud Access Security Broker), for example, makes it possible to control access to company data conditionally: certain privileges allow the data to be read, but do not allow it to be modified or downloaded. Then, to anticipate security incidents as much as possible, airlocks (quarantine staging areas) must be put in place to sanitise equipment before it is connected to the company network. Finally, other mechanisms also exist, such as DLP (Data Loss Prevention), which tracks and prevents certain behaviours such as data leaks: it makes it possible to block the transfer of an attachment in an e-mail or to force its encryption.
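Two passages above describe one chain: documents are classified by recognising predefined patterns in their content and tagged automatically, and a DLP rule then acts on the tag, blocking an attachment or forcing its encryption. The following example is added here to show that chain end to end; it is not the article's or any vendor's product. The patterns, labels, sample documents and the "block / encrypt / allow" policy are all constructed for the example.

```python
"""Added example (not the article's code): pattern-based classification that
tags documents with a sensitivity label, and a DLP rule that decides whether
an e-mail attachment may leave the organisation. Everything here is assumed."""
import re

# Assumed classification patterns; the label with the highest rank wins.
PATTERNS = [
    ("RESTRICTED", re.compile(r"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b")),   # card-number-like
    ("CONFIDENTIAL", re.compile(r"\bCONFIDENTIAL\b|\bINTERNAL ONLY\b", re.I)),  # explicit marking
    ("INTERNAL", re.compile(r"\b(project|roadmap|budget)\b", re.I)),           # business keywords
]
PUBLIC = "PUBLIC"
RANK = {PUBLIC: 0, "INTERNAL": 1, "CONFIDENTIAL": 2, "RESTRICTED": 3}


def classify(text: str) -> str:
    """Return the most sensitive label whose pattern matches the text."""
    label = PUBLIC
    for candidate, rx in PATTERNS:
        if rx.search(text) and RANK[candidate] > RANK[label]:
            label = candidate
    return label


def tag_documents(docs: dict) -> dict:
    """Automated tagging: map each document name to its classification label."""
    return {name: classify(text) for name, text in docs.items()}


def dlp_decision(label: str, recipient_domain: str, own_domain: str = "example.com") -> str:
    """DLP rule (assumed policy): RESTRICTED data never leaves the organisation,
    CONFIDENTIAL data leaves only encrypted, everything else is allowed."""
    external = recipient_domain.lower() != own_domain.lower()
    if label == "RESTRICTED" and external:
        return "block"
    if label == "CONFIDENTIAL" and external:
        return "encrypt"
    return "allow"


# Constructed sample documents (fictitious content, test card number).
SAMPLE_DOCS = {
    "newsletter.txt": "Our new office opens in May. All welcome.",
    "roadmap.txt": "Project roadmap for the next quarter, internal only.",
    "cards.csv": "4111 1111 1111 1111,John Doe",
    "memo.txt": "CONFIDENTIAL: merger discussion notes",
}


if __name__ == "__main__":
    tags = tag_documents(SAMPLE_DOCS)
    for name, label in tags.items():
        print(f"{name:16} {label:12} -> mail to partner.org: {dlp_decision(label, 'partner.org')}")
```

Note that "roadmap.txt" matches both the INTERNAL keywords and the "internal only" marking; the rank table makes sure the stronger label wins, which is the behaviour you want when several detectors fire on the same document.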
Managing security incidents quickly and efficiently
In the Cloud, cyberattacks spread faster than in traditional IT environments. The Cloud therefore requires a shift from a manual method to a new approach to security incident detection. To manage security incidents quickly and effectively, the DevOps SOC approach also stands out by combining machine automation of deployments with the intelligence of human experts. "The SOC allows us to detect potential dangers upstream, in particular by relying on repositories such as the MITRE ATT&CK matrix, which classifies different attack techniques and tactics," explains Pierrick. The architecture must also be secured "by design" to limit the additional human and financial costs during the production phase. However, daily checks are still necessary afterwards to verify the security scores reported by all the platforms and access providers.
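To show what "relying on the MITRE ATT&CK matrix" looks like inside a SOC detection pipeline, here is an added example that is not Sopra Steria's SOC code: two detection rules run over constructed cloud sign-in log lines, and each alert is labelled with the ATT&CK technique it maps to (T1110 Brute Force, and T1078.004 Valid Accounts: Cloud Accounts). The log format, the thresholds, the list of privileged accounts and the alert shape are this example's assumptions; the IP addresses are from the TEST-NET documentation ranges.

```python
"""Added example (not Sopra Steria's SOC code): ATT&CK-labelled detection rules
run over constructed cloud sign-in events. Log format, thresholds and the
privileged-account list are assumptions made for the example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events (TEST-NET addresses, fictitious users).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2024-05-01T10:00:09Z ip=203.0.113.5 user=alice result=FAIL
2024-05-01T10:00:20Z ip=203.0.113.5 user=bob result=FAIL
2024-05-01T10:00:31Z ip=203.0.113.5 user=carol result=FAIL
2024-05-01T10:00:44Z ip=203.0.113.5 user=dave result=FAIL
2024-05-01T10:01:02Z ip=203.0.113.5 user=dave result=SUCCESS
2024-05-01T10:05:00Z ip=198.51.100.7 user=root result=SUCCESS
2024-05-01T11:30:00Z ip=198.51.100.9 user=erin result=FAIL
this line is malformed and must be skipped
"""

LINE_RX = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")
BRUTE_FORCE_THRESHOLD = 5                 # failed sign-ins from one source ...
BRUTE_FORCE_WINDOW = timedelta(minutes=10)  # ... within this sliding window
PRIVILEGED_ACCOUNTS = {"root"}            # assumed break-glass / privileged identities


def parse(log_text):
    """Parse the constructed format into event dicts, skipping malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RX.match(line)
        if not m:
            continue  # a bad line should not take the whole pipeline down
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect(events):
    """Return alerts as (technique_id, technique_name, source_ip, detail)."""
    alerts = []
    failures = defaultdict(list)  # ip -> timestamps of recent failed sign-ins
    flagged = set()               # ips already reported for brute force
    for ev in sorted(events, key=lambda e: e["ts"]):
        ip = ev["ip"]
        if ev["result"] == "FAIL":
            failures[ip].append(ev["ts"])
            # keep only failures inside the sliding window
            failures[ip] = [t for t in failures[ip] if ev["ts"] - t <= BRUTE_FORCE_WINDOW]
            if len(failures[ip]) >= BRUTE_FORCE_THRESHOLD and ip not in flagged:
                flagged.add(ip)
                alerts.append(("T1110", "Brute Force", ip,
                               f"{len(failures[ip])} failed sign-ins within {BRUTE_FORCE_WINDOW}"))
        elif ev["result"] == "SUCCESS":
            if ip in flagged:  # the guessing paid off: highest priority
                alerts.append(("T1110", "Brute Force", ip,
                               f"successful sign-in as {ev['user']} after brute-force activity"))
            if ev["user"] in PRIVILEGED_ACCOUNTS:
                alerts.append(("T1078.004", "Valid Accounts: Cloud Accounts", ip,
                               f"interactive sign-in by privileged account {ev['user']}"))
    return alerts


if __name__ == "__main__":
    for technique, name, ip, detail in detect(parse(SAMPLE_LOG)):
        print(f"[{technique} {name}] {ip}: {detail}")
```

Labelling each alert with a technique id is what lets the SOC report coverage against the matrix (which tactics and techniques the current rules can see, and which they cannot) and is the link between the daily platform checks mentioned above and a structured view of detection gaps.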