So … someone asked me the following question, so I figured I’d put my answer in a blog post.
In what ways are evolving technology like cloud, AI, IoT affecting the cybersecurity landscape? What kind of cybersecurity threats and risks can they bring to the enterprise?
As technology moves forward, it has huge implications on security.
We talk about AI but what that really is behind the scenes is vast amounts of data. The security implications of the data are significant. We are already training AI to create sentencing systems that are unfair based on the training data. The training data reflect our biases, and then in fact, reinforce them. AI isn’t just in the background either, it is helping to land planes, drive cars, identify faces in video, identify security events and a million other things. Also, many great AI systems now have gaps in explainability – meaning we don’t even know how they know what they are telling us.
As a user of AI, I would be very concerned about the integrity of the training data. Many people believe that we can subvert AI / ML algorithms by feeding them malicious data. Of course, those same systems are still often processing data that comes from users, so as we look at software, we have the problem of separating control from data. The scope and nature of the data sets (often photos, video, etc.) pose new challenges as well. In many cases, security is an afterthought, with access to the data bolted on for users but not proactively designed in.
In terms of the cloud, many things in the cloud give us significant improvements in security. It is easy to pay a little more to have an HSM, a WAFA Web Application Firewall (WAF) is a type of cybersecurity technology designed to protect web applications from a variety of attacks, such as SQL injection, cross-site scripting (XSS), and other common web-based threats. A WAF sits between the web application and the internet, monitoring and analyzing incoming traffic in real-time. It can detect and block malicious traffic before it reaches the web application, providing an additional layer of defense against cyber attacks. WAFs can be implemented on-premises or through a cloud-based service and can be configured to suit the specific security needs of the web application they protect. WAF is often required by security standards such as PCI-DSS., encrypted data, a key management system, centralized log management, etc. That does, however, force us into the major clouds (AWS, Azure, GCP) where these items are offered. Note that the complexity of the cloud is a major concern. We recommend that our clients use the “infrastructure as code” model, and use tools like Terraform or CloudFormation to provision systems. That will allow them to audit, track (and often roll back) changes as needed.
Many organizations embraced cloud as a way to reduce friction, which is another way of saying bending the rules. Without oversight, teams may be creating large environments that don’t follow proper security practices. We routinely find services exposed to the internet that companies weren’t aware of. We see poor password management policies, unencrypted data and lots more. For CIO’s, a big takeaway is to actively manage the cloud. We actually build a product related to cloud security https://jasp.cloud.
A great mini case study is AWS Macie. It reads S3 buckets and categorizes data, then alerts the data owner about what types of data there is and where it moves. Seems pretty awesome and powerful. But if I can read the index, now I know a lot about what data you have and I know it much faster than I did before.
IoT is even more of a problem. Often IoT applies to devices that are hard to manage and weren’t built to be updated. So we see lots of potential vulnerabilities in the IoT landscape. There is also an explosion in the number of devices and a they are connected in much less structured ways – often via relatively open home internet. IoT also comes with custom operating systems, which are often unpatched and ill suited for long term security.
As a takeaway, as more information is distributed to more places, of course this brings escalating privacy concerns. Our position on this is generally to have clear classification schemes that can be applied to data in a consistent way across these different scenarios. And then to use AI in the cloud to find the data. (wink wink)
References