Cloud Security Roundup: New Guidelines for Zero Trust Architecture, the Cost of Cybercrime, and More
Each month, we bring you some of the most compelling cloud and Salesforce security-related stories from the last four weeks. In this post, we discuss the cost of cybercrime, the number one threat to the cloud, NIST’s new guidance on zero trust architecture to fight cybersecurity threats, and more.
One minute may not seem like much, but a lot can happen in 60 seconds, especially on the internet. According to RiskIQ’s 2020 Evil Internet Minute report, cybercriminals cost victims $11.4 million every minute, particularly during global events such as the COVID-19 pandemic and the accompanying security threats.
The report, which gathers data on the associated costs of cybercrime and threat attacks over a year, revealed that organizations spend $24.7 every minute to compensate for malicious activity that threatens security. Compared to last year, that’s an increase of more than $2 per minute. In the time it takes to reply to an email, a malware attack costs organizations an average of $4.95 while the average cost of privacy compliance costs only $1.18.
“The sheer scale of today’s threat activity is driven by a variety of factors, including that cybercrime is easier than ever to participate in and better threat technology makes cybercriminals more effective and wealthier than in the past.”
– Lou Manousos, CEO, RiskIQ
As data management evolves, so do CISOs’ priority lists. While privacy and security have long been top of mind, the ethical use of data has recently become a notable point of discussion for InfoSec professionals. Data ethics asks the question: is your organization protecting sensitive data to the best of its ability?
“Security has always been intimately involved in taking responsibility for the confidentiality, integrity and accessibility of data and I do not see that changing,” said Steve Durbin, managing director of the Information Security Forum. “But as we move more into the realms of privacy by design, there will increasingly be a need for the CISO to be working closely with the Chief Data Officer.”
Regulatory bodies and consumers alike are concerned with how data is handled and potentially misused, the primary concern being privacy. If personal information isn’t managed responsibly, organizations face a loss of trust, reputational damage, non-compliance fines, and revenue loss.
The proposal of a California Privacy Rights Act (CPRA) has many questioning whether CPRA will replace the California Consumer Privacy Act (CCPA). CPRA aims to address the collection and use of network activity and identity information, and while it shares similarities with CCPA, the two acts differ in multiple ways. CPRA builds on CCPA by adding new consumer rights to prevent businesses from abusing personal information. It also aims to protect children’s privacy by tripling fines, extend the exemption for employment data, and implement the California Privacy Protection Agency, which would protect consumer rights and give consumers more control over their personal data.
Notable additions of CPRA that go beyond CCPA’s scope include:
- Increased consumer control over personal data
- Extended coverage for consumers, customers, and employees
- Third-party security requirements including specific references to mandatory controls and security expectations
For CPRA to go into effect, it must pass in November on the California ballot.
Brazil’s proposed data privacy law, LGPD (Lei Geral de Proteção de Dados Pessoais), has encountered a few setbacks since it was passed in August of 2018, but it is set to go into effect before the end of 2020 upon the president’s approval.
Like the EU’s GDPR, the LGPD aims to consolidate and supplement more than 40 various statutes that govern Brazilians’ personal data. LGPD would apply to businesses that process personal information of Brazil residents, regardless of the organization’s location, which is another common trait it shares with GDPR and California’s CCPA.
While the law is set to be passed in 2020, enforcement is not slated to begin until August 2021.
IT professionals recently declared misconfiguration to be the prevailing threat to cloud security, according to the 2020 Cloud Security Report by Check Point. Misconfiguration of the cloud puts an organization at risk for a breach and non-compliance because it creates gaps in security controls, leaving the door wide open to insider threats or external attackers.
According to the report, the top four threats to the cloud include:
- Misconfiguration (68%)
- Unauthorized cloud access (58%)
- Insecure interfaces (52%)
- Account hijacking (50%)
“The report shows that organizations’ cloud migrations and deployments are racing ahead of their security teams’ abilities to defend them against attacks and breaches,” said Check Point’s TJ Gonen. “Their existing security solutions only provide limited protections against cloud threats, and teams often lack the expertise needed to improve security and compliance processes.”
To close security gaps, organizations need in-depth visibility into their cloud environments and automated monitoring programs that reinforce compliance and analyze threats to prevent risk like misconfiguration.
The National Institute of Standards and Technology (NIST) released a finalized version of their guidelines for zero trust architecture (ZTA), which outlines recommended cybersecurity measures for organizations. A “zero trust” model aims to reduce risk and cybersecurity threats by shifting the focus from static, network-based permissions to user, asset, and resource-based permissions. Given the prevalence of remote workers, bring-your-own-device policies, and use of SaaS applications for mission-critical activities, NIST recognized the need to examine access to resources like assets, workflows, and network accounts rather than network segments because network location has taken a backseat to other cybersecurity concerns.
With deployment models and use cases, organizations can use NIST’s guidelines on zero trust architecture to improve their overall information technology security posture.