This week, choose one of the following new trends, and relate what the business implications (benefit, risk, threat) of the new trend. If this is a risk or threat to the organization, why does the organization accept the risk, or what else does the organization do to minimize the threat?
- Cloud Computing resources
- Internet of Things
- Mobile Devices
- Changing Privacy Legislation
Kelly Sharadin says
Cloud Computing resources provide organizations many benefits such as instant scalability, modular pricing, and less administrative overhead when managing on-premise assets. However, organizations also transfer tremendous control and reliance onto cloud providers. Organizations that rely on business productivity SaaS providers like Microsoft 365 and Google Workspace depend entirely on those providers maintaining the 24/7/365 availability of those platforms. Organizations accept the risk that these platforms may become unavailable from time to time or become vulnerable to attacks but how many organizations have backup plans in those scenarios? I believe risk management should begin to account for and calculate lost profits due to such scenarios to help executives understand the risk of solely relying on cloud products.
Shubham Patil says
Kelly,
Cloud environments are complex. Understanding what’s happening within them can be a real challenge, there are a lot of monitoring and visibility tools offered by cloud and third party vendors, these tools empower you to detect and respond effectively to live risks when they arise.
Anthony Wong says
Kelly,
You pose a great point for organization’s leveraging a COTS SaaS solution. There’s not much organization’s can really do in order to combat this. As you mentioned, most organization’s are definitely not ready for long term downtime for these critical applications. Organization’s are definitely out of luck in this scenario. However, these situations should be considered BEFORE moving to the cloud. Throughout this analysis, the executives may discuss a private cloud may be better suited for their business purposes.
Mohammed Syed says
Agree. We know currently after the covid-19 pandemic maximum organizations host their IT environment on the cloud. After could adoption, they increase flexibility productivity and reduce costs, and increased remote working. But with major advantages cloud generates critical security threats which can damage business reputation and goodwill like data breaches or leakage, credentials access, insecure API, system vulnerabilities, accidental cloud data disclosure and so many other new could threats.
Mitchell Dulaney says
Kelly, you’re right that organizations that contract with cloud providers put themselves at risk of downtime experienced by those platforms. While it is certainly important that organizations establish business continuity plans for those scenarios, it’s also important to recognize that organizations hosting their own services would likely experience some downtime themselves, and perhaps more downtime than if they had gone the cloud service route.
Shubham Patil says
Businesses need to understand the impact of the new combinations of technology layers, and how they work together. A crucial part of this is analyzing and assessing the risks involved. The emergence of cloud computing is a fundamental shift towards new on-demand business models together with new implementation models for the applications portfolio, the infrastructure, and the data, as they are provisioned as virtual services using the cloud. All organizations, large and small, need to establish the right decision framework and governance mechanisms to use cloud computing successfully. These rely on an ability to analyze and assess the risks. The security risks of moving to cloud-based models are high, but can be minimized by adopting certain strategies. In order to allay the fears of security risks, businesses are required to evaluate risk mitigation strategies and de-risking strategies. After migrating to cloud-based deployments, it is essential for businesses to engage in active risk management and spend time monitoring the cloud.
Anthony Wong says
Shubham,
I agree that mitigation strategies and controls must be implemented when moving to the Cloud, but by the nature of cloud computing, an organization will never have the same amount of control compared to on-prem. The only deployment model that mimics on-prem is their very own private cloud, but in that case they lose some of the benefits of the cloud. Furthermore, some cloud service providers like Amazon and Microsoft would not give you the right to audit in the contract to monitor their cloud.
Shubham Patil says
Anthony,
You are right, That is why its important to review SLA’s and security whitepapers of these cloud providers before agreeing to use their services.
Antonio Cozza says
Well said, one of the strongest controls an organization has when choosing a service provider to manage a service is to ensure that everything is mutually understood and agreed upon by both parties in the SLA so that there are no surprises later down the line.
Mohammed Syed says
Also, Organizations need to provide security awareness training periodically to the employee to be aware of new threats in IT, need to patch devices use in cloud connectivity, and adopt more security devices, software, and technologies to protect the organization’s Information Security.
Shubham Patil says
Mohammed,
Most of the cloud providers offer automated patching and maintenance services which should be utilized by organizations to never miss critical patches.
Mitchell Dulaney says
Hi Shubham, you’re absolutely right that organizations that plan to move to cloud computing for the first time must establish new frameworks and governance processes. On-premises information systems poses very different benefits and risks to an organization from cloud-based systems, and those differences require changes to management procedures to properly capture the benefits and mitigate the risks.
Vraj Patel says
Hello Shubham,
I do agree that assessing and analysis the risks with the new technology would be crucial, specifically with the IoT devices. IoT devices make it more difficult for the company since if they are not properly managed, there might be many IoT devices linked to the network that could potentially provide the attacker an access to the companies network.
Anthony Wong says
Cloud computing resources provide a tremendous amount of benefit to businesses due to its ability to allow organizations to rapidly scale up IT resources, on-demand self service capabilities, and the benefit of measured service to only pay for the resources used. Additionally, it reduces facility and hardware costs of needing their own data center. One of the main risks enterprise’s who are looking to transition to the cloud and utilize its benefits is multi-tenancy in the public cloud. Multi-tenancy in the public cloud poses a risk because of multiple tenants data stored on a single hard drive. This is done through virtualization, which enables the cloud service provider to partition the hard drives to store client data. Furthermore, the data is dispersed throughout the public cloud and is unknown the the cloud consumer where the data is stored, which makes it even more difficult for the consumer to keep track of its data.
Mohammed Syed says
Yeah, Anthony, It is true statement cloud services provide so many benefits for an organization to provide flexibility in business so organizations accept the risk and start work on the cloud environment against the lockdown challenges and better functionality of the cloud.
Antonio Cozza says
It is undeniable that cloud computing has had a massive impact on businesses worldwide due to its resourcefulness in cutting costs at large and delivering IT value without the direct need for quite as much purchased infrastructure. The issue of multi-tenancy in public cloud environments has major impacts and complications especially in the event that a certain organization has a breach; in many cases forensics would be difficult to perform as the drive would not be able to be obtained in a simple or timely fashion as the other organizations with content on the drive cannot be taken offline.
Mitchell Dulaney says
Anthony, you make a good point regarding the lack of transparency an organization has when they contract with most cloud providers. A company is typically accepting the fact that they won’t know exactly where their data is being stored, or what other organizations’ data are being stored alongside theirs. It’s important to identify in the contract what information the client company will and won’t have regarding these points.
Mohammed Syed says
In remote work, most employees use personal devices to work from home, which increases the threat to the organization and also stretched the limit for the IT security team, causing an increase in the chances of different phishing scams, and it is difficult to track, personal devices offer less security than company hardware devices such as network vulnerability, home router security, threat mitigation techniques and many more, the mobile device is one of the insecure access points for access cloud services where an attacker can easily identify and breach that vulnerability. This scenario is very dangerous for any organization if attackers target a large database through the weak link, then it’s a heavy impact on the organization’s regular work, finance, and reputation.
Kyuande Johnson says
Personal devices can introduce many security concerns for organizations that allow the use of personal devices for work-at-home purposes. The use of personal devices will decrease the organization’s cost of equipment but also introduces a world of security concerns. The use of these personal devices is not managed to mean many employees will be utilizing outdated operating systems and software. To ensure the security of the organization, when enabling employees to utilize personal devices for work use. there must be security controls in place that prevent the use of outdated operating systems and software before its able to connect to the internal network.
Mitchell Dulaney says
Like many other technology trends, use of mobile devices in the enterprise provides many benefits to organizations, while also posing risks and enabling threats that companies didn’t previously face. The incentives to allow (or facilitate) employees’ use of mobile devices are significant. When staff can answer emails, take calls, or even perform other parts of their job 24/7 from any location that has cellular service, it can greatly improve productivity and workplace efficiency. The benefits grew even further when most workplaces moved to remote work-from-home environments in response to the Covid-19 pandemic. Employees being able to use their personal or organization-owned mobile devices improved their ability to make that transition.
On the other hand, there are great risks associated with using mobile devices for work purposes. Phones, tablets, and laptops are much more vulnerable to theft by virtue of their small size. They are also likely to be taken to public locations, which makes them more likely to go missing by accident or to be stolen. The distance between the organization’s physical location and the mobile devices also creates challenges with managing the devices (if they are owned by the organization at all). Mature information security programs will require the organization’s mobile devices to be enrolled in a mobile device management (MDM) system, which is a way of mitigating many of these risks. MDM systems can facilitate remotely wiping or locking a device, can enforce the use of encryption on devices, and can enforce application whitelisting or blacklisting to better control what software can be installed on devices.
Kelly Sharadin says
Hi Mitchell,
The push for remote work has absolutely made MDM more relevant than ever. What becomes even more challenging is when an organization is on a “bring your own device” model. A BYOD workforce really blurs the line between personal and corporate data. I think BYOD is great for ramping up small businesses but overall its unsustainable as the organization scales.
Kelly
Antonio Cozza says
I agree Mitch, mobile devices are an interesting now aspect in organizational security; while they provide many new convenient avenues for employees, they also open the likely possibility of increased shadow IT which is seen as a risk to an organization’s security.
Kyuande Johnson says
Great points Mitchell,
Due to the vast majority of the population (Over 90%) having access to a mobile device. This security concern should always be addressed within every organization as Mobile Devices introduce additional security concerns such as a device being lost or stolen. Sensitive information could be contained on the mobile device and if stolen would cause a breach. Mobile devices are suitable for additional social engineering attempts compared to a laptop. Mobile devices contain email, text messages, and calls, which are features attackers can use to perform social engineering attacks.
Vraj Patel says
Hello Mitchell,
I sure do agree that the mobile devices provide more benefits to an organization, and it possesses a risk as well. If they devices is lost, then the data saved on those devices could be at a risk. One of the ways to manage the risk with mobile devices are implemented a Mobile Device Management (MDM) solution to track, monitor, and implement an proper security within mobile devices.
Antonio Cozza says
This week, choose one of the following new trends, and relate what the business implications (benefit, risk, threat) of the new trend. If this is a risk or threat to the organization, why does the organization accept the risk, or what else does the organization do to minimize the threat?
The internet of things has become an interesting topic in cybersecurity since it has grown to exhibit a massive attack surface for threat actors due to the nature of how such devices have been implemented into networks – notoriously less secure mainly due to the goal of interoperability and open + easy connectivity between network devices. Many choose to use IoT devices for the appeal of useful features however they inevitably come with a greatly increased attack surface and therefore must be implemented into environments with due diligence in securing them. Healthcare organizations for example use IoT devices for useful things like real-time location monitoring of medical equipment. There are many different types of IoT devices in this industry in particular which contain different types of sensors that overall seek to improve identification of certain risk factors and monitoring levels of a variety of things on medical equipment. Because they are communicating with such sensitive information, they will need to be protected from many angles to be in compliance with healthcare regulations like HIPAA. Some primary defensive items to consider for IoT devices include network access control, network (micro)segmentation, changing default credentials (despite this being painfully obvious), and ensuring that patches are implemented when available.
Mitchell Dulaney says
Hi Antonio, I hadn’t considered the fact that healthcare might be the industry that is benefitting the most from the rise in IoT devices. However, this is contrasted with the reality that IoT devices, due to their very nature and the hardware limitations that come with their functionality, are difficult to secure. Healthcare organizations must be very cautious when integrating IoT devices into any environments that handle personal health information.
Vraj Patel says
Hey Antonio,
The IoT devices does increase an attack surface for an organization. As they it would be harder to keep an track of them and patch them regularly to secure them from any vulnerability.
Vraj Patel says
Internet of Things (IoT) devices are the once that has the ability to perform certain task and be able to connect to the internet to allow users to access and monitor those devices such as thermostat, smart light bulb. Those devices often don’t have the proper security measures; therefore, they would not be encrypting the in-transit traffic. It would be a risk to the organization that would be using those devices as the could be sending over sensitive data in a plain text allowing someone intercepting the traffic a full access to that data. If Iot devices are not secure, then an attacker could also take control of that device and use that as an botnet to perform an DDoS attack.
Kyuande Johnson says
Great Points Vraj,
Internet of things (IoT) introduces a wide range of security issues. Due to the limited features of (IoT) devices. Many contain outdated operating systems and software. Which attacks could exploit if a vulnerability is found These updates are not produced often so many IoT devices contain a long list of exploitable vulnerabilities due to the amount of time it takes to create patches.
Kyuande Johnson says
Mobile Devices can become a major security concern even if an organization prevents them from connecting to the network. Every organization should account for the security of mobile devices when evaluating security within their environment. Vast majority of working professionals have personal mobile devices and keep them on their bodies at all times. Mobile devices contain all sorts of data, even if an organization prevents mobile devices from connecting to their corporate network. These devices are still capable of extracting sensitive information via camera and file transfers. The issue with organizations allowing mobile devices within their environment is the possibility of the device being lost or stolen, the potential of connecting to unsecured public wifi, various exposure to social engineering attempted (Via email and text message), and out-of-date operating systems.
https://auth0.com/blog/the-9-most-common-security-threats-to-mobile-devices-in-2021/
Vraj Patel says
Hey Kyuande,
The mobile devices are an important to consider when evaluating the security. As you have mention that individual connects their personal devices to the companies’ network. If they have not updated their devices and connect it with the company’s network, then it could be a threat to the companies’ network. As the attacker could gain an entry point through exploiting the vulnerability within those unpatched devices.