Accenture Security’s Managing Director, Vinod Shankar, commented on Volume two of Accenture’s Cyber Threat report: “I think the report is pretty interesting this year, especially around the threats they have identified as trending upwards.”
The usual suspects include ransomware, which has continued steadily since before the pandemic, with no respite even in 2022.
Vinod described ransomware as being the topmost threat, followed by vulnerability exploits, which we constantly see as exploit-based attacks or zero-day attacks.
The third one is data leakage and data exfiltration whereby people steal information.
Vinod described these three trends as a repeat of what has happened previously. “But I think the key insight for me was the two new trends which we are seeing – supply chain attacks and cloud-centric toolsets.”
These are the two new areas which research has identified as upcoming trends.
Cloud-centric toolsets
Today, the cloud is moving towards widespread adoption. As a result, attackers are building toolsets for the cloud which can be used to attack cloud instances and cloud workloads.
“That’s the cloud-centric tool set which we are talking about here,” Vinod explained.
Because resources that power workloads are so easy to scale up and down, cyber attackers are also using the power of the cloud to spread their entire attack surface.
So, the scope of compromise is not just operating systems. Rather, it has become more abstracted at the cloud application level, with containers, clouds and serverless code. That’s what the cloud-centric toolset is.
Zero Trust principles
Zero trust is a concept or strategy that has been talked about for a long time, according to Vinod.
“But it’s been spoken about as an idea around network. Zero trust networks. That’s a term that has been there for over 20 years.
“With cloud, that definition is becoming irrelevant, for lack of a better word.
“Now, it’s becoming cloud zero trust, cloud security, principles and strategies… the moment you put it on cloud, you are relying or expecting the cloud service providers like Azure, or AWS, or even Google, to provide a bit of security for you.”
That is not entirely the right expectation to have, and organisations are quickly realising that even though they move to the cloud, there is a huge amount of risk around who manages the data and who manages the underlying applications.
Above all, which party shall be responsible when there is a data breach?
The zero trust concept becomes more relevant today because of this cloud era, and the need to always verify every single application, piece of infrastructure or traffic flow that comes into an organisation’s cloud subscription.
Crucial to implement
Where the focus was previously on zero-trust networks, a much more complex environment, consisting of on-premise infrastructure and multiple different types of clouds, with IT resources located centrally at organisations or distributed across remote locations, requires zero trust to expand as an idea and as an implementation.
“Now, you need to focus on data, you need to focus on identity.
“But how do you ensure your identities are secured and always validated when you are moving across multiple cloud services?”
This is a very important portion of cloud strategy.
Another aspect is data: organisations need to secure data that resides in different clouds from different vendors. How do you secure the data lineage from creation to transmission to storage in the cloud, and then distribute it securely to different partners and more?
“Zero trust data becomes a very key aspect as well.”
Vinod pointed out how enterprises in Malaysia have adopted zero trust to be able to manage their multi-cloud environments. “Because their data is spread across several cloud service providers and they want to make it secure, along with applications they have deployed. So, they have adopted the zero trust principles.
“And it has been quite a shift in mindset and shift in strategy. But, the adoption is there.”
However, this is not necessarily the case for small and medium enterprises because it is an architecture change and a mindset change.
“Only if you have that leadership support and a lot of investment of (time and effort) can you bring about that cultural change.”
Shared responsibility
Vinod pointed out how for every cloud provider, shared responsibility tends to stop at the application and data layer.
“They say, ‘You are bringing the workloads, it’s your data, you need to secure it, right.’”
“If you see the shared responsibility model, it takes care of the network, the data centre, your connectivity… they provide you all the services to implement your application and host your data.”
But the underlying data and applications are not the provider’s responsibility to secure; that falls to the customer.
“If you’re moving your data to the cloud, it’s your job to secure it. If you’re moving your identities to the cloud, it’s your job to secure it,” Vinod said.
DevSecOps
DevSecOps is an approach that enables a developer and the development teams to embrace security as part of their design and development and build processes.
Vinod opined it is about shifting traditional businesses’ mindsets to think about security at the code writing stage, and to build apps with security considerations.
The operations component of DevSecOps comes in when teams need to think about using tools to mitigate security risks that arise in the production environment.
“The development part is about building securely, but whatever gaps need to be fixed at the operations part of it, using traditional controls that the operations team has,” Vinod said.
Cyber resilience
It may be prudent to focus on recovering as soon as possible from cyber attacks, rather than defending and refusing to accept the possibility of a breach.
Vinod sees cyber resilience, as well as zero trust, and DevSecOps as being major trends moving forward.
Another major trend he wanted to point out is the whole IoT threat landscape, which is seeing an influx of Internet-connected devices.
“As IoT becomes more and more commonplace, we need to think about securing IoT devices, and providing assurance for this is going to become a major focus in coming days,” Vinod concluded.