The Myth of Cloud Insecurity

October 31st, 2017 | Posted by Alexa Magdalenski in Capital Cybersecurity Summit | Cloud | Guest Blogs

Telos Corporation CEO and Chairman of the Board John Wood addresses cloud security in his new guest blog. Wood will be moderating the State of Cloud Security and Compliance panel at the Capital Cybersecurity Summit on Nov. 14-15 at The Ritz-Carlton, Tysons Corner.


It’s not exactly clear when the term “cloud” was first used to describe shared pools for configurable IT resources. However, it’s safe to say that it started creeping into our lexicon less than ten years ago.

Back then, the official definition of cloud was even less clear than it is today. Regardless of what the cloud actually was, this mysterious cloud entity was widely assumed to be unsafe.

That said, even from the beginning, I saw that the cloud offered many security advantages, especially to smaller companies that couldn’t afford to make infrastructure investments and hire many highly-skilled staff to manage complex IT systems in their own on-premises data centers. Still, doubts about cloud security swirled.

But in 2014, a crazy thing happened. Defying conventional wisdom, the CIA, arguably the most security conscious organization in the world, announced their plan to work with Amazon Web Services (AWS) to adopt commercial cloud services. Shortly thereafter, C2S was born.

Even though countless other agencies had already adopted the cloud by 2014, the CIA and C2S gave the cloud instant credibility. It made federal agencies and highly-regulated commercial organizations realize that if cloud technology is good enough and secure enough for the CIA, then it must be secure enough for them. Granted, C2S is an isolated environment, but it was noteworthy that the CIA made the often-trumpeted “cloud first” policy a reality.

AWS recognized early on that security was important to ensure continued, widespread adoption of cloud services. For this purpose they introduced a shared responsibility model to help explain the security benefits you derive simply by hosting your workloads within AWS. Under this model, the customer is responsible for security in the cloud, and AWS is responsible for security of the cloud.

Not only does this shared responsibility model help address a number of security questions, especially in the areas of infrastructure and physical security, it also helps clients demonstrate compliance requirements more quickly and efficiently, because they can inherit results directly from AWS.

AWS certainly isn’t the only cloud service provider (CSP) in the game – Azure and Google also understand how important the message of cloud security and compliance is to drive further cloud adoption.

Despite all of this, it is essential for organizations to understand the potential security pitfalls of cloud adoption. It’s essential to know where your cloud service provider’s responsibility stops and customer responsibility starts. There have been a number of recent breaches resulting from unsecured cloud-based database deployments. Customers need to understand, and take seriously, their responsibility in protecting their systems, their applications and their data.

The cloud has come a long way over the last ten years. Much progress has been made to enhance security and promote these security and compliance benefits. However, there is still work to be done to address lingering security concerns, questions and perceptions to help drive even broader adoption of cloud services.

If you’d like to hear what CSPs have to say about the myth of cloud insecurity, join me on Wednesday, November 15 at NVTC’s Capital Cybersecurity Summit. I will be moderating a panel that will discuss the current state of cloud security and compliance, featuring prominent voices from the big three cloud providers: Google, Microsoft and AWS. I hope to see you there!


National security is now the number one security concern for Americans, according to the recently-released global 2017 Unisys Security Index, replacing financial security as the top fear from the 2014 survey. Americans’ concerns about internet security, specifically viruses and hacking, rose most dramatically over the last three years, coming in as the number two security concern in this year’s index.

In a world more interconnected by technology than ever, the cyber threat landscape has never been more daunting. Alarmingly, one in three website visitors last year were attack bots and over 94 percent of 100,000 websites analyzed over a 90-day survey period experienced at least one bot attack, according to Imperva’s Bot Traffic Report 2016. Companies and agencies at the frontline of protecting the country and consumers from cyber-attack face countless challenges beyond the cybersecurity threats themselves.


NVTC 2017 Cybersecurity SitRep

NVTC’s newest infographic provides an updated look into NVTC members’ cybersecurity hiring and resource allocation trends while reiterating the key takeaway of last year’s cyber infographic: The human element exposes us to the greatest cyber risk, from cyber talent to employee training to insider threats.

Acquiring top cyber talent remains a priority to NVTC members, with 50 percent reporting they will hire cyber professionals over the next 12 months, a five percent decrease from last year. Employee training is the single greatest focus for our members with 50 percent reporting it as their greatest cyber resource allocation, while 42 percent are targeting a technical solution first. The human element – both human error and insider threats – was acknowledged as the greatest cyber threat facing the country today.

Cybersecurity Talent Gap Continues to Widen in 2017

Organizations are experiencing tremendous difficulties filling cybersecurity positions and retaining skilled talent in these positions. By 2022, it is predicted there will be a shortfall of 1.8 million cybersecurity professionals in the U.S. In Greater Washington alone, there are over 44,000 open cybersecurity positions.

The 50 percent of NVTC members reporting cyber hiring needs are in stiff competition to attract the cyber talent with the experience, skills and certifications they require to be competitive in today’s marketplace. Local tech employers are looking for creative ways to engage new talent pools to fill their cyber workforces, using models such as NVTC’s own Tech Talent Employer Collective, which uses the U.S. Chamber of Commerce Foundation’s Talent Pipeline Management methodology to put employers into the driver’s seat, setting the workforce development requirements around shared employer needs.

Cybersecurity Venture Funding In the Region Remains Steady

While it is unlikely we will again see cyber ventures play as outsized a role in venture funding as they did in 2015, when 46 percent of all funding went to cybersecurity services and products, a steady stream of cyber venture funding continues in Greater Washington, with $210 million collected in calendar year 2016 and $173.2 million from Q4 2016 through Q3 2017.

This support network, including incubators and innovators from MACH37 to In-Q-Tel to CYBERCOM at Ft. Meade, enables a community with innovation capacity and the agility to rapidly evolve to meet the ever-growing cyber threat.

Evolving Cyber Threat Vectors

Internet crimes reported to the FBI’s Internet Crime Complaint Center (IC3) in 2016 represented more than $1.3 billion in losses. Those nearly 300,000 reported crimes are estimated to be only 15 percent of all internet crimes that took place. This year’s numbers so far show that things continue to rise – distributed denial of service (DDoS) attacks alone showed a 380 percent increase in Q1 2017 over Q1 2016.

Even with the rise of more sophisticated bot attacks and ransomware, 63 percent of NVTC members rank the human element as the cyber threat requiring their greatest focus. A recent study on email threats estimates that one in four emails appearing to come from a dot-gov domain is a phishing attempt and three out of four organizations reported being the victim of a phishing attack in 2016.

The threat landscape seems even more ominous when you add in the increasing sophistication of the methods used in spear phishing, a more targeted attack that often spoofs more realistic identities known to the victim; the days of being asked to help move royal gold reserves out of Africa are being replaced by seemingly innocuous requests from “Randy in accounting” to take a look at an attached spreadsheet. Despite this increasing threat, progress is being made through awareness and training programs teaching how to stay secure and safe in the current environment, an approach being adopted by all industry sectors, not just IT.

Community Threats Need a Community Response

We are lucky to reside in the nation’s cyber capital, where the resources and environment support cyber innovation and where the nation’s most qualified cyber workforce lives and works. Perhaps Greater Washington’s biggest advantage in cybersecurity is the collaboration happening in the region. Each day stakeholders from the private, public, incubator and academic communities come together to work on the biggest cyber threats.

To deepen cyber collaboration in the region, NVTC will be hosting the second annual Capital Cybersecurity Summit on November 14-15, 2017 at The Ritz-Carlton, Tysons Corner. At the Summit, the nation’s cyber leaders will share their unique insights and best practices into topics such as attracting top cyber talent, cloud security, cyber risk management, strengthening cybersecurity through public-private partnerships and more. Attendees will have unmatched networking opportunities to discuss their latest innovations and the cyber challenges they face. Get the latest Summit agenda here.

View NVTC’s 2017 cybersecurity infographic at www.NVTC.org/2017CybersecurityInfographic
