I’m sitting here patching a server running Windows Server 2016 and waiting…and waiting…and waiting for the updates to install. Software updates usually apply much faster on later Windows Server versions like 2019 and 2022, but hey, not everyone can upgrade to the latest version, right? Anyway, as I am waiting for the update process to reach that magic 100% installed milestone so I can log on to the server again, I decide to take a quick stroll through the Twitterverse.
And what do I find? This little nugget:
Cloud security is an illusion. Transferring the risks doesn’t make them disappear. At best you’ll lose visibility and sleep better (but really, you shouldn’t). https://t.co/HeDWdnSntL
— x0rz (@x0rz) August 27, 2021
There are some interesting truths hidden in that statement if you try unpacking it.
So, let’s try.
Risk management is a zero-sum game
A zero-sum game, if I understand it correctly, is one where one person winning means the other person has to lose something. It’s the very opposite of what the marketing world is always touting as “win-win solutions” that can make everybody happy.
And when it comes to managing risk in our IT profession, including cloud security, the idea is that you can’t really eliminate risk or even mitigate it — you can only transfer it. What one party (you, the customer) gains in reducing their risk exposure, the other party (your cybersecurity solutions vendor or security provider) loses by taking on the risk of keeping your infrastructure safe.
Well, I guess they don’t completely lose since you pay them money to do this. But that’s another zero-sum equation.
This is also why some businesses choose not to invest any serious money in safeguarding their IT infrastructure. Instead, they fork over some of their money to an insurance company specializing in selling cybersecurity risk insurance, thus gaining confidence that they can recoup their losses if their business suffers a cybersecurity breach. The insurance company, which is also really only interested in protecting its bottom line, charges a high enough premium that it is protected against significant revenue loss should it end up having to pay out on its customer’s policy as a result of the breach — subject, of course, to all of the usual exclusion clauses of the typical insurance contract.
In other words, what I’m saying is that cyberthreat protection isn’t about innovative technologies or state-of-the-art solutions. It’s really just about saving money — like everything else in the business world.
How to avoid transferring all of your risk
Putting all your eggs in the basket of your cybersecurity solution provider is an attractive idea, but it might be smart to keep a few eggs handy at your end in case the basket gets tipped over. How, then, can you hang on to some of your eggs?
One way when you’re negotiating an arrangement with a security solutions provider — especially where it involves using services provisioned from the cloud — is to ask them how you can gain more visibility into your assets running in their cloud. And perhaps, to a degree, into the underlying infrastructure the provider is using to host their cloud services. Are they patching their hosts — the systems they provision for running your virtualized workloads — according to a set schedule or workflow? You, the customer, should be in the know concerning this. Does the IT staff they have for maintaining their cloud infrastructure have more expertise and resources than your own IT personnel? You ought to be convinced of this before you let them assume responsibility for keeping infrastructure safely running after you migrate it to their cloud. Just because a cloud company is a lot bigger than you are doesn’t mean they’re smarter than you are from an IT perspective. Or more disciplined in managing processes. Or more diligent in dealing with situations when they arise.
Remember also that cybersecurity from a liability stance usually doesn’t apply to only two parties, in this case your business and your cloud provider. There’s also the matter of your customers. If one of your customers entrusts their data to you and your provider’s solution doesn’t protect it and it gets stolen, you and your business may be facing a liability issue when your customer sues you. You might then try to transfer that liability by suing your cloud provider, but remember that at the end of such games, it’s usually only the lawyers who end up winning. Everybody else loses. It’s zero-sum again.
And don’t think that just because your cloud provider is much bigger than you, they must be spending lots of money on security, hardening their own cloud infrastructure through frequent auditing, pentesting, and offering bug bounties. Money is all that matters to them as well, so cutting corners is more common than you might think. Especially for huge, established companies that are trying to maintain their dominance in the market.
It’s probably the startups, the innovative new cybersecurity vendors, who are most conscientious about making sure their own services are hardened against attack, because they’re trying hard to build market share in a highly competitive field. But will they last? Will they be around two or five years from now, or be acquired by bigger, less customer-responsive vendors?
So many questions, so few clear answers. Better go check if my server has finished patching…
Rats! Guess it’s time for another coffee.
Featured image: Shutterstock