Is cloud security an illusion?

I’m sitting here patching a server running Windows Server 2016 and waiting…and waiting…and waiting for the updates to install. Software updates usually apply much faster on later Windows Server versions like 2019 and 2022, but hey, not everyone can upgrade to the latest version, right? Anyway, as I am waiting for the update process to reach that magic 100% installed milestone so I can log on to the server again, I decide to take a quick stroll through the Twitterverse.

And what do I find? This little nugget:

https://twitter.com/x0rz/status/1431162379497246722

There are some interesting truths hidden in that statement if you try unpacking it.

So, let’s try.

Risk management is a zero-sum game

A zero-sum game, if I understand it correctly, is one where one person winning means the other person has to lose something. It’s the very opposite of what the marketing world is always touting as “win-win solutions” that can make everybody happy.

And when it comes to managing risk in our IT profession, including cloud security, the idea is that you can’t really eliminate risk or even mitigate it — you can only transfer it. What one party (you, the customer) gains in reducing their risk exposure, the other party (your cybersecurity solutions vendor or security provider) loses by taking on the risk of keeping your infrastructure safe.

Well, I guess they don’t completely lose since you pay them money to do this. But that’s another zero-sum equation.

This is also why some businesses choose not to invest any serious money in safeguarding their IT infrastructure. Instead, they fork over some of their money to an insurance company specializing in selling cybersecurity risk insurance, thus gaining confidence that they can recoup their losses if their business suffers a cybersecurity breach. The insurance company, which is also really only interested in protecting its bottom line, charges a premium high enough that it is protected against significant revenue loss should it end up having to pay out the customer’s policy as a result of the breach — subject, of course, to all of the usual exclusion clauses of the typical insurance contract.

In other words, what I’m saying is that cyberthreat protection isn’t about innovative technologies or state-of-the-art solutions. It’s really just about saving money — like everything else in the business world.

How to avoid transferring all of your risk


Putting all your eggs in the basket of your cybersecurity solution provider is an attractive idea, but it might be smart to keep a few eggs handy at your end in case the basket gets tipped over. How, then, can you hang on to some of your eggs?

One way, when you’re negotiating an arrangement with a security solutions provider — especially one that involves services provisioned from the cloud — is to ask them how you can gain more visibility into your assets running in their cloud. And perhaps, to a degree, into the underlying infrastructure the provider is using to host their cloud services. Are they patching their hosts — the systems they provision for running your virtualized workloads — according to a set schedule or workflow? You, the customer, should be in the know concerning this. Does the IT staff they have for maintaining their cloud infrastructure have more expertise and resources than your own IT personnel? You ought to be convinced of this before you let them assume responsibility for keeping your infrastructure safely running after you migrate it to their cloud. Just because a cloud company is a lot bigger than you are doesn’t mean they’re smarter than you are from an IT perspective. Or more disciplined in managing processes. Or more diligent in dealing with situations when they arise.

Remember also that cybersecurity from a liability stance usually doesn’t apply only to two parties, in this case your business and your cloud provider. There’s also the matter of your customers. If one of your customers entrusts their data to you and your provider’s solution doesn’t protect it and it gets stolen, you and your business may be facing a liability issue when your customer sues you. You might then try to transfer that liability by suing your cloud provider, but remember that at the end of such games, it’s usually only the lawyers who end up winning. Everybody else loses. It’s zero-sum again.

And don’t think that just because your cloud provider is much bigger than you, they must be spending lots of money on security, hardening their own cloud infrastructure through frequent auditing, pentesting, and offering bug bounties. Money is all that matters to them as well, so cutting corners is more common than you might think. Especially for huge, established companies that are trying to maintain their domination in the market.

It’s probably the startups, the innovative new cybersecurity vendors, who are most conscientious in making sure their services are themselves hardened against attack, because they’re trying hard to build market share in a highly competitive field. But will they last? Will they be around two or five years from now, or be acquired by bigger, less customer-responsive vendors?

So many questions, so few clear answers. Better go check if my server has finished patching…

Rats! Guess it’s time for another coffee.

Mitch Tulloch

Mitch Tulloch is Senior Editor of both WServerNews and FitITproNews and is a widely recognized expert on Windows Server and cloud technologies. He has written more than a thousand articles and has authored or been series editor for over 50 books for Microsoft Press and other publishers. Mitch has also been a twelve-time recipient of the Microsoft Most Valuable Professional (MVP) award in the technical category of Cloud and Datacenter Management. He currently runs an IT content development business in Winnipeg, Canada.
