In this exclusive interview Asia-Pacific-based cloud security architect and cyber security consultant Mayank Sharma shares key insights on cloud migration and how to manage an Internet of Things (IoT) cyber security strategy.
Cyber Security Hub: What steps should be considered when migrating critical infrastructure to cloud?
Mayank Sharma: Firstly, look at what you want to achieve with cloud, which could be adding more automation, intelligent decision-making or introducing predictive analytics. Finding this business need is perhaps the most important step of the process. During this step, engage the business stakeholders, IT managers and enterprise architects. When you know what you want to create, research the services cloud can offer to support you in achieving this goal. This ‘vision’ is the key document which drives all the future work.
Secondly, create a strategy for critical infrastructure in cloud based upon the business requirements. This should include items such as capabilities that will exist in the cloud for critical infrastructure. Your strategy development should include:
- A regulatory assessment (for example, privacy or any other regulation that applies).
- A security assessment.
- A security operating model.
- A governance framework.
While developing the strategies research about if your cloud security solution will have the same security capabilities as your current on-prem environment. One should also consider what new threats are introduced as a part of moving to the cloud, threat model them and see if mitigated threats are within the risk appetite of the business. If it falls outside of risk appetite, then consider what extra efforts will be required to bring it within the risk appetite.
Thirdly, create a migration plan. This is a more detailed version of various elements involved in migration activity. An iterative approach is always better than a ‘big bang’ approach so try not to be overly ambitious and move all your infrastructure at once. A phased migration beginning with less critical assets is always preferable. Also assess the overall security of this migration plan.
Finally, continuously review the cloud landscape to ensure that it remains secure, reliable and cost-effective. Conduct regular security and compliance audits to ensure that the infrastructure meets regulatory requirements and industry best practices. Cloud is much more dynamic than traditional on-premises infrastructure so continue to assess new services and develop a robust service enablement process to onboard any new services quickly.
“In short, IoT has rewritten the rule book.”
CSH: What challenges are cyber security professionals likely to face from the Internet of Things (IoT) 4.0?
MS: In short, IoT has rewritten the rule book. The challenges are two pronged; first is the amount of data that is being collected. These devices are in peoples’ homes or being worn by them and are checking their movements and collecting sensitive data such as private health data. This information is often sent to cloud to provide meaningful analytics to the end users or to feed into critical business processes. This information is extremely sensitive in nature and must be handled with care.
Secondly, traditionally the device onboarding in a large organization is an exhaustive process, however with these wide-ranging devices (from TV to smartphones, to sunglasses, to smart watches) it is extremely challenging to create a cohesive strategy for all types of IoT devices.
IoT has disrupted critical infrastructure even more! Historically, the Purdue model is the go-to model for industrial control systems and operational technologies (OT). It segments the different processes in different networks and ensures security is maintained by firewalling the different segments. It also includes a very rigid network separation between OT and IT systems.
IoT 4.0 disrupted this security model. Purdue cannot natively integrate with cloud systems and IoT 4.0 – or industrial IoT – also blurs the line between IT and OT. So, the security controls by means of network segmentation are no longer valid with IoT 4.0. What makes things trickier, is that typically industrial systems are designed for a very long life, in the order of decades, and may incorporate protocols can become vulnerable over this time.
Connection with IT and cloud provides an attack surface to a threat actor to exploit these vulnerabilities. Needless to say, people can suffer physical harm from a compromised industrial system, so the stakes are very high.
CSH: How can cyber security professionals create and manage an IoT cyber security strategy?
MS: IoT is a rapidly growing field that is disrupting the way organizations operate and interact with their environments. As more devices become connected, it is increasingly important for organizations to have a clear understanding of the strategic need for IoT and to develop a comprehensive security strategy to protect against potential threats.
The first element of the strategy is creating a strategy about the IOT devices themselves. This should cover how the devices will be onboarded, while how they will be deployed and maintained (for example, firmware upgrades and decommissioning) should be discussed during this step. Physical security of these devices should be reviewed in this phase. Finally, how much data should be collected should also be discussed in detail when creating a strategy about IOT devices.
Second element of the strategy is analytics. This step primarily deals with the security of analytics engine where meaningful information is derived from the signal received from IOT devices. Data security and user privacy should be reviewed in this step.
Third element is the integration. This element primarily deals with security of integration between analytics engine and other business systems.
While developing the security strategy of devices, analytics engine and integration, delve into the security domains of authentication and authorization (e.g., how devices will authenticate with the organization and ensuring that only authorized devices can access the network).
All data transmitted should be encrypted using resilient encryption algorithms to prevent unauthorized access and “eavesdropping”. Data protection, data access controls and data deletion policies should be implemented to ensure that data is protected at all times. As the organization matures, security patterns can be developed to reuse in-house capabilities and further enhance the security of the IoT network.
“Imagine the consequences of an out-of-control AI model to an organization!”
CSH: How can organizations create an AI strategy for the cloud?
MS: The field of artificial intelligence (AI) is rapidly evolving and has the potential to transform businesses across various industries. The introduction of AI, however, also poses significant risks, particularly if the AI model is not properly managed or if it malfunctions.
Imagine the consequences of an out-of-control AI model to an organization!
To mitigate these risks, business leaders must ensure that AI is developed with adherence to secure development practices; using high quality data when training the AI model and ongoing governance will ensure that the model remains trustworthy and free of bias.
Development of a well-defined AI strategy should be based on these three principles. To begin with, it is important to identify:
- The context in which AI will be used.
- The amount of risk the organization is willing to take.
- The risks associated with the introduction of AI systems.
These risks should then be assessed and appropriate mitigating control should be introduced. Lastly a matrix should be developed to effectively monitor key risk indicators (KRIs) and key performance indicators (KPIs).
Overall, a well-defined AI strategy is essential for businesses to maximize the potential of AI while mitigating risks. A good resource on this matter is the AI Risk Management Framework by the National Institute of Standards and Technology (NIST).