Cybersecurity: can you combine a high-performance information system with data control?
Published on 11/20/2020 by Giuliano Ippoliti, Director of Cybersecurity at Cloud Temple

Phishing, ransomware, data leaks... it seems that the cybersecurity news is getting busier and busier. What is the real level of threat, and what should we be most concerned about in this period of uncertainty marked by the Covid-19 epidemic? How can a company combine security and data control when choosing its information system?

Overview of cyber threats

The European Network and Information Security Agency (ENISA) provides some very interesting information on this subject in its annual report, ENISA Threat Landscape, freely downloadable from the Internet.

The key element of this document is the top 15 cyber threats over the period January 2019 to April 2020.

Let's look at the first three, and therefore the three most important:

  1. Malware: cryptomining, worms, viruses, spyware and more continue to hold first place, as in the 2018 report. However, new trends are emerging:
    • a change in targets (businesses rather than consumers),
    • the distribution of malware-as-a-service (sale on the dark web of packages including infrastructure and malicious code),
    • the increasing sophistication of infection mechanisms.

  2. Web attacks: a wide range of compromise vectors, including:
    • URLs designed to trap victims,
    • injections of malicious code into legitimate but compromised sites,
    • web browser exploits.
      Content Management Systems (CMS) remain an ideal target for attempts to exploit vulnerabilities, due to their popularity.

  3. Phishing: an old but formidable technique that exploits human weaknesses to steal data or extract money. The Covid-19 pandemic saw a surge in phishing attempts, mainly through e-mails with Microsoft Office documents attached.

Faced with this worrying panorama, what choices do businesses have to protect their data and deal with the threats? This is a very broad question, which this article examines from the specific angle of the information systems deployment model.

Which information system is right for cyber security?

Four choices are examined: on-premise, private cloud, public cloud and hybrid cloud. It's worth noting that the choice of the public cloud seems paradoxical: isn't it a mistake to put your data in a cloud open to the general public and managed by non-European multinationals?

The question is not as simple as it seems.

So let's take a look at the advantages and disadvantages of each choice.

On-premise

The company deploys its information system on self-hosted infrastructures, either in its own data centres for larger entities or in server rooms set up for SMEs.

The attraction of this choice is undoubtedly the full control exercised over the data: no questions about where it is located, and complete control over physical and logical access. The downside is that building your own infrastructure requires considerable investment (CAPEX), with the risk of ending up with obsolete equipment after a few years. It also requires specialist skills, which are not always easy to acquire. It's not easy to achieve the same level of quality and security as pure-play hosting providers!

Private Cloud 

The company uses the infrastructure provided by a cloud provider, with whom it signs a service contract tailored to its needs. In this case, the choice is generally for a sovereign cloud, which hosts and processes data on national territory.

The advantage of this model lies in the control that customers gain over the location of their data, while being relieved of the 'hassle' of building their own infrastructure.

Of course, not all providers are equal in terms of security. That's why it's worth looking at their level of certification. The 'bare minimum' is ISO 27001. But the most demanding is SecNumCloud, the French standard published by the Agence nationale de la sécurité des systèmes d'information (ANSSI). SecNumCloud requires qualified service providers to store and administer data in France.

So what are the disadvantages of this choice?

Perhaps most importantly, private clouds are still some way behind public clouds in terms of automation, elasticity and self-service provisioning.

Public cloud

The company turns to offerings from players such as Amazon Web Services (AWS), Microsoft Azure, Google Cloud or Alibaba Cloud.

Why turn to these foreign behemoths with their fixed terms of service, against whom the balance of power is inevitably unfavourable? The answer lies in the richness of their service offering and the agility they allow with Infrastructure as Code techniques: deploying complex architectures becomes almost like pushing a button.

So what about security? Well, these giants, aware that this is the main factor holding back their adoption, invest billions every year in this area and collect security certifications.

Hybrid Cloud

The company tries to take advantage of the best of the different worlds, for example by hosting the most sensitive business data on-premise or on a sovereign private cloud, and by adopting a public cloud to rapidly develop innovative applications. In this case, interoperability is the main challenge, along with the complexity of managing a multi-cloud information system.

So what should you choose?

Clearly, there is no single best choice in absolute terms, as each company has its own specific characteristics in terms of market, business requirements, legal and regulatory constraints and so on.

The most appropriate approach would be to use a risk assessment method to guide you through the various possibilities, the French reference being EBIOS Risk Manager.

From my point of view, I would nevertheless advise you to study the hybridisation option described above carefully, with the help of a trusted service provider.

Would you like to discuss it? Share your thoughts with us? Contact us.
