It all began with Cupid falling asleep… Yes, it is a blog post on cybersecurity, and it will all make sense in a minute.
So, Cupid neglected his duties, falling asleep halfway through an important task of connecting cloud and earth… Venus, goddess of love and beauty (but also prosperity and victory, which we will equate with technology in this blog) falls in love with the handsome hunter Adonis.
Adonis, however, is somewhat unimpressed. First, due to Cupid’s negligence, no love-inducing arrow hit the hunter’s heart. Second, in modern behavioral economics terms, Adonis might be suffering from the status quo bias1.
As Venus is aware of a prophecy that Adonis might have a hunting accident, she implores him to stay. But Adonis is conservative: he won’t change his hunting routine. So he leaves … to never come back.
We at Autobahn Security find the moral of the story compelling: our choices matter, and we should never let the status quo bias influence vital decisions.
Let us now see how this classical status quo bias story connects with modern life.
In what follows, we will see how a failure to make decisions based on sound reasoning continues to be a source of trouble. In particular, the psychology of rejection of cloud adoption is strikingly similar to the Adonis and Venus story. Rejecting moving from on-premise to the cloud with all the modular and elastic benefits SaaS solutions can offer is based on the same type of irrational reasoning as rejecting a goddess in favor of a regular hunting routine. And would the rejecting party not be far better off if they embraced the obvious earlier?
The cloud is a global network of remote servers that operate as a single ecosystem. These servers are designed to store and manage data, run applications, and deliver content or services like productivity software, webmail, social media, or vulnerability management software. Instead of accessing data from a local computer, you can access it online from any web-enabled device anywhere anytime.
In our blog, when we talk about moving to the cloud, we mean having applications and data that you would normally run or store in on-premise networks being transferred to cloud providers or SaaS solutions.
As we are on a mission to expose the harmful consequences of the status quo bias, let us tackle the cloud migration topic from a cybersecurity perspective.
Let us face it: the shift to the cloud is probably one of the major technological advances of the last decade. And for sure it is there to stay. According to Verizon's 2021 Data Breach Investigations Report (DBIR), 72% of information security leaders state that cloud migration represents a top digital transformation priority.
While the shift to cloud-based services generally boosts business efficiencies, competitive advantages, and cost benefits, it also raises concerns. Many organizations are worried that if you go cloud, you lose control over the security of your data or hollow your IT (the so-called ‘learned helplessness’ issue).
To briefly address the latter, there is still abundant work to do for your IT department even if you choose the on-demand delivery model of the cloud or opt for a hybrid model (on-premise and cloud). How about configuring appropriate security controls for each application you lift to the cloud? And what is with managing the data life cycle? In other words, you are more secure as an organization as your security team can focus on different tasks to provide a more resilient IT service.
Moving on to advantages it is generally much easier to set up and configure SaaS cloud-based solutions. For example, it only takes you a few clicks to scan your external IT assets in a cloud-based vulnerability management platform. By contrast, an on-premise installation is more time-consuming and resource-intensive to implement and maintain.
Besides, keeping your systems updated is much easier if you are with a reputable cloud provider or if you use specialized SaaS solutions. (Needless to say, automatic patch management contributes nicely to your cyber health.)
In addition, using cloud providers, we get access to all the resources and learning materials regarding the best practices that have been battle-tested by big companies across the world. Why not leverage that knowledge to improve your security posture, hackability score, and other cyber metrics?
The hackability score, for example, is a useful KPI in vulnerability management that enables companies to measure their hackability, compare their organization to others, and track progress. It summarizes all the vulnerabilities an organization exposes to hackers in one single score. As part of a continuous process, it enables teams and organizations to make their efforts measurable and track their progress. For details, check this blog post: https://autobahn.security/blog/hackability-measured-2.
For companies that have not yet embraced the cloud, two interconnected challenges emerge:
The advantages of using SaaS offerings in the cloud are just too attractive to overlook. Let us take a deeper look into:
To begin with, public clouds provide perimeter security2 for the data stored within their data centers and compliance controls for infrastructure. It means that your cloud-based services might already be able to fulfill many important security functions. For a company that employs no cybersecurity experts to achieve the same level is already a huge challenge that involves a significant resource overhead. So why not let the giants like Amazon do the heavy lifting for you?
For layers that go beyond perimeter security, however, businesses still need to take charge of their continuous cloud application security. Admittedly, cloud security is a shared responsibility.
In terms of perimeter security, the status quo bias firmly holds ground. In most cases, to claim that a company’s in-house perimeter security surpasses that of AWS, Azure, or Google Cloud is wishful thinking.
Many customers report that network and infrastructure are often the primary aspects when they compare on-premise versus cloud-based services. If you opt to move your on-premise applications to the cloud, life becomes easier in terms of servers, load balancers, and routers to name just a few types of assets. Your public cloud provider simply takes care of all the equipment for you.
Many IT housekeeping activities like patch management will come out of the box if you transition from on-premise to cloud-based resources.
Another perk of cloud adoption is that cloud providers give you better visibility on logging and tracing out of the box, whereas on-premise setups might need additional configuration effort to achieve the same level of visibility. Just think how you would get all those alerts when a suspicious activity has been detected if it were not for the logs and services available to provide the data for your network and infrastructure.
Besides, IT teams usually need considerable time to prepare the infrastructure for the deployment of various on-premise solutions. By contrast, deploying similar functionality is much simpler if your company uses a cloud-based service. Often nothing must be prepared!
How to manage cloud-based security risks? There are many dedicated tools for this – for example, you can automate and integrate security in your DevOps workflows. Besides, you can secure your cloud from source to run, detect runtime threats, and validate compliance on AWS or similar container services. In addition, special tools and services exist that provide both software- and hardware-based encryption.
Two aspects are worth your time:
If you use a CSPM, prioritization management platforms can help you turn thousands of discovered security issues into a few dozens of cyber fitness workouts for efficient remediation.
Many governmental organizations already use this approach: they utilize a more isolated part of an AWS, Azure, or Google Cloud for better security. To illustrate, an Amazon Virtual Private Cloud (Amazon VPC) gives administrators the possibility to control a virtual network and to use an isolated section of the AWS cloud for extra protection.
As cloud technology evolves, SaaS tenant isolation architecture advances rapidly to let you achieve a scalable, secure, and cost-effective SaaS offering.
We at Autobahn Security believe it is better not to store vulnerability findings in the same on-premise network that is being scanned but instead in an entirely separated network and application: Autobahn Security’s cloud. We have private clouds (one per client) to help our customers feel more confident.
The cloud is agile in empowering almost everyone to integrate almost anything. Establishing seamless connectivity is the future of cloud-based solutions. In an era of digital transformation, businesses must integrate applications and data quickly.
To be able to connect cloud apps and hybrid integration flows across on-premise and cloud environments, however, is demanding in terms of cybersecurity. You are likely to need to secure more and more IT assets as your company grows. So, it is only wise to choose a SaaS platform with multiple integrations that will meet your needs.
To illustrate, a useful integration for vulnerability management tools is Jira. If Jira is integrated into your vulnerability prioritization workflow, you can send a ticket to Jira for tracking remediation progress. You can also orchestrate remediation measures for the right asset owners to fix the cyber issues detected by your vulnerability scanners.
Modern data centers are certified to the highest standard, so why not inherit the most comprehensive compliance controls with AWS, Azure, and GCP?
To illustrate, AWS supports more information security standards and compliance certifications than any other offering, including PCI-DSS, HIPAA/HITECH, FedRAMP, GDPR, FIPS 140-2, and NIST 800-171. This bulletproof mix will undoubtedly make any regulatory agency around the globe happy.
The truth is that most SMB companies cannot match the cloud security compliance level of Amazon, Microsoft, or Google.
On regulations, many companies believe by default that they are not allowed to send their vulnerability management data to the cloud. This is simply not true. The transmission or processing of vulnerability data is not controlled by any laws and legal regulations.
On a similar note, many customers – especially in Germany – often ask this question: “Does my data stay in the country?” Autobahn Security can open cloud servers in the specific location you wish.
When someone thinks that hosting applications in the cloud is a security risk, it is an example of the status quo bias. Embracing the cloud is a business and technology necessity. Sooner or later any company will have to make the right choice and take decisions that are conducive to business growth.
For companies still in doubt about whether they should move the applications that they are running on-premise to the cloud or not, it is only a matter of time till the choice becomes critical. Since more and more apps and services are migrating to the cloud, most companies will have to be there eventually even if they keep their on-premise solutions. There will simply be more and more services that your on-premise infrastructure will be unable to provide. So why be late for the party if you are likely to attend anyway?
Two vital must-dos emerge for companies that do not wish to be left on the sidelines of technological progress:
Like Venus in the classical story, we respect our customer’s choice to refrain from embracing the cloud for now. However, we hope that they can reconsider.
And what about Cupid? Let us put an altruistic spin on the whole story, shall we? After all, it’s a best management practice to encourage better performance… He simply must send his love-inducing arrows to trigger love for the new cloud technology. We suggest waking the messenger of love up. Venus might throw one of her roses or lightly tickle Cupid till he wakes up…
Forward-looking businesses must embrace cloud and SaaS as the only viable alternative. The cloud offers much flexibility, allowing businesses to easily adapt to new challenges like the Covid pandemic and the need to make remote work more secure. With cloud adoption, companies can expand and try new strategies and products without investing in expensive equipment. Become global like Autobahn Security!
Autobahn Security is a security-by-design application that helps you cluster and prioritize cybersecurity issues. Our vulnerability management platform can help you distill several hundred thousand security issues from a vulnerability scanner and turn them into a dozen actionable workouts that your IT professionals will love. We have data encryption in transit and at rest, regularly pentest our applications and deploy role/permission-based access models to name just a few of our perks.