15th September 2020
Cloud Security (9)
In an ever-evolving maritime world, where technology is advancing and customer requirements are growing, cloud computing is widely seen as the way forward and offers real benefits and efficiencies around easy implementation, sharing of information and of course, integration. Although, something we need to consider when operating this kind of technology is, how to stay abreast of cloud security to ensure the safety of data and continuity of our comms?
Cloud security broadly refers to the plethora of ways we can manage the overall security of our cloud-based technologies, including which applications, tools and controls we put in place to deliver protection. Think people, policies, and processes.
Firstly, you need to get into the detail of your cloud infrastructure and understand your suppliers shared responsibility model. Your provider will take responsibility for providing some level of security, but not all security will be managed by them. It’s an easily made, but fundamental misunderstanding that your provider will be taking care of all aspects of your cloud security and as a result crucial parts of internal policy may be missed. This presents a level of unnecessary risk and vulnerability for your organisation.
Once you have a grip of your responsibility for cloud security across your infrastructure, it is key to set a cloud security baseline. This baseline should define your cloud infrastructure and review what security you would like to embed, plus what needs to be done to keep this updated and of course, who will be responsible for this? Your baseline should be documented and circulated to stakeholders in the process, reviewed regularly and you should also consider training to get your teams up to speed, or refresh their knowledge.
Probably one of the most obvious ways to ensure cloud security is to address your internal password policy and that of your suppliers. Passwords are now used to access computers, mobile devices, applications, networks and operating systems – they are part of our everyday life. Although do you actively consider the length of your password, the use of special characters and upper and lower case on board your vessels? How often are these passwords changed on board? Are they written down and perhaps in view for “ease”?
Interestingly, official guidelines and schools of thoughts around password setting can change quickly, and often, as demonstrated recently by the National Institute of Standards and Technology (NIST). Current recommendations set by NIST are now:
- Set the maximum password length to at least 64 characters.
- Skip character composition rules as they are an unnecessary burden for end-users.
- Allow copy and paste functionality in password fields to facilitate the use of password managers.
- Allow the use of all printable ASCII characters as well as all UNICODE characters (including emojis).
The major update here is in the focus on the maximum length of your passwords now being at least 64 characters. This switch in approach demonstrates perfectly that password policies need to evolve as we learn more about how people use and abuse them.
Multi-Factor Authentication (MFA) is a term widely used in technology circles and increasingly within the maritime industry when discussing accessibility to systems. Most suppliers have become overtly aware of cyber threats advancing and getting more sophisticated in recent years and as such have engaged with this method of authentication to increase levels of security around access. When we talk about MFA, we are referring to a security feature that requires more than one method of authentication to verify the user’s identity. Within GTMaritime we apply this to the accessibility of our cloud-based Archive, which often includes sensitive information. We store up to 7 years worth of rolling data for vessels using our GTMailPlus email solution and in order to gain access to the Archive, approved users must access our management dashboard with their standard login details (first level of authentication). Here they submit an archive search request and are prompted for a one time user code. This code will be emailed to the registered email address ready for receipt by the user (second level of authentication). The code expires once used and is valid until midnight that day.
When looking at password setting and considering access rights to cloud-based technology, we should also aim to implement a least privilege approach. By operating this way as standard, you are offering the bare minimum access and functionality required to complete a task. It is the difference between having a key which opens every door and a key which only opens certain necessary doors. This approach helps to mitigate the risk of illegitimate access by cyber attackers, which in turn reduces the overall attack surface and helps to limit malware propagation. In the event of an attack, by trimming down the areas or levels of your platform or infrastructure that hackers can access, you can effectively limit the potential damage caused. It’s a no brainer! To ensure you are across the access to your platform, it is suggested you undertake regular monitoring and audits of access to ensure that has been no unauthorised access or attempts to access.
Another major element of cloud security and something which can be widely overlooked are back-ups. To really enhance your cloud security, you should back up your data frequently and consider this process part of your standard operating procedure, to ensure any archived data is up to date, can be retrieved readily and fuss free. For some maritime programmes back ups are now a firm requirement to adhere to compliance regulations. If we looked at your on board ECDIS, VDR and Cyber Security systems as examples, all now have guidelines in place by bodies such as the IMO pertaining to back ups and how they are crucial for the proficiency of your business operation.
Let’s look a little more closely at back ups and remove any confusion between backing up and syncing. Cloud- syncing is a fairly simple functionality which allows for data or files to be synchronised across multiple machines for example, but this will not help in an IT emergency whereby you are attempting to roll back or retrieve deleted documentation. To give this more context, at GTMaritime we view back ups in two ways, both of which we believe to be fundamental for cloud-based security across our entire product suite. Firstly, we operate our virtual servers out of multiple locations for redundancy, meaning the data is backed up regularly and therefore highly available, even in case of a disaster so we can ensure the continuity of our customer operations. The second way we deal with back ups is within our customer environments, to deliver reassurances around the integrity of data. In this scenario, daily back-ups of the data are taken automatically and encrypted for utmost security.
Test, test, test. Security testing is crucial to deliver security assurances across your cloud environment. A penetration test is one of the most common kind of security testing, defined as a specialised type of technical assessment conducted on information systems to identify vulnerabilities which could be exploited by adversaries. This kind of test is often used not only to identify weaknesses but also to assess resistance to weakness within an organisation. It is recommended that if you are using providers to deliver cloud technology, they should be undertaking this testing regularly and as the customer you must stay abreast of the results. If weaknesses are identified what are they doing to fix this and across what sort of time frame? It’s vital to know that the security of your cloud environment is managed proactively. In our maritime world, day to day operations can be hard enough taking into consideration remote environments and volatile connections; so, when choosing your cloud providers, it is important to ensure they can offer you full reassurance about the service, to maintain continuity and enable you to focus on the task at hand.
This articles covers just a small number of ways we can manage cloud security, the key to is to keep cloud security at the fore front of our minds, review new advice and guidelines, be prepared to make changes to policy to stay ahead of the evolving threat landscape. If unsure, don’t hesitate to seek advice from your suppliers and subject matter experts.