Introduction Previously we introduced the concept of cloud leaks, and then examined how they happen. Now we’ll take a look at why they matter. To understand the consequences of cloud leaks for the organizations involved, we should first take a close look at exactly what it is that’s being leaked. Then we can examine some of the traditional ways information has been exploited, as well as some new and future threats such data exposures pose.
When we examined the differences between breaches, attacks, hacks, and leaks, it wasn’t just an academic exercise. The way we think about this phenomenon affects the way we react to it. Put plainly: cloud leaks are an operational problem, not a security problem. Cloud leaks are not caused by external actors, but by operational gaps in the day-to-day work of the data handler. The processes by which companies create and maintain cloud storage must account for the risk of public exposure.
A funny thing that’s happened as the digitization of business has sped up in the last ten years is that process cadence has not done well in keeping up. Regulatory compliance standards often use quarters, or even years, as audit intervals, and in unregulated industries that interval can be yet longer. But in the data center, changes happen all the time, changing the risk profile of the business along with it. Determining which changes are the root cause of a problem can be the difference between fixing it and having it happen again.
The NERC CIP v5 standards will be enforced beginning in July of this year, but version 6 is already on the horizon. Previously, we examined the differences between v3 and v5, and we saw how the CIPs related to cybersecurity were evolving. This pattern continues in v6, with changes coming to some of the cyber CIPs and the addition of standards regarding “transient cyber assets and removable media,” but the major changes in v6 have to do with scope-- which facilities are required to comply, and at what level they must comply: low, medium or high impact. We’ll examine some of the differences coming up in CIPv6 and what they will mean for the industry.
Cyber resilience is a fundamental change in understanding and accepting the true relationship between technology and risk. IT risk (or cyber risk, if you prefer) is actually business risk, and always has been. And the cybersecurity industry, for what it's worth, has generally avoided this concept because it goes against the narrative that their respective offerings—whether it's a firewall, IDS, monitoring tool, or otherwise—would be the one-size-fits-all silver bullet that can keep businesses safe. But reality tells a different story.