Cool. Right. So good afternoon everyone. My name is Mohamad Ana, I'm the media chief product officer, and today I would like to talk to you about whether your cloud is going to be NIS 2 ready. Right.
Alright, so first of all, obviously we all know this, that cyber attacks are on the rise these days. A lot of companies, especially mid-size companies, and also enterprises, have experienced cyber crime: 28% according to the European Union, less in 2021 for that.
And you may be aware as well that a lot of universities, governments or banks are affected by ransomware attacks. And according to IBM, for example, the cost of a data breach or even a ransomware attack is around 4.45 million. And this is basically the number where the costs include paying the fines, remediating the breaches and investigating as well.
The cost will add up with the size of the data that is hit by ransomware or a data breach. And for that, it starts also with the NIS 2 directive. So this is the new regulation from the European Union?
Well, not quite, yeah. So it's an update from the first NIS, basically.
So, which is starting in January 2023. The idea was that companies who are operating in the critical and important sectors have to be not only secure but also resilient against cyber attacks, right? So technically there's a deadline for it, which is in October, and the companies have to be ready for NIS 2 before then, otherwise they'll get fined, which I'll explain later as well.
However, from the chatter that I heard from the BSI or from other organizations all around Europe, the deadline might be extended. So we do not know when it's there. But for Germany itself, it seems that there's already a draft ready that is being discussed within the parliament.
And so when it comes to the NIS 2 directive, the rule of thumb is the following: if your company is operating in the European Union in a critical or important sector.
So as you can see there, the essential entities and important entities, the green ones are basically from the NIS directive, the old one, and the blue ones are actually the new ones from the NIS 2 directive. And if you have more than 50 employees and 10 million euro total revenue, then you are going to be affected by NIS 2.
Again, each country in the European Union might have a different understanding of NIS 2. So they might lower the number of employees or total revenue, or even add more sectors that can be affected by NIS 2. So we do not know until it's actually been implemented for each country, and in Germany alone accordingly as well.
It is predicted that more than 10,000 companies are affected by the NIS 2 directive and they might not even realize it yet. The reason being is that it's not really popular, to be honest with you.
I've been going to events for FIC or any other cybersecurity events over the past year. 50% of them in Germany don't even know what NIS 2 is. That's really concerning.
Yes, especially for the mid-size companies, because they assume that they are not really important sectors, and I think the definition of important sectors is really changing with the NIS 2 directive. And also most of them are kind of wait and see until the 17th of October. So that's also the reason why that can happen. Yeah. So what are the consequences for those companies who are, let's say, non-compliant with the NIS 2 directive?
So obviously the first one is about the money: a fine of up to 2% of the global revenue or 10 million euros. And another thing as well is that you might be asked to do a security audit or compliance audit ordered by the government itself; if they identify you and then you can't, let's say, prove that you are NIS 2 compliant, then you are going to be asked to do so. And probably this is something that's really scary for upper level management: that they can be sanctioned or they can be held liable. In this case, for example, they can get managerial bans because of this, right?
So now talking about the cloud and the NIS 2 directive, what's the connection here? Obviously the NIS 2 directive is affecting all company aspects, basically, not only the cloud but also identities, emails, hardware servers, all the firewalls, et cetera and so on.
But in here I'm just going to be talking about the cloud, and especially nowadays people are migrating from on-premise to the public cloud as well.
And the problem is that nowadays 99% of the attacks happening on the cloud actually happen due to human errors and misconfigurations. And so that's actually the problem. So one example is the model one, a couple of months ago, and they got a ransomware attack basically because of this kind of cyber attack from the cloud, right? So in here I can't really explain much of how to make the cloud NIS 2 ready. This is just a taste, basically, of what you can do for it. There are six points I'm going to be talking about here.
So the first one is that you as a company have to understand what you're dealing with.
What are your resources, basically, or what are the aspects that you have within your cloud infrastructure? Because the thing is that having this kind of full visibility of your cloud infrastructure is not easy.
For example, in AWS, if you wanted to know how many resources you have within all your infrastructure, you have to go to each service and go to each region, basically, and you have to repeat it over and over again, and that's not easy to do. And the second one is that you have to ensure that the cloud resources are correctly and securely configured. The reason being is that the default configuration is not the secure configuration.
You still have to enable the secure configuration by yourself, because that is your responsibility as a cloud customer. In this case that is the shared responsibility model: you actually have to do it yourself, for your company, to ensure everything is correctly configured.
Another thing, which is probably something that might be interesting for you guys, is that you have to implement the least privilege principle as well, ensuring that only authorized users are allowed to access authorized resources with limited privileges.
Another part is that you have to set up adequate logging and monitoring to understand what happened, who accessed what, what was happening and so on. That's the case. It's not easy to do so, because the thing is that the cloud doesn't actually detect, doesn't even record everything, and that's the problem as well: you actually have to be aware of what's going on within your cloud.
And one of it is through the log activities. And another one is that you have to also ensure that your cloud is going to be resilient and ready against cyber attacks. You might do, for example, penetration testing, or you might do breach and attack simulation. The idea is that you have to ensure that the cybersecurity strategy implemented in your cloud and your team are actually working, and that's not easy to do. Otherwise it's going to be a problem.
So if you would like to know more about NIS 2 and cloud security and how you can achieve it, check out our website, and thank you so much.
So, do you have any questions?
Okay, one obvious question, if I may: yes, you're absolutely right, we're saying that it's actually still my responsibility in the shared model, but isn't it a huge marketing opportunity for the cloud service providers to say we can actually make you NIS 2 compatible, just give us some more money, or even for a third-party security solution? So why aren't we seeing more of that?
Well, the thing is that it is a big market, and that's also what we are doing as well, basically.
But the problem in the end is that many companies don't even... first of all, it's about understanding that they are actually affected by NIS 2; that's the first thing that they don't know. And second, imagine, let's say, AWS for example has to ensure that every company is NIS 2 compliant from the customer side as well.
It'll require a lot of time for them to do so, because each of the customers basically has a specific or unique infrastructure, and that's not going to be easy to implement, because it depends on the requirements of the regulation, for example, right? So that's going to be different from one company to another company, and that makes it really unique, and that's also a really big opportunity for you as well.
Especially here, for example, with the identity companies that are offering services, to offer tailored solutions for them to make sure, hey, you're going to be NIS 2 compliant for the identity part. Why not? That's the case.
So where do we, I mean the customers, those potentially affected companies, where do they have to go now?
Like, if you remember those years before when the GDPR just started, everybody was running around screaming like, what do we do? Take my money but do something for me. So what's going on now with NIS 2?
So,
And this is a really interesting one, because right now, for example, the BSI, the German Federal Institute for Cybersecurity in this regard, is releasing the draft, and you can actually take a look at the NIS 2 directive from the European Union itself as well as the interpretation from the German law for that.
And you can basically start by first of all checking if I'm going to be affected by NIS 2; if yes, then you have to actually check everything, basically, whatsoever in that case. So a good, let's say, rule of thumb in this case is that it's going to be based on ISO 27001. However, you have to ensure, and you have to be able to show, that you have continuous efforts for security and cyber resilience for all of your company's aspects, basically ranging from the cloud even to the emails, whatsoever.
You have to really show that, hey, I have this whole strategy ready, implemented continuously for my employees and for my cloud, basically. That's the case.
Okay, thanks. Any further questions?
We do,
Yeah. Hello. Thank you for the presentation. It was awesome. Isn't it the case, like in NIS 2, especially for the mid-level size of companies, that it's better to move fully into the cloud? Because at least from my knowledge of NIS 2 it's better, because you don't need to solve the problems with on-premise, where it is stored, if it's secure enough, et cetera, because to be NIS 2 compliant it needs to have the log room with evidence, with the keys from the server, et cetera.
So isn't it better, if it's a mid-size company that has a few servers, to move fully to the cloud, because most of it is solved by the shared responsibility model of the cloud solution, and I basically need to only cover the security and management and stuff like that? Isn't it better to fully move into the cloud?
Yeah, thanks very much for the question. Thank you. That's a really good question that we have also been asking as well. So, a lot of companies, why aren't you moving to the cloud? For example, here in Germany many of the companies are saying, oh, we can't move to the cloud because of GDPR issues.
We have customer data, you know, personally identifiable information of the customers themselves, and they are really scared to move to the cloud because they are afraid that they are going to break the law and something like that, which is not really the case. Even the German government is actually actively trying to use AWS, but again they are still in testing mode and trying to see how they are actually moving to the cloud. Even the German government is now implementing Kubernetes, for example.
So for the on-premise, the old, you know, hardware servers, they try to use Kubernetes as well to make sure that it's going to be cloud native in this regard. But again, there are a lot of companies that I saw in Germany moving to the cloud, but it's at a really slow pace, basically.
But again, a lot of companies are just afraid of GDPR issues in general because of that.
And by the way, what about those sovereign clouds which are popping up everywhere now? Will they solve this GDPR incompatibility somehow?
Yes, because mostly, in the end, it is solving half of the questions, because the data is going to be stored within the European Union and not transferred to the US or Israel or whatever other countries; in this regard it doesn't matter.
But the question is still that a lot of companies are still going to be asking. For example, I met with Italian cloud providers offering a European sovereign provider, and a lot of German companies said, yeah, we want to have you, but you have to create a server here in Düsseldorf, otherwise..., and you want to make sure that the data is not going to be transferred to Italy. We just want it in Germany, that's all. And that's already making a lot of headaches for them as well. That's because of the GDPR, but again, the sovereign cloud is already solving the GDPR issues as well.
Even AWS is having their new server in Brandenburg as a way to be a European sovereign cloud as well. That's the case.
Okay, awesome. Well, thanks a lot, Ham.
Thank you so much.
Thank you.