I'm going to talk about how we perceive cyber security risks, how that applies to cloud security, and what we learned in the last few years. If I had to give some background story for myself, I think the camera shot would be me walking into the elevator and first pressing the close-the-doors button before I press the level, because that's a tiny bit faster. So I have the tension between security and efficiency within myself.
So that's been one of the key things for me: trying to understand how we can be secure in a way that we are not hampering innovation and can move fast. And in that, the hard question, I think, is understanding what's the right amount of security. And I think that's a data problem.
And I think we have issues there. Just to give you an idea: I think the thing you've seen for the last few days is maybe Mark getting hacked, ransomware, somewhere around 50 million. The problem is that what we are not going to see is how much they actually end up paying, because usually we see how much they demand, but because insurance companies are highly incentivized to lower those amounts, they will actually get a much lower amount.
Actually, the interesting statistic there, if I get this right from the top of my head, from last year: the average loss from a ransomware attack has been about 2.8 million. And from that, the ransom was 200,000.
The rest went to people like me in cyber security, and marketing, and everybody else. What do I mean when I say people like me in cyber security? So I'm coming from a technical background, pen testing and exploitation, and eventually went into what is now known as DevOps, and I've been a consultant for fintechs and startups, usually building up their cybersecurity program and risk management, implementing some of these, getting their teams up to speed and getting their teams on board.
Currently, I'm doing this for real.digital, as an employee. I'm the head of IT security there. You might probably not have heard about the company, but this is the small group of people that are behind Kaufland.de. So as you might guess, it's part of a bigger retail group.
And we are focusing on their online shop, which has tens of millions of active users. So it's a pretty big marketplace by now. At the same time, on top of DevOps and security strategy, as I said, my main focus has been trying to find the right amount of security and understanding what justified security would look like.
That's what I do in one of my side projects that I'm shamelessly plugging here, inthewild.io, where we are giving alerts on exploited vulnerabilities, so people know what to look out for. Why do I think that there's a data problem?
I think it looks obvious: risk equals likelihood times impact. The problem is that there's very little feedback.
Luckily, we don't get hacked too often. And especially, we don't know about the other side. We don't know why we don't get hacked. Is it because we built up some really great technical controls, or because we got lucky, or nobody actually tries to exploit those problems? And on top of that, we've got all the availability and confirmation bias that comes from all these media sources, which comes on top of this.
Like, if you're starting a security company now, just research a nice vulnerability, and then you're going to get instant publicity. I highly recommend one thing that really changed my life in IT security:
reading more Cormac Herley. He's digging into data, and he's been one of the instrumental people behind making password policies simpler, because over time we understood that complexity requirements actually don't help security but actually hamper it.
So what's the data about cloud? Luckily, we've got similar data to what we had for the password complexity questions, so now we know what actually happened. I did quite some research to figure out what we were afraid of in the beginning. I think AWS has been around for over 15 years now. Obviously some of our worries did totally pan out, and I'm not going to go into a lot of details, but what I tried to give you here is a few examples and some of the overarching patterns that you can use to make better decisions when you have to make your cybersecurity investments.
So the things that we expected to happen that never happened are attacks on physical security, attackers getting their hands on the devices that AWS runs your servers on, or even insider attacks by employees of these cloud service providers. There's not been a major breach that is related to that. Or, later on, attacks against virtualization: Spectre and Meltdown came, and cross-tenant attacks and attacks against virtualization were a big fear.
Again, no large-scale breach really ever happened based on that. What really happens is silly misconfigurations. I think everybody's bane is all the misconfigured cloud storage that's been plaguing all the cloud solutions, and publicly available databases, and classic account compromise. Now it's more access tokens and admin accounts, but it's pretty much the same that we've seen before.
So what does it say about the expectations that you should have about cloud security? Expectation number one, and I recognize the second part might be a bit contentious: complex attacks rarely happen, because cyber crime doesn't really pay. What I mean by that:
and I think there's an asterisk there for all the ransomware people, but the larger story is, I don't know if you're aware of this, but GitLab had a vulnerability a few months ago that allowed attackers to hack the source code repositories. If you spend a minute thinking about what could happen if somebody hacked your source code repository, if you have as colorful an imagination and as much paranoia as I have, then it's the end of the world, but what really happened is that they used it in a botnet.
So it turns out they cannot really easily monetize a number of these attacks. A similar thing, it's not really a hack, but good luck explaining that to the journalists, and, in all fairness, it's also not great for your users: LinkedIn's data got leaked because some people scraped LinkedIn and just got all the phone numbers and email addresses out of it. 97% of LinkedIn user data. If you had to guess how much it's worth, they were asking $5,000 for it. So it's not a lot of money.
I don't think that anybody would really want to spend their weekend trying to scrape LinkedIn for that type of money. The other thing is that we've got all these nice graphs of the responsibility models of cloud. That doesn't really matter for the attackers; if their attacks still work, they're not going to be incentivized to do anything else, they're probably just going to stick to the attacks that are already there. So I would say the baseline assumption that more of the same is going to happen in new places seems to pan out in cloud security.
I wanted to talk a bit about the other part that you should keep in mind when you're thinking about cloud security strategy and decision making. What's the positive? So what we expected is that these cloud service providers are going to have kick-ass security teams.
And that's definitely the case. If you were following SolarWinds, you know, in their implant there was a blacklist for Microsoft, because they knew that if they were working on Microsoft machines, then they have a great security team and likely they'd get caught. So no doubt that part worked out as we expected, but I think there are two other main things that are security gains from the cloud that are more often overlooked.
I think one of them is that it's much easier to add on security than it used to be in the old environments, because the infrastructure and the services that the providers built are more modular. It's also easier to adopt new technology, because of the same reason.
And it seems like newer, more recent technology seems to be more secure. So I think those are benefits that are not often talked about, that you should keep in mind when you're trying to gauge the risk and benefit of the different cloud projects you have.
I believe that's because security really only advanced when a big player cleaned up a solution and then pushed it on the whole of the industry. And it was so good that we never missed the old solutions that were unsafe. The flexibility that was reduced was not in places that we were really using. I'm a pen tester.
Most of the time when I was doing pen testing back then, I used the parts of APIs that nobody else was using. It was just there, but actually it was never needed.
And also, same thing: I think great security is not built by great security teams. It's built by great engineers. So the engineers at Google and AWS, they do great work at engineering. So most of the things that they build eventually are going to be great. And there's a little asterisk there: eventually.
So it's not great to jump on these solutions immediately. My experience has been, even with these big providers, in the beginning their solutions are probably not going to be super safe, but eventually they are going to build great things that happen to be secure. So I think the mantra in security these days is security as a business enabler. I kind of look at it the other way around in cloud.
I think business is a security enabler, because a lot of these new technologies that we're pushing out happen to be more secure, but it's also great for business and hence it's more useful. So I think you cannot escape a bit of mindfulness, even in a security presentation. So I kind of turn to what's happening in your mind when you read the next article or talk to the salesmen and they are asking you: how do you secure your cloud-native serverless Kubernetes payloads on hybrid setups, or whatever is the new fancy term?
So what's happening there is you think: oh, we are still stuck with the old stuff. I know that's happening and it's not great. We haven't looked at it. And then the next step is: in security, unknown unknowns are bad. Next step: it's horrible, I have to do something about it. Let's buy a box. Okay.
No, it's 2021. So let's buy a SaaS solution, or get a managed service provider. But that's the usual thinking there. This is where I tell you to be not afraid. So based on what I just told you, I think the basic things that you can keep in mind are that most of the risks are going to be more of the same. I'm not saying that it's a hundred percent true, because things do move faster in the cloud.
There are going to be complications there, but in terms of what you can expect to happen in terms of attacks, I think it's fair to say that most of the things that you should expect, if you don't know about the buzzword that the article is about, are probably going to be more of the same. The other thing that you can lean on is that you can expect that most of these cloud providers, if you're not using their cutting-edge, newest solutions, are going to build safe products.
So as we talked about cloud storage: I think cloud storage 15 years ago, by default, was public. And that's how everybody made the mistake. It was not easy to make it private, because it was hard to access it. Now you have to jump through hoops to be able to make it totally public, and it's super easy to access it programmatically. So they are doing a good job of making it easy for you to do a good job.
The other big thing is, if you didn't do a good job, the good thing is that in cloud it's easier to bolt security on. So you can more easily add some extra layers of security, because all that pain that you had before with migrations, now that Google's paying and Amazon's paying and a lot of them have the scale to see what problems each of the clients have with different migrations, they have the engineering to make sure that you likely don't run into those problems. So I think that's what I wanted to rush through. And with that, I give you some time for questions.
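The talk's "more of the same" risk, misconfigured cloud storage, is something a defender can check for mechanically. The following is an added example, not from the talk or the speaker: it evaluates a constructed S3 bucket policy document for anonymous read grants and combines that with the account-level Public Access Block settings the speaker alludes to ("jump through hoops to make it public"). Bucket names, the account id and the role ARN are constructed sample values; real S3 policy evaluation has more cases (ACLs, conditions, cross-account trust) than this check covers.

```python
import json

# Constructed sample: the classic "public by default" mistake the talk describes.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-bucket/*"}]})

# Constructed sample: same bucket, read access scoped to one IAM role.
PRIVATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AppRead", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
                   "Action": ["s3:GetObject"],
                   "Resource": "arn:aws:s3:::example-bucket/*"}]})

# The four switches of the S3 Public Access Block feature, all enabled
# (the "hoops" a bucket owner must now remove to make data public).
PUBLIC_ACCESS_BLOCK = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                       "BlockPublicPolicy": True, "RestrictPublicBuckets": True}


def _is_anonymous(principal):
    """True if the principal means 'anyone': "*" or {"AWS": "*"} (string or list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def public_read_statements(policy_json):
    """Sids of Allow statements granting object read to anonymous principals.
    Conditions are deliberately not evaluated: a conditioned public grant is
    still flagged for a human to review (conservative, no false negatives)."""
    doc = json.loads(policy_json)
    flagged = []
    for st in doc.get("Statement", []):
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        grants_read = any(a.lower() in ("s3:getobject", "s3:*", "*") for a in actions)
        if st.get("Effect") == "Allow" and grants_read and _is_anonymous(st.get("Principal")):
            flagged.append(st.get("Sid", "<no Sid>"))
    return flagged


def bucket_exposed(policy_json, public_access_block):
    """Exposed only if the policy grants anonymous read AND the account-level
    BlockPublicPolicy/RestrictPublicBuckets guards are not both enabled."""
    guarded = bool(public_access_block.get("BlockPublicPolicy")
                   and public_access_block.get("RestrictPublicBuckets"))
    return bool(public_read_statements(policy_json)) and not guarded
```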