Cloud Security is like Healthcare - An ounce of prevention is worth a pound of cure.

Last week, I happened to sit on a panel discussion about Cloud Governance in Healthcare – and one of the raging questions that took most of the Q & A time was …

In the IT world, where are you currently spending your budget and team effort? Remediating an issue in production, or preventing it?

- Remediate in production (Cure): 90%
- Roll out the fix all the way from the development environment to production (Prevention): 10%

But when I asked a slightly different question to the audience (most of whom worked in Healthcare IT):

What would you rather do? Take a disciplined approach to preserve your health (Prevention), OR be carefree every day and spend only when you become sick (Cure)?

- Prevention: 90%
- Cure (might even be too late): 20%

Such is the dichotomy between real-world health and information technology.

Setting Context

Traditional IT security practices have been marred by procedures that make agile DevOps teams cringe. Production remediation of workload configuration is just one of them. In this post, we will take a moment to list out the possible scenarios for Prevention vs Remediation.

Prevention: Before you begin a project, make a change, write a new script, or build a new data center, do you engage your mind and consider "What could go wrong?" It is essential to understand the threats and determine what controls should be put in place to prevent loss as a result of those threats. Prevention controls include items such as fault-tolerant designs and equipment selection, site location, access controls, training, automation, script design, call flow design, secure coding practices, quality assurance testing and change control.

Detection: Murphy's Law: if anything can go wrong, it will. I have seen great plans go up in smoke and huge problems result from the smallest of omissions and mistakes. One of the key elements in preventing something bad from becoming something worse is early and accurate detection. In a network or host-based environment, there are many tools that can provide essential monitoring of network devices and services. Routines, processes, and checklists can also be effective detection methods. In a physical environment, sensors and cameras are important, and in scripts and programs, logic can be built that validates proper behavior and sends alerts when deviations are found. One key element of detection is that there needs to be someone available to respond. Just saying that you are going to be 24/7 does not make it happen. It takes a concerted effort, planning and an attitude of "being available all the time".

Remediation: Despite your efforts to prevent and detect, things will happen, and now you have to get things back to normal. Typically in a High Availability environment, you have at least two of everything, and the systems are designed to fail over from a primary to a secondary system, or they are shared and one system simply begins doing all the work instead of a portion. So you did not go down, but you are not remediated! You still need to replace that failed device, and do so without loss of services. Preparation is key. Do you have the parts on hand? Do you have a maintenance agreement? Is your staff trained? What is the proper window to perform the needed work? If services were lost, do you have a communications plan? What were the financial and regulatory impacts? If you only begin to determine how to put things back together AFTER a problem, you are too late!

Recommendations

If a cyber attack hits an unprepared business, it can be a devastating event, causing a loss of productivity, loss of revenue, and even damage to the company's reputation. For malware attacks other than ransomware, remediation tools are useful for running a full scan and cleaning up damage after the infection. But the truth is this:

"The remediation-only approach will simply not protect against a major ransomware attack. Spending 80% of the effort on prevention + detection has a better yield than 80% on remediation."

How businesses benefit from proactive prevention

Threats continue to evolve, and traditional security solutions are almost rendered obsolete. In order to effectively block these threats, security has to evolve as well. Here's how the proactive approach benefits businesses:

1. It avoids risk and damage to endpoints.

With a proactive prevention tool, businesses see the value from the reduction in threat exposure. The less threat exposure, the less risk to the business.

2. It reduces/eliminates manual threat removal.

Forty-five percent of SANS survey respondents say that their prevention, detection, response and remediation processes are still mostly or completely manual. With a proactive prevention security tool, businesses eliminate the need for manual threat removal because threats are caught earlier and there are not as many remediation demands.

3. It reduces downtime.

The Osterman report found that more than 60 percent of attacks take organizations more than nine hours to remediate. This is because of the need to manually remove threats and, where necessary, re-image machines. Without the manual process, time to remediate, and therefore downtime, is significantly reduced.

4. It enables expert staff to focus on critical issues.

Remediation or reactive methods often require valuable resources and create a crisis due to the complexity of each threat. The administrator who removes the threats needs to have a certain level of expertise—often requiring skills that only a few have. In Frost & Sullivan’s 2015 Global Information Workforce Study, researchers predict that there will be a shortage of 1.5 million information security experts by 2020, so the pool of talent is only getting smaller.

The shortage of capable admins adds to the difficulty of threat removal, because it isn't always as easy as clicking one button to disinfect the entire network; it can take hours to days away from productive work. That time can be spent on more valuable projects when admins are given the ability to run periodic scans that proactively check for anomalies.

Tying this back to Cloudneeti

Cloudneeti is an assurance product intended to provide visibility and enforcement of cloud security, compliance, and privacy best practices.

Researchers and industry analysts agree that preventing misconfigurations (80% of threats prevented) and applying holistic best practices improves your risk profile significantly.
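The two ideas this post keeps returning to, building validation logic that flags deviations (the Detection paragraph above) and stopping a misconfiguration before it reaches production (this section), can both be expressed as a small policy-as-code check. The following is an added, illustrative example and not Cloudneeti's engine or any cloud provider's API: the resource schema (`type`, `name`, `properties`), the rule IDs and the sample plan are all constructed for the demonstration. `gate_deployment` is the prevention control (reject the plan), and `detect_drift` is the detection control (alert only on violations that were not in the approved baseline).

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Finding:
    resource: str   # name of the offending resource
    rule_id: str    # which hardening rule failed (constructed IDs)
    message: str    # human-readable reason


# Each check receives a resource's "properties" dict and returns a failure
# message when the resource violates the rule, or None when it is compliant.
def open_admin_ports(props: dict) -> Optional[str]:
    """Admin ports (SSH/RDP) must not be reachable from the whole internet."""
    for ing in props.get("ingress", []):
        if ing.get("cidr") == "0.0.0.0/0" and ing.get("port") in (22, 3389):
            return f"port {ing['port']} reachable from 0.0.0.0/0"
    return None


def public_bucket(props: dict) -> Optional[str]:
    return "public read access enabled" if props.get("public_read") else None


def unencrypted_disk(props: dict) -> Optional[str]:
    return None if props.get("encrypted", False) else "encryption at rest disabled"


def audit_logging_off(props: dict) -> Optional[str]:
    return None if props.get("logging", False) else "audit logging disabled"


# (rule_id, resource type the rule applies to, check function)
RULES: list[tuple[str, str, Callable[[dict], Optional[str]]]] = [
    ("NET-001", "security_group", open_admin_ports),
    ("STO-001", "bucket", public_bucket),
    ("STO-002", "disk", unencrypted_disk),
    ("LOG-001", "bucket", audit_logging_off),
]


def evaluate(resources: list[dict]) -> list[Finding]:
    """Run every applicable rule over every resource and collect violations."""
    findings = []
    for res in resources:
        for rule_id, rtype, check in RULES:
            if res["type"] != rtype:
                continue
            msg = check(res.get("properties", {}))
            if msg:
                findings.append(Finding(res["name"], rule_id, msg))
    return findings


def gate_deployment(plan: list[dict]) -> bool:
    """Prevention: a plan with any violation is rejected before it reaches production."""
    return not evaluate(plan)


def detect_drift(baseline: list[dict], live: list[dict]) -> list[Finding]:
    """Detection: violations in the live snapshot that the approved baseline
    did not have, i.e. the deviations worth paging someone about."""
    known = set(evaluate(baseline))
    return [f for f in evaluate(live) if f not in known]


# Constructed sample deployment plan (not real infrastructure).
SAMPLE_PLAN = [
    {"type": "security_group", "name": "web-sg",
     "properties": {"ingress": [{"port": 443, "cidr": "0.0.0.0/0"},
                                {"port": 22, "cidr": "0.0.0.0/0"}]}},
    {"type": "bucket", "name": "phi-exports",
     "properties": {"public_read": True, "logging": True}},
    {"type": "disk", "name": "db-data", "properties": {"encrypted": True}},
]


def hardened(plan: list[dict]) -> list[dict]:
    """Constructed 'after' version of the plan with the two violations fixed."""
    fixed = [dict(r, properties=dict(r["properties"])) for r in plan]
    fixed[0]["properties"]["ingress"] = [{"port": 443, "cidr": "0.0.0.0/0"},
                                        {"port": 22, "cidr": "10.0.0.0/8"}]
    fixed[1]["properties"]["public_read"] = False
    return fixed


if __name__ == "__main__":
    for f in evaluate(SAMPLE_PLAN):
        print(f"[{f.rule_id}] {f.resource}: {f.message}")
    print("deploy allowed:", gate_deployment(SAMPLE_PLAN))            # False
    print("deploy allowed:", gate_deployment(hardened(SAMPLE_PLAN)))  # True
```

Running the same rule set in two places is the point: in the pipeline, `gate_deployment` makes a misconfiguration a failed build rather than a production incident, and on a schedule against a live inventory, `detect_drift` turns the Detection paragraph's "validate proper behavior and alert on deviations" into an alert that fires only for what changed since the last approved state, so responders are not buried in findings they already accepted.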