
Technology

How to address cybersecurity when migrating to the cloud


Moxtra’s chief technology officer discusses cloud security and some of the main pitfalls that businesses should avoid.


Migrating to the cloud is far from a new concept. However, the last year has accelerated digital transformation across virtually every industry, dispersing much of the global workforce and decentralising much of the on-premise infrastructure we had been used to.

This has invigorated discussions around creating proper cloud strategies and solutions. However, it also comes at a time when cyberattacks are on the rise, taking advantage of the systems that were forced to go remote overnight, as well as much larger attacks. Most recently, there were the major attacks on a major gas pipeline in the US and the massive cyberattack on Ireland’s Health Service Executive (HSE).

With the adoption of cloud and the discussion of cybersecurity both reaching new levels, what do businesses need to think about in terms of protecting the information they move into the cloud?

“Businesses assume that every asset can be or should be protected against every possible threat. It is not realistic for businesses to cover every single asset with ultimate security,” said Stanley Huang, co-founder and CTO of cloud-based software company, Moxtra.

“The question that should be asked is ‘what do we want to protect?’ rather than ‘how can we protect everything?’ Companies need to prioritise their most essential assets and determine a strategy to protect them, by defining not only what needs protection, but also what level of protection each asset will need.”


Huang said when it comes to cloud security, there is often a disconnect between a business recognising security needs and receiving strategic, well-planned security coverage.

“This stems from the issue of many businesses only focusing on the technical aspects when implementing cloud security,” he said.

“For example, what kind of cloud computing service are we using, what is good about it, what is not good, what technology does it use, how well does it work for users? While this is all important to understand, these considerations should come after you determine how security fits into the bigger picture.”

He said that many businesses often bypass the step of scoping a security strategy before implementing cloud technology, but this step is vital when it comes to mitigating risk while migrating to the cloud.

Advice for ensuring good cloud security

Huang suggested that businesses identify or hire a security task force owner internally, who is responsible for defining the security strategy at the company level.

“This person must be a good organiser with a technical background but does not necessarily need to be a security expert. In addition, a third-party consulting service with security expertise can work with the internal organiser to define a specific security strategy for your business,” he said.


“You must be realistic about whether the execution is doable and cost-efficient. Going through this in the early stage and then defining the scope is best for small businesses, as they do not have expertise to do everything. As a business owner, you must understand how your business operates, and then collaborate with the help of other parties to discuss what asset and how secure it is to create an overall map about how your business should use the cloud service.”


Stanley Huang. Image: Moxtra

Aside from thinking they can protect everything to the highest possible level, Huang said another common mistake companies make is thinking that they can buy company-level cloud computing security from each of their cloud service vendors.

“You cannot just buy security from a vendor. While the vendor can provide the security solution, as a business owner, you need to think differently about how to leverage that solution and make the best decision for your business.”

In practice, this means a cloud vendor can provide a certain security solution such as multifactor authentication, ensuring that the people who are logging in are who they claim to be through various verification methods.

However, it is up to the company itself to ensure that employees who leave no longer have access to these data repositories.

“The vendor has done its job by making sure the employee’s email and password matches and requiring sign-on, but the business owner needs to ensure that employees verify employment status through a centralised system, and that only current employees have access to company data,” he said.

Another misconception Huang warned against is the idea that a business can simply leverage a third-party security consultant company to provide it with a secure cloud computing environment.

“As I discussed earlier, a business cannot just purchase a technical solution and expect it to protect its data. Businesses need to define the scope of their security plan and prioritise levels of security. Only after this is done should businesses be investing in third-party consulting and purchasing security solutions.”

Education is key

When it comes to cybersecurity, cloud-based or otherwise, CIOs and CTOs alike cite education of staff as a key component of protecting data.

Time and time again, infosec experts and IT surveys have highlighted human error as a major risk when it comes to cyberattacks. But it’s one thing to simply say workers need to be better educated about cybersecurity and another to suggest how to go about it.

“I believe that collaborating with experts is the most effective way to advance the education of your staff. By splitting up responsibilities and educating people with a different focus based on their role, employees are able to build a whole vision of a security map when they collaborate,” said Huang.

“I believe the most critical part of education is working in collaboration with other parties to determine the target of the desired cloud computing security, and then defining the strategy and executing it properly. This is more of a high-level sort of education, but without this, not much else matters.”


Privacy proves elusive in Google’s Privacy Sandbox • The Register


Google’s effort to build a “Privacy Sandbox” – a set of technologies for delivering personalized ads online without the tracking problems presented by cookie-based advertising – continues to struggle with its promise of privacy.

The Privacy Sandbox consists of a set of web technology proposals with bird-themed names intended to aim interest-based ads at groups rather than individuals.

Much of this ad-related data processing is intended to occur within the browsers of internet users, to keep personal information from being spirited away to remote servers where it might be misused.

So, simply put, the aim is to ensure decisions made on which ads you’ll see, based on your interests, take place in your browser rather than in some backend systems processing your data.

Google launched the initiative in 2019 after competing browser makers began blocking third-party cookies – the traditional way to deliver targeted ads and track internet users – and government regulators around the globe began tightening privacy rules.

The ad biz initially hoped that it would be able to develop a replacement for cookie-based ad targeting by the end of 2021.

But after last month concluding the trial of its flawed FLoC – Federated Learning of Cohorts – to send the spec back for further refinement and pushing back its timeline for replacing third-party cookies with Privacy Sandbox specs, Google now acknowledges that its purportedly privacy-protective remarketing proposal FLEDGE – First Locally-Executed Decision over Groups Experiment – also needs a tweak to prevent the technology from being used to track people online.

On Wednesday, John Mooring, senior software engineer at Microsoft, opened an issue in the GitHub repository for Turtledove (now known as FLEDGE) to describe a conceptual attack that would allow someone to craft code on webpages to use FLEDGE to track people across different websites.

That runs contrary to its very purpose. FLEDGE is supposed to enable remarketing – for example, a web store using a visitor’s interest in a book to present an ad for that book on a third-party website – without tracking the visitor through a personal identifier.

Michael Kleber, the Google mathematician overseeing the construction of Privacy Sandbox specs, acknowledged that the sample code could be abused to create an identifier in situations where there’s no ad competition.

“This is indeed the natural fingerprinting concern associated with the one-bit leak, which FLEDGE will need to protect against in some way,” he said, suggesting technical interventions and abuse detection as possible paths to resolve the privacy leak. “We certainly need some approach to this problem before the removal of third-party cookies in Chrome.”

In an email to The Register, Dr Lukasz Olejnik, independent privacy researcher and consultant, emphasized the need to ensure that the Privacy Sandbox does not leak from the outset.


“Among the goals of Privacy Sandbox is to make advertising more civilized, specifically privacy-proofed,” said Olejnik. “To achieve this overarching goal, plenty of changes must be introduced. But it will all be futile if the candidates for replacements are not having an adequate privacy level on their own. This is why the APIs would need to be really well designed, and specifications crystal-clear, considering broad privacy threat models.”

The problem as Olejnik sees it is that the privacy characteristics of the technology being proposed are not yet well understood. And given the timeline for this technology and revenue that depends on it – the global digital ad spend this year is expected to reach $455bn – he argues data privacy leaks need to be identified in advance so they can be adequately dealt with.

“This particular risk – the so-called one-bit leak issue – has been known since 2020,” Olejnik said. “I expect that a solution to this problem will be found in the fusion of API design (i.e. Turtledove and Fenced Frames), implementation level, and the auditing manner – active search for potential misuses.

“But this particular issue indeed looks serious – a new and claimed privacy-friendly solution should not be introduced while being aware of such a design issue. In this sense, it’s a show-stopper, but one that is hopefully possible to duly address in time.” ®


Government plans €10m in funding for green and digital business projects


The Government and Enterprise Ireland are providing two funds to regional Irish businesses in a bid to help them transition to a greener, digital economy.

The Government has today (29 July) announced it will provide €10m in funding through Enterprise Ireland to projects supporting digitalisation and the transition to a green economy.

The Regional Enterprise Transition Scheme, worth €9.5m, will provide grant funding to regional and community-based projects focused on helping enterprises to adapt to the changing economic landscape due to Covid-19 and Brexit.

Leo Clancy, CEO, Enterprise Ireland said: “The Regional Enterprise Transition Scheme is aimed at supporting regional development and the regional business eco-system, helping to create and sustain jobs in the regions impacted by Covid-19.”

Grants of up to €1.8m or 80pc of project cost are available to businesses. The projects should aim to address the impact of Covid-19 and improve the capability and competitiveness of regional enterprises.

The call for the Regional Enterprise Transition Scheme will close on 8 September 2021. The successful projects will be announced in October and all funding will be provided to the successful applicants before the end of the year.


A separate funding scheme, the €500,000 Feasibility Study fund, will provide financial support to early-stage regional enterprise development projects.

Launching the funding schemes, Minister of State for Trade Promotion, Digital and Company Regulation, Robert Troy TD said the funds would “help stimulate transformational regional projects to support enterprises embrace the opportunities of digitalisation, the green economy as well as navigate the changed landscape arising from Covid-19.”

Minister of State for Business, Employment and Retail, Damien English TD commented at the launch that the funds would help “build Covid-19 and Brexit resilience and enable applicants to support enterprises and SMEs to respond to recent economic and market challenges which also includes the transition to a low carbon economy, digital transformation and smart specialisation.”

The Feasibility Fund is open to new projects, with grants available of up to €50,000 or 50pc of project cost and will allow promoters to test their project concept and deliver virtual or site-based solutions to their target audience.

Applications for the Feasibility Fund close on 1st October 2021.

For more information and details on how to apply for the funds, see here and here.


CEOs told to ‘think before they tweet’ after Just Eat spat with Uber | Twitter


Chief executives are being warned to “think twice before they tweet” after the boss of takeaway company Just Eat Takeaway was told his Twitter spat with Uber threatened to undermine the firm’s reputation.

Jitse Groen this week became the latest in a growing list of chief executives to be rebuked by customers, investors and even regulators over ill-judged tweets.

Cat Rock Capital Management, an activist investor which has a 4.7% stake in Just Eat, highlighted Groen’s Twitter battle with Uber boss Dara Khosrowshahi as an example of outbursts that damaged the brand. The investor said Groen’s tweets had partly led to the firm being “deeply undervalued and vulnerable to takeover bids at far below its intrinsic value”.

Earlier this year Groen had a rant at financial analysts on Twitter, claiming that “some can’t even do basic maths”. He tweeted that he was “amazed how bad these analysts have become … All of them mix up definitions. It’s unbelievable.”

Brand and marketing expert Mark Borkowski said Groen’s case highlighted the difficulty executives face when trying to engage with customers on the platform.

“Everyone sees Twitter as a huge marketing opportunity that can drive a business forward, and it really can,” Borkowski said. “But these bosses must stop and think twice before they tweet, as just one misjudged tweet can send their share price plunging.”

Possibly the most expensive tweets ever sent were posted by Elon Musk, the maverick boss of electric car company Tesla, in 2018. The US Securities and Exchange Commission fined Musk and Tesla $20m each after he tweeted that he had “funding secured” to take the company private at $420 a share. The regulator said the tweet, which sent Tesla’s share price up by as much as 13%, violated securities law. As part of the settlement, Musk was ordered to step down as Tesla’s chairman.

Musk’s tweets continued to anger some investors. Pirc, an influential adviser to shareholders including the UK’s local authority pension funds, last year recommended that investors voted against Musk’s re-election to the Tesla board because his tweets posed “a serious risk of reputational harm to the company and its shareholders”.

Pirc said his controversial outbursts on Twitter had cost Tesla millions of dollars in settlements, but Musk easily won the vote, and has continued to tweet several times a day to his 59 million followers.

“Twitter is all about personality,” Borkowski said. “While Musk’s tweets can be very controversial, they fit with his brand. Twitter is perfect for renegades, mavericks and disruptor brands. It’s much harder for well-established brands with solid reputations, if something goes wrong for them they risk damage to their hard-earned brand.

“People now think that to run a successful business, you have to be on social media and every brand has to have a Twitter account,” he said. “The chief executives see that the bosses of their rivals have a Twitter profile, and they feel they have to have one too.”

Borkowski said some bosses have been very successful at building a presence and personality on Twitter, and using their platforms to promote social issues such as LGBTQ+ rights and the Black Lives Matter movement (as well as promote their brand and products).

James Timpson, the chief executive of cobbler Timpson, this week celebrated passing 100,000 followers on his account on which he weaves photos of his colleagues working in shops with posts tackling tax avoidance and prisoner reform.

This week, he responded to Boris Johnson’s proposal to create “fluorescent-jacketed chain gangs” of people found guilty of antisocial behaviour with a tweet suggesting offenders should be helped into work instead.

Tim Cook, the chief executive of Apple, has won praise for using Twitter to successfully pressure the governor of Indiana into revising proposed legislation that had threatened to allow discrimination against gay people on religious grounds.

Researchers at Harvard Business School and Duke University said Cook “effectively framed the debate using social media at a time when opinions were being formed and the impact went beyond the political”.

Borkowski suggested that before chief executives tweet they should “consider whether they have the personality and temperament to get the tone right each time”.

“There is nothing more inelegant than a chief executive going after rivals publicly on Twitter,” he said.


It was exactly that sort of behaviour that Cat Rock had accused Groen of undertaking. When Uber Eats announced earlier this year that it would take on Just Eat in Germany, Groen lashed out in a tweet directed at Khosrowshahi, accusing him of “trying to depress our share price”.

Khosrowshahi replied that perhaps Groen should “pay a little less attention to your short term stock price and more attention to your Tech and Ops”. That sparked Groen to reply “thank you for the advice, and then if I may .. Start paying taxes, minimum wage and social security premiums before giving a founder advice on how he should run his business”.

Alex Captain, Cat Rock’s founder, said: “The response should not happen on Twitter. It should happen on a credible forum with the facts, data, and analysis that the company has at its disposal.”

A Just Eat spokesperson said: “Just Eat Takeaway.com has a regular dialogue with all its shareholders and we take all their views very seriously.”


