Some five years back, Don Anderson, CIO at the Federal Reserve Bank of Boston, sat down for the first time with the organization’s chief risk officer. As the IT head of one of the Fed’s 12 regional banks, he was there to provide input on risk, as part of an initiative to create an enterprise risk management framework.
When the CRO asked Anderson what he considered his top risks, he said, simply, “cybersecurity.” She laughed, explaining that it may be one of his problems, but it wasn’t an organizational risk. When they met the following year and he gave the same answer, she suggested he come up with a more creative response.
But nobody was laughing six weeks later, when someone breached defenses and made off with the entire HR database. “In that breach, the personal data — PII and account numbers — of 22,000 current and 60,000 retired employees was leaked,” said Anderson, during his presentation at the 2019 CyberCrime Symposium. The CRO admitted he’d been right, and said cybersecurity was now on the list of organizational risks, coming in at #10.
The next year, following another breach, it climbed to #7, and the year after, reached #3. “Now, two years later, cybersecurity’s the #1 risk across the entire Federal Reserve System,” Anderson said.
In fact, Fed Chair Jay Powell surprised observers when he admitted as much during a 2019 60 Minutes interview. “Of the risks we face, cyber-risk is certainly the largest,” Powell said. “It’s a relatively new kind of risk, and the defense playbook is being developed in real-time.”
If cyber is a top risk for the Fed, cyber-resilience is a top security objective. The organization allocates $2 billion annually to the IT function, and “we spend a ton of money on cybersecurity products” to harden defenses, said Anderson. In modern cyber-warfare, though, cybersecurity can’t go it alone. Enter risk-based resiliency, which prioritizes applications and systems so they’ll be properly protected.
As the nation’s central bank, the Fed must be able to recover rapidly following an attack while still providing the availability that business continuity requires. In his session, Anderson discussed ways organizations can make the cloud part of their resiliency strategies.
Confounded by Configuration
Today, cyber-risk “isn’t just about security and incidents — it's also about resiliency,” said Anderson. In fact, at the 2017 CyberCrime Symposium where he gave a presentation on digital disruption, he declared that “cyber-resilience is huge.” At that time, his team had already made significant progress in its resiliency efforts, having just completed a project that lets them run multiple hot sites simultaneously, and move critical applications and workloads around the country as needed.
Since then, the group has continued to improve its on-premise resiliency and has defined ways it can leverage the cloud to handle some of that load.
The Fed is already leveraging the cloud on a number of other fronts. They’re using SaaS for hundreds of non-critical applications, and are migrating to a cloud-based ERP platform, freeing themselves from 45 customized applications while enjoying the agility, analytics, and automation of the cloud.
But such advances weren’t conflict-free. When cloud adoption accelerated, big CSPs — AWS, Azure, Google — entered the market, kicking off consolidation. As platforms and services matured, they suffered the usual growing pains. In this case, those included some high-profile outages.
“When outages occur, management inevitably points to them as proof that the cloud can’t possibly be secure or resilient,” said Anderson. In most cases, though, these outages resulted from users making configuration errors.
To leverage the cloud’s capabilities securely, organizations need people with the configuration skills to avoid such mistakes, because misconfigurations are as much of a threat to cybersecurity and resilience as cyber-attacks are. They also need to recognize that the cloud, while offering resiliency options, can introduce new risks, said Anderson.
Roads to Resilience
For on-premise resiliency, the Fed security group had to consider three fully redundant data centers spread across the country, multiple servers, and some 6,000 applications.
A couple of years ago, they identified their 50 most-critical applications, prioritized them, and assessed their vulnerability exposure. In deciding which apps would benefit from their real-time failover and data synchronization technologies, they quickly abandoned the idea of including the entire portfolio.
“It’s very expensive and difficult to manage, so only 10 or so applications have real-time failover,” said Anderson. These are the applications that process trillions of dollars in transactions every day. For less-critical applications, the failover time is typically a few seconds, according to Anderson.
On-premise resiliency typically covers:
- Multiple data centers
- Multiple servers/instances
- Real-time and standard site/server failover
- Real-time and standard server-to-server/site-to-site replication
Traditional real-time failover solutions have lots of capabilities, said Anderson, but “you end up spending a lot of money while only leveraging some of their functionality and features.”
Meanwhile, Anderson said, cloud providers offer them essentially the same real-time failover and replication capabilities, but generally at a lower cost. Further, AWS and Azure, for instance, offer distinct availability zones, so even if they’re in the same physical location, each has its own power, cooling, and connectivity, said Anderson.
Getting to Know You
But the cloud’s not without its own resiliency downsides. Many CSPs offer failover and replication, but they’re implemented for the specific customer and priced accordingly. Further, their availability services aren’t offered in every data center zone.
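The two constraints just described (replicas must sit in distinct availability zones, and a zone only helps if it actually offers the availability service the application’s tier requires, with real-time failover reserved for the handful of top-tier applications) are the kind of thing worth checking mechanically before a migration plan is signed off. The following is an added illustration written for this post, not code from the Fed or from Anderson’s talk; the zone names, the per-zone service catalogue and the application list are all constructed.

```python
"""Resiliency-plan check: flags applications whose placement would not deliver
the failover or replication their tier requires.  Zone names, the service
catalogue and the sample applications are constructed for illustration."""
from dataclasses import dataclass, field

# Constructed catalogue of which availability services each hypothetical zone
# offers.  In a real plan this would come from the provider's documentation.
ZONE_SERVICES = {
    "east-1a": {"realtime_failover", "replication"},
    "east-1b": {"realtime_failover", "replication"},
    "west-2a": {"replication"},           # no real-time failover offered here
    "west-2b": {"replication"},
}


@dataclass
class App:
    name: str
    tier: int                                # 1 = transaction-critical
    zones: list = field(default_factory=list)  # zones holding an instance


def required_services(app):
    """Tier-1 apps need real-time failover plus replication; the rest
    get standard replication only (mirrors the prioritization in the post)."""
    if app.tier == 1:
        return {"realtime_failover", "replication"}
    return {"replication"}


def check_plan(apps, zone_services=ZONE_SERVICES):
    """Return {app name: [findings]}; an empty list means the placement passes."""
    findings = {}
    for app in apps:
        issues = []
        # Two instances in the same zone share power, cooling and connectivity,
        # so only distinct zones count toward redundancy.
        if len(set(app.zones)) < 2:
            issues.append("fewer than two distinct availability zones")
        for zone in app.zones:
            # An unknown zone offers nothing we can rely on.
            missing = required_services(app) - zone_services.get(zone, set())
            if missing:
                issues.append(f"zone {zone} lacks {', '.join(sorted(missing))}")
        findings[app.name] = issues
    return findings


def sample_plan():
    """Constructed sample: one sound placement and two flawed ones."""
    return [
        App("payments", 1, ["east-1a", "east-1b"]),   # passes
        App("settlement", 1, ["east-1a", "west-2a"]), # west-2a lacks failover
        App("reporting", 3, ["west-2a"]),             # single zone
    ]


if __name__ == "__main__":
    for name, issues in check_plan(sample_plan()).items():
        print(name, "OK" if not issues else "; ".join(issues))
```

Running the script prints one line per application; only "payments" passes, because "settlement" has a replica in a zone that does not offer real-time failover and "reporting" is deployed in a single zone. The check is deliberately conservative: an unknown zone is treated as offering no services at all, so a typo in a zone name surfaces as a finding rather than silently passing.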
When developing a resiliency strategy, it’s critical that organizations considering cloud options understand who they’re working with, what they’re running, and who’s responsible for securing what.
Anderson cited an organization that moved their entire data center to an IaaS provider wholesale, without any strategy, much less planning. “They had taken their data center — their entire business operation — and moved it out to the cloud, not realizing that they still had to maintain licenses, patch servers and middleware, and monitor everything,” he said.
The message: Don’t be that company. In addition to practicing all the basic security controls they ignored, provide employees with security-awareness training, regularly test their cyber-savvy through phishing and other exercises, and reward them for good security hygiene.
It’s a slap in the face to IT veterans managing locked-down data centers, but they just can’t compete with CSPs on the security front. “Security in the cloud is a lot stronger than on-premise security,” said Anderson.
Further, AWS, Azure, and Google enjoy enormous economies of scale, which lowers the entry barriers for companies of any size. And if that’s not enough, their size translates to rapid innovation, services with cool functionality, and frequently updated feature sets.
This is the fourth in our series of posts presenting key takeaways from our 2019 CyberCrime Symposium, held Oct. 17-18. The program — Cloud Security — featured an incredible line-up of speakers. If you couldn’t get a seat at the event or want a refresher on various sessions, don’t miss upcoming installments.