* By Lauro de Lauro
It has been almost fifteen years since the first public cloud was launched and, to this day, many companies that consume the services of storage providers still do not realize that the security of the platform is a responsibility shared between the Cloud Provider and the customer. One of the main gains of this model is a reduction in the customer's operational costs, since the Cloud Provider operates, manages and controls the components of the physical network, the infrastructure, the virtualization layer and the physical security of the facilities.
Thus, the customer assumes management of and responsibility for the operating system (including updates and security patches), for other application software associated with the environment, and for the firewall configuration of the security group provided. But, for security experts, it is very clear that tools and protection systems do not do the job alone; they require a great team. Lacking such a team leaves companies with huge gaps in their defenses that can be exploited by hackers and greatly impact application uptime and business agility.
Analyzing the main causes of losses to companies, we see that they are concentrated in two structural pillars of security: the application of best practices and periodic vulnerability assessments. Both pillars are tied to playbooks (processes), which guarantee that conduct is validated, as well as to compliance procedures and audit checks.
Every day, new security and vulnerability validation tools are created, many of them using artificial intelligence, but they still do not replace a great team that knows how to evaluate whether best practices are being applied and whether all the information is being collected and transformed into specific knowledge for each company's environment. Playbooks combined with these powerful tools can handle everything from simple errors in the configuration of cloud security controls, which are still the main cause of risk and breach, to continuous validation of compliance and policy control.
What we still experience today in Brazil is a widespread lack of awareness among IT teams regarding the adoption of basic security policies. We know the damage caused by ransomware, a very common threat widely used by hackers, and we know that protection exists. Why do companies still suffer from this threat? It is not a technological problem, but a failure to follow a basic playbook for checking the environment's vulnerabilities and to adopt anti-ransomware protection.
With the adoption of security policies, several data leak incidents could have been avoided. Basic principles can guarantee an excellent level of data protection. In addition, it is important to make clear the intrinsic relationship between cyber security and regulations such as the General Data Protection Law, the LGPD. Articles 8 and 46 and paragraph 1 of article 52 of Law 13709/18 make it clear that companies need to adopt technical and administrative security measures to protect personal data from possible security incidents, and also provide for the mitigation of administrative sanctions against companies that demonstrate that they have adopted internal mechanisms and procedures capable of minimizing any damage caused by information security incidents. Thus, as of the implementation of the LGPD, a security process to mitigate incidents and protect data is a legal requirement.
I conclude here with a question that must be frequently answered: is security only for companies that have a large IT budget? Absolutely not! Today, with cloud security services and the various companies specializing in protection, costs are a fraction of what we had a few years ago. There is no point in risking running out.
* Lauro de Lauro is an entrepreneur who is passionate about technology. As an investor, consultant and director of companies for over 35 years, he combines technological knowledge with commercial and marketing experience to innovate and add value. His résumé includes serving as COO (Chief Operating Officer) at Sky.One, Marketing Director at ABES - Brazilian Association of the Software Industry, Director of Product Marketing at UOL DIVEO, founder of Dualtec Informática SA and Chief Technology Officer (CTO) of Agência Estado (SA O Estado de S. Paulo). A lecturer and debater on digital transformation, cloud computing and SaaS, he is an enthusiast of agile methodologies and has written several white papers. Lauro studied physics at the Pontifical Catholic University of São Paulo (PUC-SP).