Manufacturing and The Cloud – Navigating the Evolving Security Landscape
The cloud, or Software-as-a-Service (SaaS), model is now nearly two decades old. At first, manufacturers were scared to move their mission-critical data off-premise, but cloud companies adapted and instituted security measures to allay their fears. Despite the ever-evolving sophistication of hackers, security-conscious cloud providers now offer a far safer environment at a lower cost than most individual companies can provide for themselves.
With these assurances and benefits, more and more manufacturers are looking to move their critical business processes to the cloud. Here are the top security concerns they must consider and some suggestions on how cloud companies can address them.
Lack of Patching
Unpatched vulnerabilities on systems are the opening malicious hackers use to carry out the vast majority of hacks. Most exploits in today’s world involve vulnerabilities that were patched more than a year ago. It is challenging when you consider evolving technology – and the need for tools and the resources to use them – for manufacturers to keep a system patched.
Cloud providers should apply patches on a timely basis to reduce the likelihood of a breach. Many breaches take place simply because software providers do not apply patches on a timely basis. Responsible patching based on a mature vulnerability management protocol is critical to maintaining a safe environment.
Lack of Testing and Scanning
Manufacturers often do not have the expertise, time, tools or automated ways to conduct ongoing testing and scanning of systems. It does not make sense to wait until an attack happens to find out if defenses are strong enough.Cloud providers should operate a program to test defenses on a regular basis. Regular penetration and intrusion testing conducted by qualified/certified resources is important. Establishing a Vulnerability Management program is also a key to success. It is essential to not only test for vulnerabilities, but also to assess whether vulnerabilities are actually exploitable and what risks they represent (conduct ongoing risk assessment and analysis). Cloud providers should use vulnerability assessment tools and best practices that accommodate virtualization technologies, which are fundamental technologies for clouds. Such tools are capable of scanning physical and virtual environments. Furthermore, policies and procedures should be established regarding vulnerability testing, along with supporting processes and technical measures.
Immature Incident Security Response
Manufacturers are rightfully concerned that moving their data out of their physical premises and into the cloud makes that data vulnerable to a security breach. It's hard for them to trust someone outside the organization to prevent breaches and, just as importantly, to mitigate the damage if one occurs. The effects of a data breach can be catastrophic to businesses of all sizes, not to mention the public relations nightmare and subsequent liability that can ensue when an organization drops the ball in the wake of a cyberattack.
Cloud companies should have a dedicated team with tested best practice processes (like NIST guidelines) and clear communication protocols to the incident response plan to detect breaches, and react quickly to initiate remediation in order to lower costs and impact. The incident security process must be linked to related processes for customer communication that tie into backup, recovery and disaster recovery processes. Continuity of systems must be guaranteed within a certain time so as to limit the impact on the user.
Knowledge of and Familiarity with Application ERP
Manufacturers have deep knowledge of ERP-related applications. Now with the ever-evolving complexity and demands around system security and changes in laws and regulations, the investment needed for cloud environment security and infrastructure management is a very costly combination.
A cloud security and management team deeply familiar with the applications a manufacturer uses often provides superior security than, for example, a managed service provider without the application familiarity. Cloud providers that understand the interdependencies between infrastructures, platform, app and configurations settings from a security and management perspective usually do a better job. Sharing the cost of hiring or outsourcing security experts and the related expertise can give cloud companies economies of scale.
Weak Access Controls
Access control gives a user who has a valid identity, and who has authorized rights and/or privileges, the ability to access and perform functions using information systems, applications, programs or files. The challenge today is that there are so many devices, computers, data sources and applications; it is difficult to develop a comprehensive approach to access control. The threat of unauthorized user accesses is a major risk to the availability, stability and quality (infrastructure and data) of the cloud system.
Users should only have access to the network and network services that they have been specifically authorized to use, based on least privileged principles. Access should be controlled by secure login procedures and restricted in accordance with developed, review and continuously improved access control policies, processes and implemented tools (like Privileged Access Management). Adopting regular user access reviews of move/add changes will control the access over time.
Lack of Confidence Due to New General Data Protection Regulations:
Lately governments and regions have instituted a variety of regulations that impose conditions on the safeguard and use of data. More recently, with the introduction of the EU General Data Protection Regulation (GDPR) regulation in combination with penalties for organizations who fail to sufficiently protect it. Any global organization will need to treat privacy as both a compliance and business risk issue, in order to reduce regulatory sanctions as well as reputational damage and loss of customers due to privacy breaches.
Global manufacturers that operate in many countries and serve customers located in many countries need to stay abreast of individual country and regional regulations and gather regulatory intelligence. Data protection measures, like the new GDPR regulation which went into effect May 25, 2018, are becoming more important. Cloud providers will need to build a robust Information Security Management System (ISMS) based on security best practices (NIST) within the organization that meets internationally recognized data security standards like ISO 27001, CSA STAR certifications and SSAE18 SOC reports. This will help satisfy many data protection needs. Any cloud company that can share the applicable certifications and reports will underscore its ongoing commitment to ongoing security and compliance.