Independent.ie
'Literally every month, we send you a bill. If we do a bad job supporting you, you will not keep using our services,' says Mark Ryland of Amazon Web Services
Adrian Weckler
August 25 2022 02:30 AM
Are people confident enough yet to move their company’s IT security to the cloud?
What are the cardinal errors we’re making in leaving the door open to ransomware? And what other security lessons should companies, in particular, be heeding as they move more of their daily work activities online?
Mark Ryland is director in the Office of the Chief Information Security Officer at Amazon Web Services, the world’s biggest cloud and hosting provider.
The Irish Independent caught up with him to ask about a number of security issues.
Adrian Weckler [AW]: When I talk to large and small companies in Ireland, some are still unsure about the fundamental notion of putting more of their organisation’s security online. Are they right?
Mark Ryland [MR]: There are certainly still some legacy technologies with definite security benefits. On the other hand, it’s getting harder with some processes to do it all on premises, too.
You get security controls around networking and other stuff that are not easy to set up on premises. I would also say that for cloud native systems, whether you’re starting with it or modernising to it, you would be less likely to see traditional security technologies.
You’re not going to be worried about endpoint security and so forth; configuration management becomes the key security control. So there’s been a lot of movement on this, I think.
More and more, there’s now a sense of this [cloud] being the modern, secure thing to do with less of a question mark around it.
AW: What are the other trends you’re seeing?
MR: People often want to talk about exciting, emerging threat landscapes.
But how about we start with security basics? How are they doing there? Like patching? How are they doing with training people not to click on phishing links? Generally, people don’t do a great job with the basic stuff.
Even something like ransomware, which is a huge topic, is literally just a new monetisation strategy for a set of flaws that tended to exist for a long time.
AW: We’re now years into ransomware being a major pain point for a lot of companies. Is it disheartening that so many large organisations still appear to be vulnerable to it? And what should they really be doing differently?
MR: It’s almost always unpatched systems. Cloud can help a lot, even through some of the simplest features.
We have a service which can back up everything, all the database services. A year or so ago, we added a policy feature where no data can be deleted for 90 days.
No user, not even the most powerful administrator in your entire company, can delete the data while it’s in this policy.
That’s a pretty safe place to be when it comes to compromised credentials, which is a classic attack vector [in ransomware].
If someone gets in and gains administrative access and wants to start doing things, they can’t. It’s a really powerful, simple tool.
But again, ransomware is not a new security risk per se, even if there may be some new tools associated with encryption.
Ultimately it really asks the question: did you ever actually have a good strategy for dealing with data loss and data protection? So ransomware has been a wake-up call.
AW: Stripe’s Collison brothers regularly argue that the world is only single percentage points into an e-commerce transition. Is that a relevant argument for cloud security?
MR: This is still at a relatively early phase of transformation.
That transformation is good for the industry.
It’s a fundamental realignment of customer interests and vendor interests, from what you had in the old [tech] world.
As a vendor, I may be very well intentioned, but what I was actually motivated to do was to sell you as much hardware as I can and to sell you the biggest software enterprise agreement, whether or not you ever install and use that software.
I may tell you that I’m giving you a big discount.
But if you never installed it, the discount didn’t actually work.
Yet it was irresistible for vendors to do this.
A salesperson might get a Ferrari after a big deal closed. That was just the way the world worked and no-one thought it was evil.
But cloud doesn’t work that way.
Literally every month, we send you a bill. If we do a bad job supporting you, you will not keep using our services. If we do a great job, you’ll use more.
I think that in some ways, this is the most revolutionary thing about cloud technology.
A Mediahuis Website © Independent.ie