Guest Commentary: Cloud computing tackles emerging cyber threats

OTTAWA—Cyber threats and ransomware attacks are no match for cloud computing design-built from the ground up for information technology security.

In physical security, particularly access control, the history of hacking formerly focused solely on stopping unauthorized users from duplicating or cloning information housed on cards and other devices. Now, it's all about stopping criminals from gaining access to or attacking a customer's network and its data through vulnerabilities in their physical security systems.

The mounting case for cybersecurity is real and escalating. Cyber threats and ransomware present a formidable threat across all businesses and vertical markets. In the example of ransomware an attacker manages to successfully place malware on the network with the intent of encrypting critical data or entirely locking systems—to hold the business ransom for payments, with the promise of releasing the information or unlocking the system. Much of the ransomware is coming from out-of-country hackers who are quite sophisticated in their attacks, often demanding bit coin as payment.

Online extortion had a banner year in 2016, according to Trend Micro's annual security assessment report: “2016 Security Roundup: A Record Year for Enterprise Threats.” In 2016 there was a 752 percent increase in new ransomware families, with $1 billion losses to enterprises worldwide.

Ransomware attacks are growing in frequency, causing devastating consequences to enterprises and organizations across the globe. Numerous, widespread breaches around the world occurred prior to and through Mother's Day weekend 2017 as the WannaCry ransomware spread. Britain's National Health Service was hit by the cyber-attack and the same perpetrator froze computers at Russia's Interior Ministry while further affecting tens of thousands of computers elsewhere.

Across Asia, several universities and organizations reportedly fell prey, including Renault, the European automaker. The attacks spread swiftly to more than 74 countries, with Russia worst hit and included Ukraine, India, Taiwan, Latin America and Africa.

The fact of the matter is that anything riding on the network is at risk. Physical security systems are vitally important to daily operations of every organization today. At many facilities any downtime of these systems may significantly affect the safety of people, property and assets.

Tackling data security risks

Cloud computing creates a solid path for customers to lower their total cost of ownership (TCO) with open architecture and other installation efficiencies that provide ready scalability. But it also provides healthy TCO in providing inherent safeguards that protect data regularly and automatically.

Cloud computing Access Control as a Service (ACaaS) Security Management Systems (SMS) offers respite to the practice of housing access control systems on premises, with inherently higher security. Many of the cloud-based solutions today redundantly store system data and video automatically or on schedule. In addition, most cloud providers are held to an extremely high level of cybersecurity with various levels of encryption and automatic disaster recovery. Acceptance of cloud solutions by organizations is at an all-time high and manufacturers are releasing cloud solutions for numerous technologies.  Integrators need to take advantage of the opportunity to offer cloud solutions to customers for enhanced security and reliable network authentication.

What end users and security integrators are beginning to understand is that the cloud is much safer than a non-hosted environment. In the example of ACaaS SMS, there are multiple layers of safeguards and security in the technology available as opposed to on-premise software-based platforms using local servers. Cloud-hosted security management systems are purpose-built and designed with software security as a leading backbone. Hosted systems can follow what Microsoft refers to as SD3+C: Secure by Design, Secure by Default and Secure in Deployment in Communications.

Two-Factor Authentication and Password Policies

For those who have had their Facebook account hacked, the reality of the insecurity of passwords hits home. Secure cloud-hosted systems don't use default user names and passwords. Each hosted system is issued a unique password, providing the first step to an ultra-secure solution. In addition, the ability to create password policies for users that can be set for low, medium and high adds another layer of protection. Lastly, two-factor authentication, which is being used much more frequently with consumers, can be attached to the log-in credentials of any user.

With two-factor authentication, user accounts are linked with a second source of verification, such as a code generated for further authentication. Users must provide this code when entering their user name and password, while a potential hacker would need three things in order to access the system: user name, password and access to open the device which generates the two-factor authentication code. Two-factor authentication at the login for cloud-hosted access control reduces the risks of weak passwords while also simplifying password policy management for the IT staff.

Standards-based TLS 1.2 encryption

In addition to the SD3+C design concept, encryption further protects the transmission of data between the client and the cloud-based server using Secure Sockets Layer (SSL), a standards-based security technology for establishing an encrypted link between a server and a client. The SSL Transport Layer Security (TLS) 1.2 encryption secures the data connection to connected field hardware as opposed to using easily hacked Open SSL protocols. Further, TLS 1.2 encryption allows the server and client to authenticate each other and to negotiate an encryption algorithm and cryptographic keys before data is exchanged. Cloud computing takes this a step further: manufacturers auto-negotiate the TLS encryption with the access control controller boards as they initiate contact with the server.

Once logged in, SSL certifications further safeguard the communications between applications while TLS certificates protect the communications between field devices and the ACaaS SMS platform. Proactive and consistent vulnerability scanning also provides additional protection against emerging threats.

IP Client, versus IP Server, are also characteristic of cloud-computing which greatly reduces risk from outside threats. IP Client uses outbound ports at the user's site instead of inbound ports, circumventing the possibility of security breaches and data compromise. With IP Client, IT staff does not have to open inbound network ports or set up port forwarding, keeping the network secure and lowering management workload on manual configurations and set up.

Advanced security safeguards

All software manufacturers have Quality Assurance (QA) departments inspecting their own software for bugs and issues. However, what are the risks if QA misses a critical issue with the code? Third party vulnerability assessments are not only becoming prevalent in the cloud-based solutions market, but expected by savvy end users who want support documentation to assure that the manufacturer has taken additional steps to further minimize risks. Veracode is one of those that provides these services in cloud-hosted ACaaS and tests for key application security risks to enterprise solutions. Software providers of all sizes use the VerAfied™ security rating to demonstrate their software has undergone stringent independent testing and certification against the latest industry standards.

Gartner predicts worldwide public cloud services to grow 18 percent in 2017 to $246 billion, up from $209 billion in 2016. ACaaS that's built for and hosted by the cloud provides the industry's most robust solutions for secure, connected environments in security and the emerging internet of Things. A major factor to consider for cloud-computing SMS today is the level of security a manufacturer provides for their application. The most robust solution should incorporate multiple layers of data and privacy protection to safeguard client information while delivering the highest end-to-end security, from system login to trusted field devices.

Paul DiPeso is executive vice president of Feenics, a company that specializes in cloud-based access control solutions including its Access Control as a Service (ACaaS) platform built specifically for and hosted in the public cloud.