So, let’s say your organisation, enjoying the benefits of cloud services, has been accredited with Cyber Essentials Plus (CES+). Well done; this is an important step.
“Splendid”, you say, “now we’ve got internet damp proofing for…what…10 years?”
Not quite: the re-inspection will be a year later. In the meantime you’ll be abiding by a set of security guidelines and controls that are in place merely to ensure protection against “Internet based threat actors with low levels of technical capability” (from the CES framework doc). In other words, CES+ only assesses whether someone else somewhere on the internet can use “widely available capabilities” to “achieve a compromise” of your IT infrastructure. “Crumbs”, you say, “that’s not much, I wouldn’t want to do business with a company who didn’t pass this rudimentary test of cyber hygiene.” Quite so, and well put. No wonder the UK government is making it mandatory for some of its suppliers as of 1st October.
For Cloud Security, what’s needed is something more than relying on the up-to-dateness of the Cloud Service Providers’ patching and the elementary protection of CES+. Enter: Cloud Protective Monitoring. We’ve written an article here detailing what it is and what it looks like. It covers what’s different about Cloud Protective Monitoring compared with the traditional, internal protective monitoring you may do on your existing kit, why relying on Cloud Service Providers’ own monitoring is woefully inadequate, and why the Cloud model greatly widens your area of concern with each connected device.
Outsourcing your Cloud Protective Monitoring requirement to a company such as e2e-assure can be an inexpensive alternative to hiring expensive cloud-aware security analysts, not to mention that it fits in nicely with the “as a Service” costing model :)