Chapter 1
Understanding Cloud Computing and the Current Threat Landscape
IN THIS CHAPTER
Understanding cloud computing and its value in the current threat landscape
Getting to know the cloud deployment and service models
Determining the right Office 365 plan for your organization
The way we work today is vastly different from the way we worked in the past. Gone are the days when we worked from 9 a.m. to 5 p.m. in one location using one desktop computer and software that didn't connect to the Internet. Today we get our work done using a desktop, a laptop, a smartphone, or a tablet while on the bus, at the doctor's office, during a run, at a coffee shop, and even when we're on vacation.
Welcome to the new world of work. It is the way most organizations are working, and it is the way the modern and younger workers expect to work.
As more companies embrace the opportunities presented by cloud and mobile computing, they also take on new risks. One of the most significant challenges in today's computing environment is ensuring security, privacy, and compliance. In fact, there is a consensus in the business world that there are only two types of organizations: those that know they've been hacked, and those that don't know they've been hacked. By the end of 2017, more than 28,800 data breaches had occurred globally with over 19 billion - again, that's billion - records exposed stemming from over 20,000 types of vulnerabilities.
The security issues we know today are not isolated to Fortune 500 companies. The reality is that small and medium-sized businesses (SMBs) are just as vulnerable to attacks. In fact, SMBs face more serious risks for a variety of reasons, including the scarcity of security talent in the industry; their inability to identify, assess, and mitigate security risks; the lack of familiarity with security best practices and the overall threat landscape; and confusion from the multitude of security solutions from which to choose.
One might conclude that the best defense against cyberattacks is to have a computing environment that's not in the cloud (rather on-premises, as technologists call it), and is protected by firewalls using the best encryption technology and running the latest anti-virus software. The problem with this approach is that all it takes to start a breach is one simple human error, such as clicking on a link or opening an attachment in an email. The reality is that as software and platforms are getting better at combatting cyberthreats, attackers are shifting their focus to the human element to hack the users through social engineering.
But what is social engineering? Consider the following real-life example:
Cloud611, a Microsoft Cloud Solutions Provider, resells Office 365 licenses to SMBs. Recently, a customer forwarded an email to Cloud611 asking why the company was warning him that his account could be deleted or closed. The exact language of the email read:
- Your account will be disconnected from sending or receiving mails from other users because you failed to resolve errors on your mail.
- Confirm your activities here.
- Regards,
- The Mail Team
Under the guise of being a solutions provider, the attacker tried to use a scareware tactic to trick the customer into clicking on the word "here," which is hyperlinked to a site that then downloads and installs malware on his computer. Fortunately, the customer did not completely fall for it, and the attacker failed - this time.
Social engineering comes in many forms: phishing, spear phishing, scareware, and more. These tactics all attempt to psychologically manipulate a user into divulging information or influence an individual to perform a specific action. The end game is usually to gain access to the computing environment to do harm.
The good news in this story is that the customer did not have to invest thousands of dollars to implement an end-to-end security solution nor hire an expensive security expert to protect his small business. For a mere $2 per user per month, the customer added Advanced Threat Protection (ATP) to his Office 365 Business Premium license to secure his mailboxes, files, online storage, and even his Office applications against advanced threats.
This chapter is for those of you who have a keen interest in understanding the basic principles of cloud computing with the intent of utilizing the benefits of the cloud to run your business in a way that increases employee productivity while keeping your environment secure. It covers the various services offered within Office 365, including what they cost and the latest security and privacy features built into the services. With the knowledge you gain from this chapter, you will be better prepared run a more secure, productive organization.
Understanding Cloud Computing
The "cloud" is a metaphor for the "Internet." In simplistic terms, cloud computing means that your applications or software, data, and computing needs are accessed, stored, and occur over the Internet "in the cloud."
If you've had a Facebook account, played online games, shared files with Dropbox, or shared a photo of your new haircut on Instagram, you've been computing in the cloud. You're using the services of an entity to store your data, which you can then access and transfer over the Internet. Imagine what life would be like if you wanted to share photos of your lunch with all of your 500 friends and cloud computing didn't exist.
For businesses and other organizations, cloud computing is about outsourcing typical information technology (IT) department tasks to a cloud service provider who has the experience, capability, and scalability to meet business demands at a cost that makes sense.
For example, let's look at a small business such as a boutique accounting firm that services over 200 businesses locally. Email is a critical communication platform for the firm. To be productive, the firm decided to hire an independent IT consultant to install an email server in the office. The deal was that the IT consultant would train a couple of people from the firm to do basic server administration. Beyond the basics, the consultant would be available to remotely access the server to troubleshoot or show up in person if something breaks.
Like most horror stories we've heard from people who try to manage their own servers without a highly trained IT staff, the situation turned out to be a nightmare for this firm. The email server went down during tax season when the IT consultant wasn't immediately available. In an industry where highly sensitive data is exchanged and customer trust is paramount, you can imagine the stress the company owner experienced dealing with email that contained sensitive attachments ending up in a black hole, irate customers who didn't get a response to their time-sensitive requests, and lost opportunities beyond quantifying.
Cloud computing for members of this firm meant migrating their email to Office 365. So instead of running their own email server, fixing it, patching it, hounding their IT consultant, and dreading another doomsday, they simply paid a monthly subscription to Microsoft, which is the entity responsible for ensuring the services are always up and running. They also know that email will not be lost, because they don't rely on one piece of equipment getting dusty in a corner of their office break room. Instead, they're taking advantage of Microsoft's huge and sophisticated data centers to replicate and backup data on a regular basis.
The basic premise of cloud computing is that organizations of any size can take advantage of the reduced cost of using computing, networking, and storage resources delivered via the Internet while at the same time minimizing the burden of managing those complicated resources.
Breaking down the cloud deployment models
Not all organizations are created equal. For example, a financial organization has different requirements than a nonprofit organization or a government organization. To address these varied needs, cloud service providers offer different deployment options.
Public cloud
The type of deployment model the boutique accounting firm used in the previous section is referred to as the public cloud, where the cloud computing service is owned by a provider (Microsoft) and offers the highest level of efficiency in a shared but secure environment. The firm did not own or maintain any hardware. It accessed and used the email and other services from the public cloud on a subscription model. In cloud computing-speak, this firm is referred to as a tenant in a public cloud. There are multiple tenants in a public cloud. Each tenant is isolated from the other with security boundaries so there is no data leakage. As illustrated in Figure 1-1, Enterprises A, B, and C can access the same application services in a public cloud, but their data is isolated from each other.
FIGURE 1-1: Cloud computing deployment models.
Using a public cloud is like using electricity. You only pay for what you use. And just like electricity, you don't need to maintain the power plants - the provider does that. You only maintain the devices using the electricity. In this example, you don't need...
