Like many other industries, Ship Operators, Charterers & Brokers control sensitive commercial information that must be kept secure. After reading our Cloud introduction you may have learnt, or may already have known, that anything in the cloud is stored on and/or accessed through a third party such as Amazon, Microsoft, IBM & Google. For example, when using Cloud e-mail clients (e.g. Gmail), e-mails are hosted on the provider’s servers and made accessible over the internet. The most common concern shipping companies have about using Cloud technology is “Is my sensitive data secure?”.
There are some security risks when using Cloud technologies, but the general conceptions and levels of fear surrounding them are largely unfounded, particularly when compared with a self-managed, private server option. These concerns can be largely attributed to some loss of control of data flows from operating on servers we no longer wholly own. However, control and security are not synonymous. When boarding a plane we don’t immediately rush into the cockpit and demand we’re the ones to steer – at certain times it is in our greater interest, in terms of security, to release some control of a situation. It may seem a wild comparison, but the premise is very similar: planes are piloted by experts who have dedicated their entire career to mastering the art – we trust them to know more about flying a plane than we do. Amazon, Microsoft, Google and IBM are experts at technology & cyber security. Their combined pool of knowledge around cloud computing, the concept which they pioneered, is so comprehensive that it is hard to suggest our in-house technicians can compete with the resources at their disposal.
Gartner, one of the world’s leading information technology research and advisory companies, predicts that ‘through 2020 public cloud infrastructure workloads will suffer at least 60% fewer security incidents than those in traditional data centres’ – traditional data centres being solely our own private servers, the traditional way of managing IT. This makes sense; these companies invest enormous amounts into both physical and cyber security – it is mission critical to their companies. Given the services they provide they also face tougher standards as their data centres are independently audited and have to adhere to standards such as SOC 2 Type II.
Whilst most high-profile attacks originate outside the organisation, the vulnerabilities in the network that allow cyber attackers a point of entry almost overwhelmingly originate from an internal source, a trusted insider. Some of these vulnerabilities are a result of malicious intent, but the vast majority are created inadvertently - falling prey to phishing attacks, failing to patch known vulnerabilities, or even a run-of-the-mill task like taking a work laptop home and operating on a less secure network.
The most notorious hacks are rarely caused by criminal masterminds, but instead by these internal human errors. Even the attack on the Pentagon of 2015, compromising over 4,000 military and civilian personnel, was most likely the result of a cleverly disguised spear phishing email which should not have been interacted with.
As clarification, phishing attacks are attempts to trick you into giving out personal information of your own accord: you may believe it is the bank contacting you and supply your bank details. They are very general in nature and often sent out en masse. Spear phishing attacks are highly targeted, and perhaps highly personalised; attackers may know you use, and have recently been in contact with, a certain bank for a certain service, so they can adopt a more convincing disguise.
Marine shipping providers have also been targeted with spear-phishing campaigns: attackers used spoofed e-mails targeting a single company to gain access to confidential data. Another incident saw a major fuel supplier fall victim to an $18m e-mail scam.
Patching is the technical term used for running an IT update that removes a hole in security. One of the issues with non-cloud software is that these updates can take longer to patch as on-premise IT support is needed to deal with the issues.
The recent UK NHS attack was caused by a known vulnerability that had not had the time to be ‘patched’. The recent attack on Maersk mirrored the NHS incident - at least one computer at Maersk was running on an unpatched system. This was infected by the ransomware Petya, and the virus then spread to their local network.
Consider this - even a simple upgrade to the next Microsoft Office typically takes years for an organisation to roll out. More complex security updates take longer still, and thus can leave vulnerabilities open for longer. Compare this roll-out time with cloud - Netflix famously deploys multiple times every minute to roll out new features and fix bugs.
Let’s bring this into context of IT processes used in the shipping industry. Using Ship Operators as an example, sensitive commercial data such as fixtures and open vessels are often recorded manually, perhaps in Excel, and passed between colleagues via e-mail.
Even when using software, traditional software providers tend to offer ‘desktop software’ - a locally hosted program, as opposed to a Cloud solution. Modern software tends to be cloud-based. At Shipamax data is centralised and hosted on our systems – using AWS as our Cloud infrastructure provider. Amazon’s systems are protected by dedicated specialist IT security teams most companies could not afford and are even used by the US Department of Defense. Equally important, if any of our users’ hardware were to be lost or stolen, the important data is not stored locally on their hard drive and can’t be accessed.
Ultimately the question of whether our data is actually safer in the cloud is a direct comparison of the dedicated resources of your potential cloud provider compared to that of your internal IT department. Security is one of the many factors contributing to the rapid growth of Cloud hosting. Even understandably cautious sectors, such as Financial Institutions that have been reluctant to incorporate Cloud in the past, are gradually beginning to trust it. These institutions have to maintain the integrity of customer data for millions of people, and they are choosing Cloud to do this. Just over a year ago, US bank Capital One committed to reducing its own data centres from eight to three whilst moving a lot of its processes and product development to AWS.
No, not all Cloud providers are equal. Some Cloud technology companies use their own data servers and centres as opposed to the infrastructure of those that are specialists. When choosing an infrastructure or SaaS provider make sure to be stringent with the questions you ask around security - will they encrypt all data transmissions? Do they conduct penetration tests? Where do the servers physically reside? Who, personally, will be able to see your data and, finally, what is the termination process if you aren’t satisfied?