We speak to Rupert Taylor-Price, founder and CEO of Vault Cloud, about Australia’s recent rise in cyber attacks and how organisations can protect against sophisticated malicious actors.
PM Scott Morrison’s address to the nation made it clear that cyber attacks are on the rise and will have a growing influence on our business interactions and livelihood in the coming years. Rupert Taylor–Price, founder and CEO of Vault Cloud, has years of experience delivering critical infrastructure-grade cloud services to government and commercial organisations in order to make them more agile and keep their data onshore. Here, he offers advice for organisations looking to better protect their sensitive assets.
How do the most recent cyber attacks on Australia factor into the work that you do at Vault?
For many of us in the sector, it was perversely exciting that the Prime Minister gave so much focus to this issue, because it’s certainly something we feel has been an under-invested area. The fact that it’s becoming a first-order issue is very exciting for our industry.
At Vault, for example, we are subject to a number of attacks (unsuccessful) on an ongoing basis, and those attacks are not just automated or technical attacks. One of the things we’ve noticed more recently is new staff members being targeted potentially before they’re fully aware of all the company-specific processes and procedures.
I think one of the interesting things around the recent national cyber attacks is just how specific a number of those attacks were on specific technology vendors. One of the lessons for me there was just how important diversity of technology is. If everything is reliant on one technology, then when that is compromised it creates an aggregated risk for the system as a whole. So we really do need to ensure we have diversity in the tools and systems we use.
There’s lots of conversation about what’s the best choice for an organisation: public, private or community cloud. What are your thoughts on the differences and where they are best applied, depending on an organisation’s risk appetite?
It’s contextual. It comes down to the data, the mission and what you’re trying to achieve.
Both public and private cloud models have advantages. Obviously, the cost-per-compute outcome is typically quite high on a private cloud, and the number of features you have would be smaller.
With the public cloud, its accessibility is very high which creates a whole class of security risks. Then also, if you have niche requirements, your prospects of getting a public cloud provider to change their global business model to meet your domestic business requirements is quite limited.
There are pros and cons to each, and that’s really where the community cloud formed from. So a community cloud attempts to have the scale of a public cloud as well as the adaptability of a private cloud. At Vault, we run two of these – we run a government community cloud and a critical-infrastructure community cloud. And we really target customising those clouds around the specific needs of their communities.
Focusing on greater security can be a rabbit hole for organisations trying to figure out what’s appropriate for their security posture. So for organisations looking to make the jump to cloud infrastructure, what advice do you give them?
Security is not linear. You don’t increase security in a linear fashion. The way that government may choose to secure a piece of infrastructure – and the way that something else is made – may both be secure, but they may do it in different ways.
We deal with the top end of town at Vault, so what we’ve done is taken very substantial government security requirements and built them into a government community cloud. I could go back to the start of the business eight years ago, and that’s what we built.
We were getting a lot of enquiries from the private sector, who at that time we didn’t service – this included some of the major banks. Then we realised there was actually a demand for that level of security within some parts of the commercial sector. So what we’ve done as a company is take that high level of security and apply it to what we’ve then launched as the critical infrastructure cloud.
I don’t think every organisation needs that level of security. Sometimes people think because we do high-grade security that we’re advocating that everyone should use the highest grade. What you’ve really got to look at is what you’re trying to achieve and whether that grade of security is required. Because to be transparent, if you operate at a high-grade level of security, it will slow down your business. There are trade-offs and compromises, and there’s no silver bullet. It takes time and investment to operate at that level.
Can you tell us a bit about what data sovereignty actually means?
Data sovereignty is a hot topic, and it won’t mean the same thing to everyone. If you look at the Information and Privacy Commissioner’s survey from 2017, 93% of Australians didn’t want data going offshore. So data sovereignty is clearly a very important subject for people.
For some of the work we’ve done with government organisations, we’ve categorised it into three areas. First is physical data sovereignty, which covers where the data is physically located (within your building, state, country, region or the globe).
Then there’s operational sovereignty, which covers where the operational staff, systems and processes are. Because your data primarily is within one location. For instance, you could have a cloud provider like Alibaba, which has a data centre in Sydney and they run a cloud region from that. By some definitions of sovereignty, you could argue that Alibaba is actually a sovereign service to Australia. But when it comes to all of the support and maintenance, if you have an issue with one of the compute nodes, for example, then someone is ultimately going to log in and look at what went wrong. So they’ve got to look at how your system and your data went through that CPU and ultimately caused a fatal error. They then start to investigate what’s in the caches, what’s in the RAM, what’s in the storage – this is just part of a diagnosis process to see what’s gone wrong. Now, if that diagnosis process happens in China or any other country, we would argue that it’s non-operationally sovereign.
The third type of sovereignty, which is by far the most complex and I think under-discussed, is legal sovereignty. Just because your data resides physically within your country, that doesn’t necessarily mean that your legal system applies to that data. And of course, many services are now globally replicated and distributed. So there’s a challenge where the legal jurisdiction of where your data resides is potentially unclear, or even belongs to multiple parties. People then immediately think of the CLOUD Act, or the National Security Letters provision of the Patriot Act, but there’s a bunch of similar legislation in China and other countries.
I think the most complex part of legal sovereignty is actually around the future laws. Typically when we choose to use a cloud service it takes us a long time to migrate off that service, and when we eventually do there’s no guarantee that all of our data will be removed after leaving. In some cases, the provider’s storage replication may mean it’s technically impossible for them to remove a single customer’s data entirely from their infrastructure.
That means we’ve got organisations that have perpetual access to some aspects of your data, and those are governed under another country’s legislation that may change tomorrow. The biggest challenge is what happens if a country changes its laws for the future.
Due to the current situation and the ongoing hacks, there are lots of organisations that are concerned and looking for advice. So what one piece of general advice would you give them?
Prioritise the investment you need to make – that means making sure your board and your C-suite have the right level of awareness and sensitivity of what you’re trying to achieve and why. Again, it’s about understanding what the risks are and how much time, money and effort you’re willing to invest in addressing those risks.