Michael Calvin, Chief Technology Officer at Kinectify, takes a look at some of the most recent cybersecurity breaches that have made the news and outlines how cloud technology can help betting and gaming companies combat these threats.
Considering the recent gaming industry cybersecurity breaches, I have been reflecting on how these incidents could have occurred, how they were able to impact the enterprises so completely, and what could have been done differently to mitigate these risks. For me, the answer continues to be leveraging cloud services.
Modernizing our hardware and software infrastructure is critical to our survival. This year alone, three of the largest gaming brands in North America were severely impacted by ransomware attacks, with two of them being crippled for weeks. The fallout from the attacks on MGM Resorts International and Gateway Casinos (Canada) is yet to be fully assessed but may approach $1 billion.
Why are casinos suddenly a target?
Criminals focus on industries that are “soft targets” and high reward, and the outdated technology infrastructure rampant in our industry makes us an easy target for cyberattacks. Most gaming organizations and their vendors manage the majority of their technology infrastructure on-premise. This leads to these organizations becoming easy targets because they are not able to keep up with technical trends and leverage best-in-class systems for securing their environments. They are instead limited by both what they can afford to purchase and the skillset of the team maintaining that equipment.
Keeping pace with the latest software and hardware firewalls, routers, switches, IPS/IDS systems, and other security infrastructure is expensive and requires near full-time focus. This is an impossible task for a gaming organization whose resources and focus are not on the latest and greatest hardware, software, and security professionals, but rather the entertainment they provide to patrons. Typically, organizations do not rotate their infrastructure for 10+ years, and often important server updates are left on the backlog due to resource constraints, creating an environment that is easily exploitable by ransomware attacks and other malicious software.
Gaming suppliers are no exception. Many leading suppliers have not updated their codebase since the proliferation of the internet. Yes, you read that right: the internet. Many suppliers run their systems on TCL, Pascal, and other pre-web code bases from the 1970s to 1980s and have irresponsibly refused to sunset those systems and invest in modernization. Outdated code from before the internet requires their systems to run on-premise, putting the casino and its patrons at security risk.
Pre-internet software, and even software created in the last 15 years, lacks appropriate security controls to address today’s threats. These systems cannot support TLS 1.2, AES 256-bit encryption, and other industry standards for security and cryptography because those capabilities have not been built in Pascal, Fortran, TCL, and other legacy languages. These legacy software vendors often say their systems are not at risk because they live “behind the firewalls” on the customer’s network. If the latest breaches have shown us anything, it is that internal, “behind the firewall” systems need to have just as much, if not more, protection than systems that are cloud hosted.
Regulators are not blameless in this situation either. Some states require data to remain within the state, which in some cases limits casinos from utilizing more secure sites such as Microsoft and Amazon data centers. Thinking your data is more secure or that you have better control over it because it is physically close is a severe fallacy. Leading data centers’ entire core competency and focus is securing data, and they invest billions into technology, equipment, and human resources fully dedicated to this end. No gaming organization or supplier can come close to securing data like Microsoft Azure and Amazon Web Services.
The status quo is unsustainable and irresponsible. Cyber criminals now know this industry is a soft target and they will continue to attack. The more sophisticated actors will sell their technology services to smaller groups and the attacks will continue to proliferate. Gaming organizations who refuse to modernize will be breached, their patron data will be sold on the dark web, and their operations will be disrupted. Operators and suppliers alike must modernize.
Benefits of the Cloud
Utilizing leading data centers such as Microsoft Azure and Amazon AWS provides numerous benefits including the following:
Concentration Risk / Business Continuity
Utilizing data centers decreases concentration risk and increases the ability to continue to operate core systems should a breach occur. When a gaming organization does not use cloud systems, and instead manages its technology infrastructure on-site, it has a limited number of machines, and many of its services share the same hardware and are often networked together. This means if the hardware is breached or compromised, a wide range of systems go down.
Utilizing data centers provides a near unlimited number of machines allowing services to be partitioned and segregated thereby limiting exposure should a breach occur. For example, your business productivity suites (Office 365, GSuite, etc.) are completely segregated from your hosted systems, and if one is compromised, it is unlikely for it to spread to those separate systems.
Microsoft Azure has over 8,500 security professionals fully dedicated to securing their data centers and Amazon is similar. These organizations employ the top security minds, develop and procure the latest technologies, and keep their hardware continuously updated. The core competency of the data center business is security and processing power. They invest billions annually into security infrastructure and personnel and they lead the way in new technologies to combat security threats.
In addition to providing state-of-the-art security out of the box, gaming organizations get the benefit of leading-edge, high-performance solutions at the click of a button. If you need the latest GPU systems to run machine learning workloads, you can deploy those in minutes. Do you want to upgrade to the latest IPS/IDS system to detect threats in your environment? It's available with a few clicks. Compare that to on-premise solutions. Even after adding newly provisioned hardware to your data centers, they are most likely operating at near capacity. If you wanted to experiment with a big new data workload, for example, it could take weeks or months to get new machines capable of doing that work, compared to minutes in a cloud environment.
The cloud provides real elastic horizontal scalability, meaning that you can scale down just as easily as scaling up. In an on-premise environment, this simply does not exist. Even if you deprovision virtual machines elastically, you still have the same number of physical resources running. There is no such thing as scaling down in on-premise environments. Couple that with machines that are overprovisioned (allocated more resources than they need) because there is less visibility to the end users of resource consumption, and costs rise quickly. A cycle of overprovisioning of virtual resources necessitating physical hardware purchases is created and it becomes impossible to break out of that cycle.
Additionally, I can deploy just what I need, without having to provision a complex set of hardware and software. For example, in my environment, if I want one virtual machine, I will pay around $80 for the system resources I have requested. In an on-premise environment, if I just want 1 virtual machine, I need to provision a physical machine with at least the same amount of resources I want to use, a virtualization system (called a hypervisor) to create and manage virtual machines, networking infrastructure to connect to that virtual machine, shared storage solutions, and many other things. It might seem like provisioning these resources becomes more economical if I am going to host a lot of systems, but it does not actually turn out that way.
Finally, in the cloud you shift Capital Expenses to Operational Expenses. This provides simpler accounting, more control over your budget, and it often benefits tax situations. It means fewer forecasting requirements (you can operate off actuals rather than projections), and more accurate budgeting for your systems.
The recent gaming industry cybersecurity events that have occurred over the last couple of weeks serve as a stark wake-up call for all stakeholders responsible for the systems that operate their organizational infrastructure. They highlight the vulnerabilities caused by legacy systems hosted in legacy ways. While cloud-based systems can certainly be vulnerable to these types of attacks as well, the tools we have in the cloud to detect, prevent and minimize harm are far greater than the tools we can ever hope to have on premise.
In today’s complex and ever-evolving threat landscape, the question is not whether cloud-based solutions are infallible, but rather which approach equips us with the most robust set of tools to combat these risks. If your organization’s core competency is not in managing and securing hosted infrastructure, the cloud is not just an option; it is an imperative. The stakes are too high, and the risks too great, to do otherwise.
By leveraging the cloud, we are not just adopting new technology; we’re aligning ourselves with a paradigm that prioritizes security, scalability, and operational excellence. And in a world where cyber threats are not a matter of “if” but “when,” that is a paradigm we can’t afford to ignore.