Pivoting Customers' Mindsets For Cloud Security

Cloud is a major component in digital transformation, yet many companies are still stuck in old ways of thinking and, as a result, make common mistakes. When these businesses increase cloud capability and cloud velocity, they often create new risk areas outside their familiarity. 

Application developers have been quick to adopt cloud computing over the last decade due to the growing need for speed when coding, which sluggish digital infrastructures fail to support, especially in the move from development to testing to production. As Agile and DevOps methodologies become mainstream, businesses must view the cloud as the future.

The concerns, challenges, and risks of using cloud computing differ from legacy on-premise environments, which many businesses still use. On-premise tasks do not automatically transport to the cloud, so companies must continuously evolve and adapt. There are also risks involved when relying on a singular provider when outages occur, such as when customers were left helpless and locked in when Amazon Web Services experienced an incident in December 2021. Cloud providers secure servers and infrastructures, but many breaches occur because of misconfiguration, poor architecture, and complexity in hybrid and multi-cloud environments. The responsibility for these items resides with the client and not necessarily the cloud service provider.

Managing Cyber Risks

Cloud Security Alliance - the world's leading organisation dedicated to defining standards, certifications, and best practices to help ensure a secure cloud computing environment - highlighted the top 11 concerns that CISOs, CTOs, and CIOs have around cloud consumption. They are known as the Egregious 11:

1.    Data breach
2.    Misconfiguration and inadequate change control
3.    Lack of cloud security architecture and strategy
4.    Insufficient identity, access, key management
5.    Account hijacking
6.    Insider threat
7.    Insecure interfaces and APIs
8.    Weak control plane
9.    Metastructure and applistructure failures
10.  Limited cloud usage visibility
11.  Abuse and nefarious use of cloud services

To meet executive goals, companies often wrapper their data centre's current capabilities and try to lift and shift, and transport that into a cloud ecosystem. There are many advantages and disadvantages to that, which organisations need to understand.

This can often be riddled with some legacy, technical debt that is unsuitable for the cloud as it increases cyber risk.

Decision makers must understand what their needs are from an engineering velocity perspective and be able to architect that to design security compliance capabilities accurately upfront in the system development lifecycle.

Many organisations are developing a multi-cloud, multi-year strategy, leveraging IaaS (Infrastructure-as-a-Service), SaaS (Software-as-a-Service), PaaS (Platform-as-a-Service) in addition to Infrastructure-as-Code. While this approach provides diversification benefits, the cyber risks become more complex because ascertaining identities to provide access to the relevant data or capability becomes harder.

The 'Egregious 11' correctly pinpoints that businesses today lack a clear cloud security architecture or identity strategy. Identity can refer to people, machines, and solutions – the key to success is efficiently and safely ensuring that all relevant identities can access resources and that there is a plan of action when a bad actor takes over. They can infiltrate cloud systems by targeting the identification gaps. As application developers work to meet deadlines, they often neglect their security and compliance colleagues that are scrambling to protect their digital footprint across several clouds. Organisations also must move to a "shift left" culture, building security into the application development lifecycle. As cloud complexity and identities rise, organisations struggle to manage cloud configuration and monitoring effectively. 

Growing Cloud Visibility

Whilst cloud migration promises to cut costs, increase speed, and enhance operational performance, the financial, reputational, and material fallout of cyber vulnerabilities that result from poorly executed clouds equally dwarf business leaders. A lack of foresight over identity governance and access in a fragmented cloud environment can cause irreparable damage to a business.

Intra-cloud resilience is made possible when there is full visibility and transparency in the cloud; only then can organisations establish guardrails or swim lanes for controlling how data can be accessed and by whom. Cybersecurity must be embedded into a company's cloud roadmap.

Security teams require clear graphical visualisations of how data and identities are intertwined to ensure maturity levels can be baselined and enforced. This helps organisations to prioritise identity, data classification, and entitlement (access) enforcement as baseline controls for their multi-cloud security strategy. 

Customers, whether they are SMEs or large enterprises, are going to use more than one cloud, which means they must have a clear view of what 'multi-cloud' looks like and secure access to the right architecture and strategy to gain the maximum benefits of cloud: without compromising operational and cyber resilience.

Businesses need to remember to 'shift left' and design security upfront into the process, as cyber criminals rely on corporate leaders to move fast and overlook the basics. 

JD Sherry is Client Partner at ISTARI

You Might Also Read:

Cybersecurity Essentials For Cloud Environments:

 

« Modernising SecOps: It’s Time To Unpick The Complex Matrix
Blockchain Is The New IoT Standard »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Veracode

Veracode

Veracode delivers the most widely used cloud-based platform for securing web, mobile, legacy and third-party enterprise applications.

BaseN

BaseN

BaseN is a full stack IoT Operator. We control the full value chain in order to provide ultimate scalability, fault tolerance and security to our customers.

Siscon

Siscon

Siscon delivers tailor-made compliance solutions that are based on the customer's specific wishes and reality and then supplement with many years of experience in the field.

Logsign

Logsign

Logsign is a Security Orchestration, Automation and Response (SOAR) platform with next-gen Security Information and Event Management (SIEM) solution.

Appvisory

Appvisory

Appvisory by MediaTest Digital is the leading Mobile Application Management-Software in Europe and enables enterprises to work secure on smartphones and tablets.

Windscribe

Windscribe

Windscribe is a Virtual Private Network services provider offering secure encrypted access to the internet.

Lumen Technologies

Lumen Technologies

Lumen is an enterprise technology platform that enables companies to capitalize on emerging applications and power the 4th Industrial Revolution (4IR).

FRSecure

FRSecure

FRSecure is a full-service information security management company that protects sensitive, confidential business information from unauthorized access, disclosure, distribution and destruction.

Garner Products

Garner Products

Garner design, manufacture, and sell equipment that delivers complete, permanent, and verifiable data elimination.

Monster Jobs

Monster Jobs

Monster is a global leader in connecting people to jobs, wherever they are. Monster covers all job sectors including cybersecurity in locations around the world.

Enterprise Incubator Foundation (EIF)

Enterprise Incubator Foundation (EIF)

Enterprise Incubator Foundation (EIF) of Armenia is one of the largest technology business incubators and IT development agencies in the region.

MicroSec

MicroSec

MicroSec is a company specializing in IoT security. We focus on bringing enterprise grade security to IoT and embedded systems.

Varen Technologies

Varen Technologies

Varen Technologies is an innovative consulting partner with highly respected cyber security, analytics, Agile Software Development and IT/maintenance expertise.

Sotero

Sotero

Sotero is the first cloud-native, zero trust data security platform that consolidates your entire security stack into one easy-to-manage environment.

IONOS

IONOS

IONOS is a leading provider of cloud infrastructure, cloud services, and hosting with more than 8.5 million customers contracts.

Venticento

Venticento

Venticento is an IT company specialized in consulting and network support and assistance for companies that need to make their business processes more effective.