Pivoting Customers' Mindsets For Cloud Security

Cloud is a major component in digital transformation, yet many companies are still stuck in old ways of thinking and, as a result, make common mistakes. When these businesses increase cloud capability and cloud velocity, they often create new risk areas outside their familiarity. 

Application developers have been quick to adopt cloud computing over the last decade due to the growing need for speed when coding, which sluggish digital infrastructures fail to support, especially in the move from development to testing to production. As Agile and DevOps methodologies become mainstream, businesses must view the cloud as the future.

The concerns, challenges, and risks of using cloud computing differ from legacy on-premise environments, which many businesses still use. On-premise tasks do not automatically transport to the cloud, so companies must continuously evolve and adapt. There are also risks involved when relying on a singular provider when outages occur, such as when customers were left helpless and locked in when Amazon Web Services experienced an incident in December 2021. Cloud providers secure servers and infrastructures, but many breaches occur because of misconfiguration, poor architecture, and complexity in hybrid and multi-cloud environments. The responsibility for these items resides with the client and not necessarily the cloud service provider.

Managing Cyber Risks

Cloud Security Alliance - the world's leading organisation dedicated to defining standards, certifications, and best practices to help ensure a secure cloud computing environment - highlighted the top 11 concerns that CISOs, CTOs, and CIOs have around cloud consumption. They are known as the Egregious 11:

1.    Data breach
2.    Misconfiguration and inadequate change control
3.    Lack of cloud security architecture and strategy
4.    Insufficient identity, access, key management
5.    Account hijacking
6.    Insider threat
7.    Insecure interfaces and APIs
8.    Weak control plane
9.    Metastructure and applistructure failures
10.  Limited cloud usage visibility
11.  Abuse and nefarious use of cloud services

To meet executive goals, companies often wrapper their data centre's current capabilities and try to lift and shift, and transport that into a cloud ecosystem. There are many advantages and disadvantages to that, which organisations need to understand.

This can often be riddled with some legacy, technical debt that is unsuitable for the cloud as it increases cyber risk.

Decision makers must understand what their needs are from an engineering velocity perspective and be able to architect that to design security compliance capabilities accurately upfront in the system development lifecycle.

Many organisations are developing a multi-cloud, multi-year strategy, leveraging IaaS (Infrastructure-as-a-Service), SaaS (Software-as-a-Service), PaaS (Platform-as-a-Service) in addition to Infrastructure-as-Code. While this approach provides diversification benefits, the cyber risks become more complex because ascertaining identities to provide access to the relevant data or capability becomes harder.

The 'Egregious 11' correctly pinpoints that businesses today lack a clear cloud security architecture or identity strategy. Identity can refer to people, machines, and solutions – the key to success is efficiently and safely ensuring that all relevant identities can access resources and that there is a plan of action when a bad actor takes over. They can infiltrate cloud systems by targeting the identification gaps. As application developers work to meet deadlines, they often neglect their security and compliance colleagues that are scrambling to protect their digital footprint across several clouds. Organisations also must move to a "shift left" culture, building security into the application development lifecycle. As cloud complexity and identities rise, organisations struggle to manage cloud configuration and monitoring effectively. 

Growing Cloud Visibility

Whilst cloud migration promises to cut costs, increase speed, and enhance operational performance, the financial, reputational, and material fallout of cyber vulnerabilities that result from poorly executed clouds equally dwarf business leaders. A lack of foresight over identity governance and access in a fragmented cloud environment can cause irreparable damage to a business.

Intra-cloud resilience is made possible when there is full visibility and transparency in the cloud; only then can organisations establish guardrails or swim lanes for controlling how data can be accessed and by whom. Cybersecurity must be embedded into a company's cloud roadmap.

Security teams require clear graphical visualisations of how data and identities are intertwined to ensure maturity levels can be baselined and enforced. This helps organisations to prioritise identity, data classification, and entitlement (access) enforcement as baseline controls for their multi-cloud security strategy. 

Customers, whether they are SMEs or large enterprises, are going to use more than one cloud, which means they must have a clear view of what 'multi-cloud' looks like and secure access to the right architecture and strategy to gain the maximum benefits of cloud: without compromising operational and cyber resilience.

Businesses need to remember to 'shift left' and design security upfront into the process, as cyber criminals rely on corporate leaders to move fast and overlook the basics. 

JD Sherry is Client Partner at ISTARI

You Might Also Read:

Cybersecurity Essentials For Cloud Environments:

 

« Modernising SecOps: It’s Time To Unpick The Complex Matrix
Blockchain Is The New IoT Standard »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Nubo Software

Nubo Software

Nubo’s Virtual Mobile Infrastructure creates a virtual corporate device on your employee smartphones and tablets. Enable unlimited mobility without leaving any data at risk.

Private Internet Access

Private Internet Access

Private Internet Access is a Virtual Private Network services provider offering secure encrypted access to the internet.

Aujas Cybersecurity

Aujas Cybersecurity

Aujas has deep expertise and capabilities in Identity and Access Management, Risk Advisory, Security Verification, Security Engineering, & Managed Detection and Response services.

Cyber Defense Agency (CDA)

Cyber Defense Agency (CDA)

Cyber Defense Agency is a premier professional services firm specializing in cyber security, computer network defense, and information security.

Threatspan

Threatspan

Threatspan is a cybersecurity firm helping shipping and maritime enterprises achieve and maintain nautical resilience in an age of increasing cyber threats.

Aspisec

Aspisec

Aspisec is a cybersecurity company specialized in Firmware Security and Critical Infrastructure Protection.

3Elos

3Elos

3Elos operates in the Information Technology market with a focus on research, development, consulting, marketing and implementation of Information Security solutions.

ENLIGHTENi

ENLIGHTENi

ENLIGHTENi are the platform to develop next-gen talent in Technology, Risk, and Cybersecurity. Our mission is to develop next-gen talent through challenge-based learning and team collaboration.

M2SYS

M2SYS

M2SYS is a worldwide leader in identification and authentication solutions.

Intrinium

Intrinium

Intrinium is an Information Technology and Security Solutions company, providing comprehensive consulting and managed services to businesses of all sizes.

INFRA Security & Vulnerability Scanner

INFRA Security & Vulnerability Scanner

INFRA is a powerful platform with an easy interface for any kind of Ethical Hacking, from corporate monitoring and VAPT (vulnerability assessments and penetration testing) to military intelligence.

Boxphish

Boxphish

Boxphish provides a proven solution to reduce Human Error and Cyber Human Risk via automated learning journeys and intelligent phishing simulations.

Splashtop

Splashtop

Splashtop’s cloud-based, secure, and easily managed remote access solution is increasingly replacing legacy approaches such as virtual private networks.

The Cyber Scheme

The Cyber Scheme

The Cyber Scheme provides NCSC certified and assured assessments, training and career support for security testers & technical cyber professionals.

Forward Networks

Forward Networks

Forward Networks - transforming networks to be more reliable, agile, and secure.

True Corporation

True Corporation

True Corporation is Thailand’s leading Telecom-Tech company, empowering people and businesses with connected solutions that advance society sustainably.