Pivoting Customers' Mindsets For Cloud Security

Cloud is a major component in digital transformation, yet many companies are still stuck in old ways of thinking and, as a result, make common mistakes. When these businesses increase cloud capability and cloud velocity, they often create new risk areas outside their familiarity. 

Application developers have been quick to adopt cloud computing over the last decade due to the growing need for speed when coding, which sluggish digital infrastructures fail to support, especially in the move from development to testing to production. As Agile and DevOps methodologies become mainstream, businesses must view the cloud as the future.

The concerns, challenges, and risks of using cloud computing differ from legacy on-premise environments, which many businesses still use. On-premise tasks do not automatically transport to the cloud, so companies must continuously evolve and adapt. There are also risks involved when relying on a singular provider when outages occur, such as when customers were left helpless and locked in when Amazon Web Services experienced an incident in December 2021. Cloud providers secure servers and infrastructures, but many breaches occur because of misconfiguration, poor architecture, and complexity in hybrid and multi-cloud environments. The responsibility for these items resides with the client and not necessarily the cloud service provider.

Managing Cyber Risks

Cloud Security Alliance - the world's leading organisation dedicated to defining standards, certifications, and best practices to help ensure a secure cloud computing environment - highlighted the top 11 concerns that CISOs, CTOs, and CIOs have around cloud consumption. They are known as the Egregious 11:

1.    Data breach
2.    Misconfiguration and inadequate change control
3.    Lack of cloud security architecture and strategy
4.    Insufficient identity, access, key management
5.    Account hijacking
6.    Insider threat
7.    Insecure interfaces and APIs
8.    Weak control plane
9.    Metastructure and applistructure failures
10.  Limited cloud usage visibility
11.  Abuse and nefarious use of cloud services

To meet executive goals, companies often wrapper their data centre's current capabilities and try to lift and shift, and transport that into a cloud ecosystem. There are many advantages and disadvantages to that, which organisations need to understand.

This can often be riddled with some legacy, technical debt that is unsuitable for the cloud as it increases cyber risk.

Decision makers must understand what their needs are from an engineering velocity perspective and be able to architect that to design security compliance capabilities accurately upfront in the system development lifecycle.

Many organisations are developing a multi-cloud, multi-year strategy, leveraging IaaS (Infrastructure-as-a-Service), SaaS (Software-as-a-Service), PaaS (Platform-as-a-Service) in addition to Infrastructure-as-Code. While this approach provides diversification benefits, the cyber risks become more complex because ascertaining identities to provide access to the relevant data or capability becomes harder.

The 'Egregious 11' correctly pinpoints that businesses today lack a clear cloud security architecture or identity strategy. Identity can refer to people, machines, and solutions – the key to success is efficiently and safely ensuring that all relevant identities can access resources and that there is a plan of action when a bad actor takes over. They can infiltrate cloud systems by targeting the identification gaps. As application developers work to meet deadlines, they often neglect their security and compliance colleagues that are scrambling to protect their digital footprint across several clouds. Organisations also must move to a "shift left" culture, building security into the application development lifecycle. As cloud complexity and identities rise, organisations struggle to manage cloud configuration and monitoring effectively. 

Growing Cloud Visibility

Whilst cloud migration promises to cut costs, increase speed, and enhance operational performance, the financial, reputational, and material fallout of cyber vulnerabilities that result from poorly executed clouds equally dwarf business leaders. A lack of foresight over identity governance and access in a fragmented cloud environment can cause irreparable damage to a business.

Intra-cloud resilience is made possible when there is full visibility and transparency in the cloud; only then can organisations establish guardrails or swim lanes for controlling how data can be accessed and by whom. Cybersecurity must be embedded into a company's cloud roadmap.

Security teams require clear graphical visualisations of how data and identities are intertwined to ensure maturity levels can be baselined and enforced. This helps organisations to prioritise identity, data classification, and entitlement (access) enforcement as baseline controls for their multi-cloud security strategy. 

Customers, whether they are SMEs or large enterprises, are going to use more than one cloud, which means they must have a clear view of what 'multi-cloud' looks like and secure access to the right architecture and strategy to gain the maximum benefits of cloud: without compromising operational and cyber resilience.

Businesses need to remember to 'shift left' and design security upfront into the process, as cyber criminals rely on corporate leaders to move fast and overlook the basics. 

JD Sherry is Client Partner at ISTARI

You Might Also Read:

Cybersecurity Essentials For Cloud Environments:

 

« Modernising SecOps: It’s Time To Unpick The Complex Matrix
Blockchain Is The New IoT Standard »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Blue Solutions

Blue Solutions

Blue Solutions is a consultancy-led, accredited software distributor who provides IT solutions and support to small and medium enterprises.

ZDL Group

ZDL Group

At ZDL (formerly ZeroDayLab) we take a comprehensive view of our clients cyber security risks and provide quality services to address those risk

XenArmor

XenArmor

XenArmor products include NetCertScanner, an enterprise software to scan & manage expired SSL Certificates on your local network or internet.

Fortress Group

Fortress Group

Fortress is specialized in confidential and discrete recruitment solutions and temporary staffing in the field of security and risk management.

Enosys Solutions

Enosys Solutions

Enosys Solutions is an IT security specialist with a skilled professional services team and 24x7 security operations centre servicing corporate and public sector organisations across Australia.

Deceptive Bytes

Deceptive Bytes

Deceptive Bytes provides an Active Endpoint Deception platform that dynamically responds to attacks as they evolve and changes their outcome.

BI.ZONE

BI.ZONE

BI.ZONE creates high-tech products and solutions to protect IT infrastructures and applications, and provides services from cyber intelligence and proactive defence to cybercrime investigation.

SterlingRisk Programs

SterlingRisk Programs

SterlingRisk’s Cyber practice brings experience working with a wide array of clients across a broad spectrum of industries.

Urbane Security

Urbane Security

Urbane Security is a premier information security consultancy empowering the Fortune 500, small and medium enterprise, and high-tech startups.

NOW Insurance

NOW Insurance

NOW Insurance provides small business owners and other professional classes with a seamless purchasing experience for general liability, professional liability, and cybersecurity insurance coverage.

Luxembourg House of Financial Technology (LHoFT)

Luxembourg House of Financial Technology (LHoFT)

Offering start-up incubation, co-working spaces including a soft-landing platform, the LHoFT connects and creates value for the entire Luxembourg FinTech ecosystem.

HarfangLab

HarfangLab

HarfangLab develops a hunting software to boost detection and neutralization of cyberattacks against companies endpoints.

VISO Cyber Security

VISO Cyber Security

VISO provide Cyber Security Consulting and CISO as a Service to companies who need to augment their leadership teams with information security expertise.

PolySwarm

PolySwarm

PolySwarm is a crowdsourced threat intelligence marketplace that provides a more effective way to detect, analyze and respond to the latest threats.

Stack Identity

Stack Identity

Stack Identity protects access to cloud data by prioritizing identity and access vulnerabilities via a live data attack map.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.