Pivoting Customers' Mindsets For Cloud Security

Cloud is a major component in digital transformation, yet many companies are still stuck in old ways of thinking and, as a result, make common mistakes. When these businesses increase cloud capability and cloud velocity, they often create new risk areas outside their familiarity. 

Application developers have been quick to adopt cloud computing over the last decade due to the growing need for speed when coding, which sluggish digital infrastructures fail to support, especially in the move from development to testing to production. As Agile and DevOps methodologies become mainstream, businesses must view the cloud as the future.

The concerns, challenges, and risks of using cloud computing differ from legacy on-premise environments, which many businesses still use. On-premise tasks do not automatically transport to the cloud, so companies must continuously evolve and adapt. There are also risks involved when relying on a singular provider when outages occur, such as when customers were left helpless and locked in when Amazon Web Services experienced an incident in December 2021. Cloud providers secure servers and infrastructures, but many breaches occur because of misconfiguration, poor architecture, and complexity in hybrid and multi-cloud environments. The responsibility for these items resides with the client and not necessarily the cloud service provider.

Managing Cyber Risks

Cloud Security Alliance - the world's leading organisation dedicated to defining standards, certifications, and best practices to help ensure a secure cloud computing environment - highlighted the top 11 concerns that CISOs, CTOs, and CIOs have around cloud consumption. They are known as the Egregious 11:

1.    Data breach
2.    Misconfiguration and inadequate change control
3.    Lack of cloud security architecture and strategy
4.    Insufficient identity, access, key management
5.    Account hijacking
6.    Insider threat
7.    Insecure interfaces and APIs
8.    Weak control plane
9.    Metastructure and applistructure failures
10.  Limited cloud usage visibility
11.  Abuse and nefarious use of cloud services

To meet executive goals, companies often wrapper their data centre's current capabilities and try to lift and shift, and transport that into a cloud ecosystem. There are many advantages and disadvantages to that, which organisations need to understand.

This can often be riddled with some legacy, technical debt that is unsuitable for the cloud as it increases cyber risk.

Decision makers must understand what their needs are from an engineering velocity perspective and be able to architect that to design security compliance capabilities accurately upfront in the system development lifecycle.

Many organisations are developing a multi-cloud, multi-year strategy, leveraging IaaS (Infrastructure-as-a-Service), SaaS (Software-as-a-Service), PaaS (Platform-as-a-Service) in addition to Infrastructure-as-Code. While this approach provides diversification benefits, the cyber risks become more complex because ascertaining identities to provide access to the relevant data or capability becomes harder.

The 'Egregious 11' correctly pinpoints that businesses today lack a clear cloud security architecture or identity strategy. Identity can refer to people, machines, and solutions – the key to success is efficiently and safely ensuring that all relevant identities can access resources and that there is a plan of action when a bad actor takes over. They can infiltrate cloud systems by targeting the identification gaps. As application developers work to meet deadlines, they often neglect their security and compliance colleagues that are scrambling to protect their digital footprint across several clouds. Organisations also must move to a "shift left" culture, building security into the application development lifecycle. As cloud complexity and identities rise, organisations struggle to manage cloud configuration and monitoring effectively. 

Growing Cloud Visibility

Whilst cloud migration promises to cut costs, increase speed, and enhance operational performance, the financial, reputational, and material fallout of cyber vulnerabilities that result from poorly executed clouds equally dwarf business leaders. A lack of foresight over identity governance and access in a fragmented cloud environment can cause irreparable damage to a business.

Intra-cloud resilience is made possible when there is full visibility and transparency in the cloud; only then can organisations establish guardrails or swim lanes for controlling how data can be accessed and by whom. Cybersecurity must be embedded into a company's cloud roadmap.

Security teams require clear graphical visualisations of how data and identities are intertwined to ensure maturity levels can be baselined and enforced. This helps organisations to prioritise identity, data classification, and entitlement (access) enforcement as baseline controls for their multi-cloud security strategy. 

Customers, whether they are SMEs or large enterprises, are going to use more than one cloud, which means they must have a clear view of what 'multi-cloud' looks like and secure access to the right architecture and strategy to gain the maximum benefits of cloud: without compromising operational and cyber resilience.

Businesses need to remember to 'shift left' and design security upfront into the process, as cyber criminals rely on corporate leaders to move fast and overlook the basics. 

JD Sherry is Client Partner at ISTARI

You Might Also Read:

Cybersecurity Essentials For Cloud Environments:

 

« Modernising SecOps: It’s Time To Unpick The Complex Matrix
Blockchain Is The New IoT Standard »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

FT Cyber Resilience Summit: Europe

FT Cyber Resilience Summit: Europe

27 November 2024 | In-Person & Digital | 22 Bishopsgate, London. Business leaders, Innovators & Experts address evolving cybersecurity risks.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Nixon Peabody LLP

Nixon Peabody LLP

Nixon Peabody LLP is an international law firm with offices across the USA, Europe and Asia. Practice areas include Data Privacy and Cyber Security.

Arxan Technologies

Arxan Technologies

Arxan is a leader of application attack-prevention and self-protection products for Internet of Things (IoT), Mobile, Desktop, and other applications.

AllegisCyber Capital

AllegisCyber Capital

AllegisCyber is an investment company with a focus on seed and early stage investing in cybersecurity and its applications in emerging technology markets.

Totalsec

Totalsec

Totalsec is a Grupo Salinas company with a team of professionals in cybersecurity and information security providing Security Consulting, Solutions Integration, and Managed Security Services.

Hysolate

Hysolate

Hysolate has transformed the endpoint, making it the secure and productive environment it was meant to be.

Granted Consultancy

Granted Consultancy

Granted Consultancy is a business consultancy that specialises in securing funding to support companies with the development and commercialisation of new and innovative products and technologies.

Amadeus Capital Partners

Amadeus Capital Partners

Amadeus Capital Partners offers over 20 years’ experience in technology investment. Our areas of focus include AI & machine learning and cyber security.

Randstad

Randstad

Randstad provide outsourcing, staffing, consulting and workforce solutions in the USA across a wide range of job sectors including IT and cybersecurity.

TierPoint

TierPoint

TierPoint delivers secure, reliable, and connected infrastructure solutions at the internet’s edge. We meet you where you are in your journey to solve for data storage, compute, and recovery.

IntelliGenesis

IntelliGenesis

IntelliGenesis provide comprehensive cyber, data science, analysis, and software development services that provide tailored, secure solutions for your critical data and intelligence needs.

Crowe

Crowe

Crowe is a public accounting, consulting, and technology firm that combines deep industry and specialized expertise with innovation.

Open Web Application Security Project (OWASP)

Open Web Application Security Project (OWASP)

The Open Web Application Security Project (OWASP) is a nonprofit foundation that works to improve the security of software.

Oort

Oort

Oort is an identity threat detection and response platform for enterprise security. The Oort platform is API-driven, cloud-native and agentless for rapid time to value and high scalability.

Rampart AI

Rampart AI

Tackling DevSecOps Issues In Application Security. Rampart has revolutionized the shift left security approach, applying zero-trust to application development.

Port-IT

Port-IT

Port-IT is a leading partner in cybersecurity solutions tailored for the maritime industry.

Odaseva

Odaseva

Odaseva delivers the strongest data security solution for enterprises running on Salesforce, safeguarding confidentiality and integrity of critical business information.