Pivoting Customers' Mindsets For Cloud Security

Uploaded on 2022-09-28 in TECHNOLOGY--Resilience, FREE TO VIEW

Cloud is a major component in digital transformation, yet many companies are still stuck in old ways of thinking and, as a result, make common mistakes. When these businesses increase cloud capability and cloud velocity, they often create new risk areas outside their familiarity. 

Application developers have been quick to adopt cloud computing over the last decade due to the growing need for speed when coding, which sluggish digital infrastructures fail to support, especially in the move from development to testing to production. As Agile and DevOps methodologies become mainstream, businesses must view the cloud as the future.

The concerns, challenges, and risks of using cloud computing differ from legacy on-premise environments, which many businesses still use. On-premise tasks do not automatically transport to the cloud, so companies must continuously evolve and adapt. There are also risks involved when relying on a singular provider when outages occur, such as when customers were left helpless and locked in when Amazon Web Services experienced an incident in December 2021. Cloud providers secure servers and infrastructures, but many breaches occur because of misconfiguration, poor architecture, and complexity in hybrid and multi-cloud environments. The responsibility for these items resides with the client and not necessarily the cloud service provider.

Managing Cyber Risks

Cloud Security Alliance - the world's leading organisation dedicated to defining standards, certifications, and best practices to help ensure a secure cloud computing environment - highlighted the top 11 concerns that CISOs, CTOs, and CIOs have around cloud consumption. They are known as the Egregious 11:

1.    Data breach
2.    Misconfiguration and inadequate change control
3.    Lack of cloud security architecture and strategy
4.    Insufficient identity, access, key management
5.    Account hijacking
6.    Insider threat
7.    Insecure interfaces and APIs
8.    Weak control plane
9.    Metastructure and applistructure failures
10.  Limited cloud usage visibility
11.  Abuse and nefarious use of cloud services

To meet executive goals, companies often wrapper their data centre's current capabilities and try to lift and shift, and transport that into a cloud ecosystem. There are many advantages and disadvantages to that, which organisations need to understand.

This can often be riddled with some legacy, technical debt that is unsuitable for the cloud as it increases cyber risk.

Decision makers must understand what their needs are from an engineering velocity perspective and be able to architect that to design security compliance capabilities accurately upfront in the system development lifecycle.

Many organisations are developing a multi-cloud, multi-year strategy, leveraging IaaS (Infrastructure-as-a-Service), SaaS (Software-as-a-Service), PaaS (Platform-as-a-Service) in addition to Infrastructure-as-Code. While this approach provides diversification benefits, the cyber risks become more complex because ascertaining identities to provide access to the relevant data or capability becomes harder.

The 'Egregious 11' correctly pinpoints that businesses today lack a clear cloud security architecture or identity strategy. Identity can refer to people, machines, and solutions – the key to success is efficiently and safely ensuring that all relevant identities can access resources and that there is a plan of action when a bad actor takes over. They can infiltrate cloud systems by targeting the identification gaps. As application developers work to meet deadlines, they often neglect their security and compliance colleagues that are scrambling to protect their digital footprint across several clouds. Organisations also must move to a "shift left" culture, building security into the application development lifecycle. As cloud complexity and identities rise, organisations struggle to manage cloud configuration and monitoring effectively. 

Growing Cloud Visibility

Whilst cloud migration promises to cut costs, increase speed, and enhance operational performance, the financial, reputational, and material fallout of cyber vulnerabilities that result from poorly executed clouds equally dwarf business leaders. A lack of foresight over identity governance and access in a fragmented cloud environment can cause irreparable damage to a business.

Intra-cloud resilience is made possible when there is full visibility and transparency in the cloud; only then can organisations establish guardrails or swim lanes for controlling how data can be accessed and by whom. Cybersecurity must be embedded into a company's cloud roadmap.

Security teams require clear graphical visualisations of how data and identities are intertwined to ensure maturity levels can be baselined and enforced. This helps organisations to prioritise identity, data classification, and entitlement (access) enforcement as baseline controls for their multi-cloud security strategy. 

Customers, whether they are SMEs or large enterprises, are going to use more than one cloud, which means they must have a clear view of what 'multi-cloud' looks like and secure access to the right architecture and strategy to gain the maximum benefits of cloud: without compromising operational and cyber resilience.

Businesses need to remember to 'shift left' and design security upfront into the process, as cyber criminals rely on corporate leaders to move fast and overlook the basics. 

JD Sherry is Client Partner at ISTARI

You Might Also Read:

Cybersecurity Essentials For Cloud Environments:

 

« Modernising SecOps: It’s Time To Unpick The Complex Matrix
Blockchain Is The New IoT Standard »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

DCL Search & Select

DCL Search & Select

DCL Search & Selection connect candidates to the best companies in the IT Security, Telco, UC, Outsourcing, ERP, Audit & Control markets.

Device Authority

Device Authority

Device Authority specialises in security automation for the Internet of Things (IoT).

Conceptivity +360 Cybersecurity

Conceptivity +360 Cybersecurity

Conceptivity +360 Security addresses advanced cybersecurity and supply chain security issues in policy, regulatory, legislation, standardisation, compliance and project management areas.

SySS

SySS

SySS is a market leader in penetration testing in Germany and Europe.

Cyber Base

Cyber Base

Cyber Base is an Information Technology company based in Uganda providing software and hardware solutions to clients.

ProcessUnity

ProcessUnity

ProcessUnity is a leading provider of Third-Party Risk Management software, helping companies remediate risks posed by third-party service providers.

Etonwood

Etonwood

Etonwood specialises in infrastructure and vendor technology recruitment in areas including cloud platforms, cyber security and service management.

Boeing

Boeing

Boeing is the world's largest aerospace company and leading manufacturer of commercial jetliners, defense, space and security systems.

ITTAS

ITTAS

ITTAS is a multidisciplinary company specializing in information security and software and hardware protection software.

Blaick Technologies

Blaick Technologies

Blaick is an Israeli cyber-security company which deploys proprietary Artificial Intelligence threats detection technology for early prevention of online cyber crime.

SuperCom

SuperCom

SuperCom are a global secure solutions integrator and technology provider for governments and other consumers facing organizations around the world.

1Kosmos

1Kosmos

1Kosmos provide Digital Identity and Passwordless Authentication for workforce and customers. Powered by advanced biometrics and blockchain technology.

Internet Crime Complaint Center (IC3)

Internet Crime Complaint Center (IC3)

The Internet Crime Complaint Center provide the public with a reporting mechanism to submit information to the FBI concerning suspected Internet-facilitated criminal activity.

Internet Security Research Group (ISRG)

Internet Security Research Group (ISRG)

ISRG's mission is to reduce financial, technological, and educational barriers to secure communication over the Internet.

The Cyber Guild

The Cyber Guild

The Cyber Guild is a not-for-profit organization working to improve the understanding and practice of cybersecurity, and to help raise awareness and education for all.

Robust Intelligence

Robust Intelligence

Robust Intelligence enables enterprises to secure their AI transformation with an automated solution to protect against security and safety threats.