Securing the cloud: How to mitigate a deluge of disruption
The resilience of almost every kind of IT system was tested last year, when thousands upon thousands of organisations accelerated their move towards the cloud, drawn to its efficiency and innovation in a time when digital transformation was all but a necessity.
Those who had already begun their foray into the cloud by the time the pandemic was in full swing fared better initially; digital laggards, however, were reminded of the importance of resilience, agility, adaptability and scalability.
But, although many companies are realising benefits as a result of their cloud adoption, including emerging technologies like AI and automation, only 40% are achieving the ‘full value expected of their cloud investments’, according to new research from Accenture.
Much of this discontent stems from the security and compliance risks that many see as barriers to cloud adoption. Combined with the complexity of hybrid- and multi-cloud environments and a shortage of skills, these concerns can be significant roadblocks to a cloud-first journey.
It's why entire industries are now shaped around cloud security, with coordinated strategies, nimble governance models, and linear alignment across the organisation — all prioritising a protected environment.
There are many avenues to take to achieve adequate cloud security, with different methods suited to different organisations. But a universal technique should be employed early on by all those embarking on their cloud journey: making the journey itself secure by design.
How do organisations go about this? First, says Accenture, they must confront three disparate challenges:
According to 65% of senior IT executives, security and compliance risk is the single greatest barrier to realising the full benefits of the cloud. Governance risk frameworks, close monitoring and remediation of anomalies must be prioritised to maintain compliance in 2021.
It's not enough to send alerts to flag vulnerabilities. CISOs must establish guardrails so risks can be identified and mitigated before they happen, and steps should be taken to institute continuous or automatic enforcement of policies.
Among the most significant cloud vulnerabilities is the misconfiguration of cloud resources, especially with the rapid evolution of cloud strategies as hybrid and multi-cloud approaches become more popular.
Asset and configuration controls must be defined early and automated configuration used to enable successful cloud migration that has security baked in from the start.
One of the many lessons learned by CISOs in 2020 was that the industry did not have enough cloud cybersecurity talent. Organisations should learn from this lesson, and divert more resources into ensuring the right skills are in the right place.
This high demand and limited supply have increasingly forced CISOs to become creative in attracting and retaining the skills needed for the journey to a secure cloud. Creativity is especially important as ready-made cloud security skills are hard to come by — the right talent needs to be sought out and properly trained to become a real asset.
But what is the ‘right’ talent? Increasingly, the evidence is pointing to those with experience in development.
Many developers are starting to recognise that security skills are a valuable addition to their own skill sets. As the distribution of security controls reaches developers working with automated infrastructure and application pipelines, there is a natural extension of security capabilities into other business areas.
Hybrid cloud, multi-cloud and platform-as-a-service (PaaS) have gradually become the dominant settings for cloud environments, replacing the traditional focus on lift and shift point-in-time virtual machines.
This has resulted in a much more complex framework, and both transparency and a formal strategy must be applied to avoid poor communication, higher costs, a reactive approach to security, and other drawbacks.
This is why CISOs must embed security consistently into the cloud environment. Too often, it is added at the end of the cloud-first journey and can delay business outcomes — or result in having to do the work all over again.
The cloud should be treated similarly to the rest of the software development lifecycle: continually making changes as needed — by checking in and checking out code.
If systems aren't adequately monitored, it can be a slippery slope towards weak governance, poor alignment and widening skill gaps, which could, in turn, lead executives to look upon security as the function holding the business back.
Accenture Cloud first lead for ANZ Matthew Coates says this is easier said than done, given many organisations' attitudes towards their cloud security frameworks.
“We need a single sheet of glass for visibility into our vulnerabilities but right now many enterprises with multi-cloud instances are looking through a mosaic,” says Coates.
Incidentally, 95% of Accenture's own applications are in the cloud and supported by the platform economy, Coates says. This allows the company several benefits through its cloud-native security environment, including:
Workforce and team strategy to optimise the current onshore-offshore operating model
Smart working using Infrastructure as Code reduces employee travel to client sites and deployment lengths
Digital ways of working to drive collaboration, innovation, flexibility and value-driven purpose
Reduced talent acquisition spend through better attraction and retention of talent.
When contemplating the security of their cloud journeys, CISOs should ensure they know their cloud security posture, automate native security where possible, become proactive with compliance, and employ security monitoring and response.
There are many avenues to take when embarking on a security-focused cloud journey, and given the current landscape of global cybersecurity, CISOs should take care in choosing their path.
To learn more, read Accenture's full report.