Why Zero Trust is critical in solving Australia’s cloud security woes
When the cloud first went mainstream almost two decades ago, it was seen as a cutting-edge business enabler. Holding true to that promise, the cloud has become the backbone of modern business, and its role as a principal data repository has never been more crucial.
However, a heavy reliance on the cloud has stretched today's attack surface far beyond imagination. In fact, recent research from Vanson Bourne and Illumio revealed that nearly half of all data breaches in Australia originate in the cloud, and more than 6 in 10 Australian respondents believe cloud security is lacking and poses a severe risk to their business operations. Cloud breaches bring with them immense financial repercussions and significant losses in consumer trust, with local organisations suffering an average loss of roughly AUD $4.9M per breach.
It's clear that as the attack surface posed by the cloud widens and expands, traditional cloud security practices are failing modern enterprises. Cloud usage is ubiquitous today, yet security teams are still struggling to secure their hybrid and multi-cloud environments, putting customers and other critical business stakeholders at risk.
Why is it that traditional security measures are failing in the cloud? And with so many operations now dependent on the cloud, how can organisations build resilience where they're currently most vulnerable?
The high stakes of cloud security
Despite its prevalence over the past few years, there's still misconceptions and confusion around ownership in the cloud. Companies that use different cloud systems and vendors to store their most valuable data often believe they're offloading security responsibilities to the cloud service provider. But the reality is that the entity that stores, processes, or transmits the data is responsible for the protection of that information. So, when a breach occurs, the accountability and consequences almost always come back to the business itself.
Instead of thinking of the shared responsibility model in the context of the cloud, it's best to consider it as an uneven handshake – where your organisation is responsible for securing the data that you put into the cloud, while the cloud provider is responsible for maintaining the underlying infrastructure.
That's why investing in robust cloud security is essential. It's the responsibility of both parties to ensure the cloud is properly secured. And organisations that haven't been prioritising cloud security up until now are already behind the curve. First, there are the obvious stakes associated with neglecting the cloud, including putting financial and other sensitive business resources at risk. Plus, ongoing cloud adoption and migration efforts continue to heighten risks in the cloud.
Breaches in the cloud don't just threaten data, they jeopardise trust and revenue-generating operations as well. In fact,
Illumio's Cloud Security Index shows that 39% of Australian security decision-makers specify reputational damage and the loss of trust as the main consequence of a cloud breach, with 35% being primarily concerned with the loss of revenue-generating services. This shows that local businesses are placing an equal or higher premium on reputation damage than on immediate financial implications – suggesting that while revenue can be recouped, businesses believe restoring tarnished reputations presents a far more challenging endeavour.
We know that today, cyberattacks are inevitable, especially in the cloud. So, the ability to contain cloud-based attacks, limit their impact, and keep critical assets safe and operations running – even while under attack – is mission critical.
Where traditional cloud security models fall short
Legacy systems like firewalls and intrusion detection solutions have proven that alone, they're unable to cope with the dynamic and intricate nature of the modern cloud. And using static solutions to respond to today's prolific, innovative cloud-based attacks will never work.
While organisations may attempt to apply these outdated security paradigms to modern cloud environments, the cloud's agility and scalability demand equally adaptive measures. We saw that 95% of security decision-makers in Australia agree they need better visibility across cloud infrastructure and faster reaction times to breaches to bolster their resilience in the cloud.
Even more concerning, close to three-quarters think their company's security function is slowing down cloud adoption. In response, businesses are developing mission-critical applications in the cloud with virtually no advanced security precautions — a dangerous precedent since business transformation and security implementation must go hand in hand for organisations to innovate and grow securely.
Businesses must embrace a more dynamic security model for the cloud – coupled with real-time security solutions that provide visibility and don't restrict efficiency – if they want to secure the cloud. This is where the Zero Trust framework can be effective.
Zero Trust Segmentation – Building resilience in cloud security
It's evident that organisations need a stronger operational framework that allows them to reduce risk and secure cloud resources in a more cost-effective and proactive way, and that's exactly what Zero Trust is designed to do.
The Zero Trust framework, which I designed as a Forrester analyst nearly a decade ago, is based on the premise that no user or asset is to be implicitly trusted. It also advocates for organisations to operate under the assumption that a breach has already occurred (or inevitably will occur) and, therefore, proactively limit access so that not every user, device, or application has carte blanche access to the entire network or enterprise. In essence, all users must be continuously verified to shrink the attack surface.
Zero Trust tools like Zero Trust Segmentation (also known as microsegmentation) play a vital role in helping organisations comply with and meet their Zero Trust objectives.
Segmentation enables organisations to adapt quickly and effectively to the cloud's inherent complexities, providing dynamic and responsive security that matches the fluid nature of cloud-based operations. In compliance with the Zero Trust framework, segmentation is designed to help modern enterprises detect and quickly isolate critical assets within the cloud when compromised, reducing the attack surface and eliminating the risk of lateral movement.
As security leaders increasingly shift their focus to minimising the 'blast radius' of an attack, 98% of IT and security leaders in Australia believe that segmenting critical assets is a necessary step to secure cloud-based projects.
Overall, as businesses continue to harness and operate in the cloud at scale, it's clear that cloud security demands a radical rethinking of our security strategies, with Zero Trust leading the charge. It's imperative for organisations looking to navigate the complexities of the cloud to be able to safeguard their most valuable assets as new threats evolve. By implementing dynamic defences like segmentation, organisations can ensure their move to the cloud does not compromise their security posture. Instead enhancing their ability to respond to and recover quickly from incidents, ensuring their next breach does not jeopardise their most critical assets, reputation, and trust.