Securing the multi-cloud
I think it's reasonably fair to say that cybersecurity teams and the cloud have had a somewhat complicated relationship.
There has always been some tension between security teams and the cloud. Initially, there was a great amount of reluctance to embrace the cloud or to put anything other than non-critical applications into the cloud, as the risks were not well understood.
However, the broader business had other plans. As the economic and operational benefits of the cloud became clearer, business units aggressively drove cloud services adoption across the business. In turn, this forced cybersecurity teams into uncharted territory. As cloud adoption continues to grow, cybersecurity teams need to think differently about cloud – how to allow for adoption (even when it is not always under the watchful eye of IT) while ensuring the cloud is inherently secure.
In one sense, it's been a good but hard lesson for cybersecurity teams, as ultimately not innovating alongside the business has introduced more risk. Rather than waiting for cybersecurity teams to say 'no', business units went ahead and utilised these services without the consent of IT, leaving the organisation somewhat vulnerable.
Despite how simple it is to utilise the cloud (some users might not even realise they are), applying the appropriate security controls is far less easy and requires the development of a cloud cybersecurity strategy and the respective architectural references.
Most cybersecurity practitioners are now grappling with the following: how do we enable the business to consume the cloud services they need, while ensuring the appropriate protection is in place? Put another way, how can we enable the business to innovate and accelerate while ensuring critical assets are kept safe from unnecessary risks?
To be successful with cloud security, a new mindset is required.
Firstly, it starts with cybersecurity teams aligning themselves to what the business is trying to achieve and understanding technology's role in that. Where technology can truly transform a business and propel it forward, cybersecurity teams should be leading the charge. Getting involved early can help to ensure that A) the company is building a cybersecurity-conscious culture and B) DevOps includes security, becoming DevSecOps, so that the technology being built and rolled out is secure by design.
Secondly, cybersecurity teams should take time to understand what is happening in the broader business already. It's important to get a good understanding of the types of cloud services being consumed to build a picture of what your cloud environment looks like, the behaviours that you need to be prepared for, and what your traffic flows look like.
Only then can you build a holistic cloud security strategy for your company. With the previously gathered insights, you'll be able to appreciate what your ideal cloud environment should look like, and how you can support and secure it. It's reasonably safe to say that most will have a hybrid cloud environment, one that utilises multiple public and/or private clouds (on and off-premise).
You should also plan for multiple cloud security use cases or scenarios in your strategy: for example, how you protect your data and applications where the relationship is solely public cloud to public cloud (often referred to as multi-cloud), public to private, or private to private. The strategy should also examine what happens if a new cloud connection is established by someone, somewhere in the business, without IT involvement: how would you know this happened, and how would you go about securing your business as quickly as possible? Finally, to meet data privacy regulations and compliance standards, how do you manage and protect data at rest, in motion and in use?
Ultimately, you'll end up with a multi-layered security approach to the cloud, and be better prepared to align the policies, technologies, controls and processes that make cloud security successful for your business. This approach should be cloud-vendor agnostic, so that you remain flexible in your cloud adoption and utilisation going forward.
While the cloud landscape is still evolving, and while there will always be some element of risk in utilising the cloud, the level of risk is not what it used to be – especially when you engage early, think holistically and build in cybersecurity from the outset.