Cloud computing has been woven into the fabric of many businesses’ network infrastructure today, enabling businesses to access software on the Internet as a service, and safely store and share data. By allowing employees to access network services at any time and from any location to complete their tasks, cloud computing has drastically increased efficiency, reduced costs and contributed to business success. However, the convenience of the cloud comes at a price – the data on the cloud is not 100% secure. This raises a critical question – what if bad actors were able to access companies’ greatest assets – their data?
As businesses move more of their business functionalities to the cloud, it is critical to have a strong cloud security strategy to protect their most valuable assets. But how can they get started?
1 WHO: Cloud providers and users – a shared responsibility
Just as cloud providers are responsible for securing the cloud infrastructure hosting the cloud services, businesses that are cloud users are responsible for securing their data and applications stored in that infrastructure. With cybercriminals targeting business applications and stolen credentials, security leaders need to be able to identify these threats and control who is accessing information. The problem is that organisational leadership does not understand the cloud’s shared-responsibility model, and hence the type of security that is available to them. Regardless of the security of the cloud infrastructure, it is imperative that businesses continue to practise good cybersecurity hygiene. The cloud is no more secure than the leadership makes it.
2 WHAT: A renewed approach to security – cloud is not the same as on-prem
With public cloud, businesses do not have much of the physical infrastructure an on-prem set-up normally has – racks of servers, cables, power, etc. Imagine walking into a data center, where one day you have 500 servers and the next day, you have 10. It seems like you were robbed. That is just a normal day in the cloud. With a traditional network infrastructure, if the data center is hit by a distributed denial of service (DDoS) attack, it will be difficult to add 100 physical servers. With cloud, users can click a button to scale up to 1,000 servers and make the DDoS inert, and just pay for the day’s usage. Scaling up can be achieved in a mere two minutes.
3 WHEN: Always on – how automation can be of help
Since cloud services can be accessed anytime, cloud security also knows no rest. Comprehensive automation gets businesses out of the ‘detect and respond’ mindset and into one centered on prevention – stopping the threats before they propagate across the network. A point to note is that automation has to be done in a holistic, end-to-end fashion, and not in a piecemeal manner. The approach for automation needs to include a commitment to automating the entire network stack – infrastructure, applications and devices of every manner and function, and not forgetting business processes. Failure to do so will mean businesses risk building “islands of information” without any clean, efficient, or reliable connectivity among the data.
4 WHERE: In all types of cloud deployments, be it public, private or hybrid
Many businesses now deploy a mixed assortment of cloud applications in the public, private or hybrid cloud. Multi-cloud environments require a greater focus on securing interfaces and APIs, preventing data loss and data breaches, properly managing access and mitigating advanced persistent threats and DDoS attacks. In turn, adequate protection requires businesses to have complete and comprehensive visibility into all cloud assets and cloud services. Building a security infrastructure with a single-pane-of-glass view of all cloud activities brings the business a step closer towards 360-degree cloud security.
5 WHY: Cloud security is a strategic investment, not a sunk cost
Organisational leadership has to see cloud security as a strategic investment, and not a sunk cost. This means seeing the IT staff responsible for cloud security as part of the strategic team, and fully integrating cloud-based security operations or analytics into the overall cybersecurity protocol. This helps to build in the right behaviour profiles for employees, allowing them to understand that security is an integral part of the business and its daily operations, and that adapting to the changes in the landscape is essential. Only with the collective effort of the management and employees can organisations help build and reinforce a culture of cybersecurity.
The cloud landscape is changing rapidly and there are increasingly more risk factors associated with it. These include the rising proportion of data stored in the cloud, much of which is sensitive and compliance-related, the growing percentage of third-party access and risky employee behaviour. Faced with these threats, business and security leaders have to shift their mindset away from seeing cloud security as a mere insurance policy protecting the organisation and its data against disaster. Instead, a more proactive stance should be taken to include cybersecurity planning as part of the cloud adoption process. Collectively, a shared responsibility between both cloud providers and businesses is necessary to secure the journey to the cloud and fully leverage its potential for business success.