Security across all areas of an organisation must be a high priority among decision makers, and this is no different when it comes to the cloud.
However, recent research from Seagate saw two thirds of industry professionals working in mid to large-sized businesses report insufficient security, despite security being the most frequently cited driver of data storage policy.
With this in mind, how can decision makers effectively demonstrate cloud security leadership?
Ensuring full visibility
Firstly, business leaders must ensure that employees have full visibility over all cloud operations and applications, from goals to performance.
“Decision makers can demonstrate cloud security leadership in their organisations by gaining full visibility and insight into what the cloud actually means for their organisation,” said Neil Thacker, chief information security officer EMEA at Netskope. “By just focusing on their AWS, Azure or GCP infrastructure or MS365 or GSuite deployment, they are potentially missing over 80% of their cloud estate.
How to gain total asset visibility within your enterprise
“As an example, I have a real-time inventory of all cloud services my organisation is consuming, which often includes 1000+ cloud applications with each one representing a form of risk. A leader should understand the business and technical goal for each application whilst also considering the compliance requirements, user experience, performance, reliability and finally the licensing costs to the business.
“Many of these risks can be overcome using fundamentals such as securing each cloud service, securing the connection to each service, applying threat and data protection to each service and finally ensuring that the consumers of the cloud – the employees – have a secure and performant network to access these services.”
Understanding responsibility
Demonstrating security leadership in this area also involves understanding what aspects of cloud deployment you are responsible for, and taking those responsibilities.
Stuart Reed, UK director at Orange Cyberdefense, explained: “Deciding to harness the power of the cloud should not just be a commercial decision – you should also consider the associated duty of care and the impact it will have on your resources.
“It is vital to remember that outsourcing control does not equal outsourcing responsibility, and leaders should understand which security tasks are handled by the cloud provider and which tasks are handled by you.
“Due diligence is essential – the cloud provider should have at least the same risk framework and controls as you would apply to your own organisation. Ideally, they should be better.
“With growing examples of breaches involving inadequate configuration, it is important to understand how to robustly configure services to ensure optimal performance and security. Demonstrating that security is being wrapped into the heart of cloud projects rather than an adjunct allows security to be an enabler to successful, scalable and sustainable initiatives.”
Lay out a clear strategy
Staying on the relationship between companies and cloud providers, understanding what each side is responsible for should be kept in mind when drawing up a cloud security strategy, so security staff are made clear and kept in the loop.
Which cloud strategy is right for your business in 2020?
“All public cloud providers adopt a shared security responsibility model that is clearly divided between the service provider and the organisation,” said Lori MacVittie, principal technical evangelist, office of the CTO at F5 Networks. “The provider is responsible for cloud infrastructure security. The organisation is responsible for everything else: applications and systems, and there is no singular concept of ‘cloud security’ in this sense.
“This distinction is an important one because, for the most part, IT staff have limited knowledge of cloud infrastructure operations. By clearly dividing the two, leaders establish an understanding that the organisation only has responsibility for the security of the systems and applications under its control. The distinction also shifts the focus to what can be secured by IT, giving them the confidence to progress policies and services that protect applications and systems in the public cloud.
“Leadership must therefore lay out a security strategy that clearly describes both operational and application concerns. For organisations, this means protecting dashboards and consoles, as well as properly adhering to best practices with respect to cloud-provider services (such as Amazon S3). Both are critical components of ‘cloud security’.
“By demonstrating awareness of the shared cloud security responsibility model and providing clear direction on the need to secure apps, systems, and services, leaders will help security practitioners approach cloud security more confidently.”
Automation and DevOps
Automation and DevOps are commonly supported by cloud providers, and these technologies are capable of speeding up the completion of tasks. Additionally, they can allow for automatic security checks, which can free up time for security staff.
Automating the six Cs of DevOps
“Sometimes, showing leadership is about not turning up – because you’ve already got everything in place,” said Mike Bursell, chief security architect at Red Hat. “Automation has to be the name of the game in cloud computing generally, and the same has to go for security in the cloud.
“Your teams expect to be able to automate deployment and operations at scale – that’s why they’re using the cloud – and if they find that security controls are stopping them from moving quickly, then it’s simple: they will work around the security.
“Your security controls need to be integrated into your entire DevOps lifecycle, so that there are no bottlenecks while one of the few security experts in the organisation checks everything before deployment. Instead, security should be part of the life-cycle, built-in and automated, so that security can be managed by exception: your experts are deployed when there’s a problem, and not for the normal, everyday case when everything could actually be ticking along fine if you had automated it.
“This frees your development and operations teams from annoying manual checks, and allows your security experts teams to concentrate on the real concerns: attacks and vulnerabilities.”
Be wary of cloud sprawl
A final aspect of cloud security leadership for decision makers to consider is the possibility of cloud sprawl, according to John Chambers, director of IT, communication and workplace at Ricoh UK.
“Cloud computing should be looked at as a vital long-term investment as it will undoubtedly make life easier for your employees, as well as help prevent security threats,” said Chambers. “What’s more, cloud-based infrastructure can deliver scalability and elasticity to provide the raw compute and storage capacity needed to accommodate seasonal peaks of demand.
“However, care needs to be taken to avoid ‘cloud sprawl’ – where additional resource is activated but not decommissioned when no longer needed which can result in a large unforeseen cost increase.
“Cloud offers real potential for companies to continue functioning in unusual circumstances. It’s important to remember that the only thing working from home is the individual and their device, a majority of the rest of the activity should be taking place in the cloud.
“We like to say that work used to be a place, now it’s something we do that can happen anywhere.”