Cloud security remains a top priority for organizations on their journey to continuous modernization. In fact, 41% of senior executives say security and privacy risks are a top three concern when using cloud to achieve business goals, based on the latest research from HCLTech — Cloud Evolution: Make innovation a habit.
There are several key cloud risks that are hindering organizations in their ability to ensure a secure transformation to cloud:
- Cloud complexity
- Uncontrolled attack surfaces at infrastructure and API levels
- Regulations, compliance and sovereignty — the need to keep data in certain places with certain controls
- Insecure cloud supply chain — security teams don’t have a clear path to remediate security issues
- Resource theft
- Scale of impact — cloud capability and scale can be used against organizations
- The big one — data loss and exfiltration
These risks are compounded by several cloud challenges. These include:
- A lack of visibility — organizations can’t definitively say what they have in cloud. This makes it difficult to control and protect data that resides in the virtual environment
- Policy errors — if organizations can’t define what they expect to see in cloud, how can they protect it?
- A lack of cloud security skills
- Shared responsibility misunderstandings — the complexity of interactions in the cloud means it's difficult to understand who is responsible for what
- A lack of governance or uneven governance controls
- A lack of guardrails, which stems from governance. Any application developer can deploy what they like
- Misconfiguration — if organizations don’t understand cloud, this increases the attack surface and exposes applications to the internet
- Speed of change
The risks and challenges that organizations face in the cloud might be similar to the issues faced in data centers. However, the controls that can be deployed to remediate these risks and challenges are different.
A cloud-ready approach to security
To overcome cloud risks and challenges when it comes to security, Gartner recommends a shared responsibility model, which establishes who looks after different workloads on different cloud services, such as physical infrastructure, virtual networks or applications.
In addition, as demand for cloud security skills has outpaced supply, organizations need to be realistic and strategic with their talent acquisition. To address the lack of skills, there should be a focus on the democratization of technology, which is not only essential to transformation objectives, but also security.
According to Gartner, 41% of employees are business technologists, and this is expected to grow to 77% by 2027. Organizations should create a cloud center of excellence that focuses on upskilling business technologists, security teams and the wider employee base to evangelize cloud security.
Cybersecurity should become business as usual, everywhere, enabling employees to make cyber-risk informed decisions autonomously.
Looking at protecting applications in cloud, organizations can embrace Cloud-Native Application Protection (CNAPP). This is a fusion of posture management and a convergence of capability for maintaining compliance and workload protection across applications, APIs and network segments. There is an argument, however, that this product category is getting overcrowded with too many capabilities.
Interestingly, the type of cloud transformation affects the security approach. For example, a lift and shift — moving an application or workload from one IT environment to another — would require CNAPP or extending existing on-premises security, while replatforming, also known as move and improve, requires container-focused workload protection.
A cloud secure future with zero-trust
Emerging trends in the world of cloud security, such as platform engineering, the rise of artificial intelligence (AI) and ML to gain better insights and contextual analysis, and security tool convergence, are accelerating at scale.
To cope with this speed of change, organizations need to prioritize stress and risk testing, security governance, visibility and cloud detection and response.
The adoption of the cloud should also be viewed as a catalyst to adopt a zero-trust architecture by default, which can be used to own, control and monitor identity and privileged access.
Explaining how HCLTech can help organizations deploy zero-trust solutions, Prashant Mascarenhas, Vice President - Cybersecurity & GRC Services, says: “HCLTech is well poised to support our enterprise customers in deploying zero trust solutions. We have built mature practices and have a very large infrastructure, cloud, application and data security practice.”
He adds: “In recent times, we've invested in taking our knowledge of IT security and applying it to OT environments and we have significant experience in governance, risk and compliance, both from an internal compliance standpoint on security policies and for regulatory compliance that enterprises need to meet. We also have a strong foundation for delivering Identity Access Management, which underpins zero-trust. HCLTech continues to make investments in this space, and we work very closely with our customers to partner with them through that journey.”