Exclusive: Climbing a cloud security mountain




“Computing may someday be organised as a public utility just as the telephone system is a public utility” - Prof. John McCarthy at MIT’s centennial celebration in 1961.

The idea of cloud computing isn’t new, though it took several decades for it to become a commercial phenomenon. Today, cloud has become an integral part of enterprise business strategy. Research firm Gartner predicts that 85% of organisations will embrace a cloud-first principle by 2025 and estimates that over 95% of new digital workloads will be deployed on cloud-native platforms, up from 30% in 2021.

Organisations have accelerated digitisation and cloud transformation rapidly in the last two years to offer customers digital services from anywhere while balancing cyber resilience requirements. Technologies for security and privacy have evolved to the next level to support such a high-velocity transition to the cloud.

As more people have started to trust their data, business and personal information to the data centres that power the cloud, it’s ushered in a new era of cybersecurity. The cloud has some built-in advantages. Unlike the internet in general, it was built from the ground up with modern security and privacy in mind. It’s also a controlled ecosystem protected by people who spend all day thinking about data security and privacy.

Organisations continue to run their workloads on hybrid cloud (a combination of workloads on cloud and on-premises), while most of them are interested in using multiple cloud platforms instead of just one. The first reason (29%) for favouring multi-cloud deployment is to get the best technical features from each cloud platform. For example, organisation A uses IaaS services from Amazon Web Services (AWS), office utility services as Software as a Service (SaaS) from Microsoft Azure and a business analytics platform on Google Cloud Platform (GCP). In this example, the organisation built a best-fit technology combination based on its skills, high-availability requirements and compatibility with the technology it already uses, instead of relying on one provider.

Not surprisingly, avoiding vendor lock-in, the most quoted explanation for a multi-cloud strategy, is the second reason (21%). Organisations are interested in having higher portability and flexibility without getting locked into one cloud platform. Some companies are ready to trade off unique vendor functionalities for better portability.

The third reason (16%) is a regulatory requirement to avoid cloud concentration risk. Regulators are concerned about business resilience and the operational risks of over-reliance on one service provider to support key business services, where any adverse effect on the Cloud Service Provider (CSP) could heavily impact the business.

A key concern in taking advantage of multi-cloud is skill availability (26%). Finding technology abilities and experienced staff across multiple cloud platforms is a tough ask. Other skill-related challenges are the capability to understand architectural differences between cloud platforms (22%) and the complexity of managing security controls (18%) among a wide variety of services and products on different cloud providers. Getting comprehensive oversight of resources, governance and risk across multiple cloud platforms and on-premises is the next important challenge (20%).

With increased adoption of multiple public providers, developers face the challenge of keeping code consistent across diverse platforms with diverse interaction points. Automating security testing in continuous integration and continuous code development, and during containerisation, helps reduce risk exposure.

One of the favourite flavours of cloud adoption is private cloud (30%), among other deployment models such as hybrid cloud, public cloud and on-premises. The key reasons for choosing private cloud are mainly data residency, data sovereignty requirements or local regulations.

Privacy by design

Privacy by design is still largely in the development stage, with two thirds of organisations (65%) either currently building or planning to build their strategies, and very few (8%) having a fully planned privacy by design strategy. This is no surprise considering the stronger regulations around privacy that have been enforced in the last three years (e.g. Global Data Privacy Regulations (GDPR) in 2018, Central Consumer Protection Authority (CCPA) in 2020), and organisations are picking up the speed of deployment as time goes by.

The most mature category within data privacy by design was, unsurprisingly, regulatory compliance. Over the years, national and international laws and regulations have been the most influential drivers of privacy compliance. It is a revelation that data discovery and governance have still not reached maturity, according to the majority of respondents (60%). There is a lot of scope for improvement in this area, considering that governance and oversight is one of the concerns for multi-cloud adoption too.

With the continuous evolution of cloud, a few technology concepts are clearly influencing what organisations plan to implement in the next two years. The top influencing concepts are zero trust (60%), artificial intelligence (AI) or machine learning (43%) and serverless computing (42%).

Cloud security is a long game. To do it right, you need to constantly be investing in both the safeguards people need now and the protection they’ll need a year or even a decade from now. That means anticipating both what new technology or capability customers will want to use in the cloud, as well as what new exploits criminals will come up with to try to gain unwanted access to their data.

But you could also call it a never-ending game because it’s not a fight that anyone – the lawyers, the engineers, the researchers and the security gurus – ever expects to end.

For every bad guy the good guys catch, there’s another one waiting in the wings. What’s more, they’re using the same technological advantages the security experts are using.

By Kapil Bareja, Cybersecurity Thought Leader
