Cloud has become a must for any organization looking to accelerate collaboration and innovation, particularly in a world in which so much work is being done virtually. Many organizations are adopting cloud technologies to increase their agility and resilience, as well as control costs—but security and privacy threats are also increasing.
Cloud security best practices are designed to keep data and applications in the cloud secure from current and emerging cybersecurity threats. But 59% of Canadian executives expect a jump in attacks on cloud services in the coming year, and only 44% profess an understanding of cloud risks based on formal assessments.
While on-premises processes, people and technology can help secure cloud computing environments against external and insider cybersecurity threats, traditional approaches to security and privacy aren’t scalable or sustainable for cloud. There’s also a very common misconception that cloud offerings are secure out of the box.
Whether you’re moving on-premises applications to a software-as-a-service (SaaS) model in the cloud or making larger infrastructure shifts through platform-as-a-service (PaaS) or infrastructure-as-a-service (IaaS), you’ll be able to take advantage of security tools baked into cloud offerings. But it’s the responsibility of cloud customers to properly configure, manage and monitor those security features and functionality.
Some of the key security challenges organizations should be aware of when implementing cloud solutions include:
Extended threat landscape: The threat landscape is extended as cloud introduces more computing layers—and therefore more threat agents. With increasingly complex and expansive hybrid and multi-cloud environments, data can be exposed to risk both in transit and at rest.
Misconfiguration: If cloud services aren’t configured properly, they may be vulnerable to malicious activities. It’s also essential to have a consistent identity and access management (IAM) strategy in situations where cloud and on-premises environments coexist.
Limited visibility: Shadow IT, the use of unsanctioned applications, and lack of management oversight and governance in the provisioning of cloud services can lead to vulnerabilities in the cloud.
How can organizations take advantage of the benefits offered by cloud technologies while keeping their data safe? When moving applications or infrastructure to the cloud, it’s important to understand the native security functions available—and then to configure them properly.
Major public cloud service providers, such as Microsoft Azure, Amazon Web Services and Google Cloud Platform, bake security into their services, so there’s no need to reinvent the wheel. But those tools still need proper configuration aligned with vendor and industry best practices. For example, as part of your IAM strategy, you’ll need to indicate which scenarios to flag as suspicious, such as a user repeatedly trying to access data they don’t have permission to access.
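The scenario above, a user repeatedly trying to access data they don't have permission to access, can be expressed as a simple detection rule. The following Python is an added example, not part of the original article or any cloud provider's tooling; the log format, user names, threshold and five-minute window are all constructed assumptions for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access-log lines (hypothetical format, not a real provider's):
# ISO timestamp, user, action, resource, decision
SAMPLE_LOG = """\
2024-05-01T09:00:05 alice read finance/payroll.csv DENIED
2024-05-01T09:00:40 bob read eng/design.md ALLOWED
2024-05-01T09:01:10 alice read finance/payroll.csv DENIED
2024-05-01T09:02:30 alice read finance/bonus.xlsx DENIED
2024-05-01T09:03:00 carol read hr/reviews.doc DENIED
2024-05-01T09:04:15 alice list finance/ DENIED
2024-05-01T11:30:00 carol read hr/reviews.doc DENIED
2024-05-01T14:45:00 carol read hr/reviews.doc DENIED
"""

def parse_events(text):
    """Yield (timestamp, user, resource, decision) from well-formed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than guessing at fields
        ts, user, _action, resource, decision = parts
        yield datetime.fromisoformat(ts), user, resource, decision

def flag_repeated_denials(text, threshold=3, window=timedelta(minutes=5)):
    """Return {user: time the user first hit `threshold` denials within `window`}."""
    recent = defaultdict(deque)  # user -> denial timestamps still inside the window
    flagged = {}
    for ts, user, _resource, decision in sorted(parse_events(text)):
        if decision != "DENIED":
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop denials that have aged out of the window
        if len(q) >= threshold and user not in flagged:
            flagged[user] = ts
    return flagged

if __name__ == "__main__":
    for user, when in flag_repeated_denials(SAMPLE_LOG).items():
        print(f"suspicious: {user} reached the denial threshold at {when.isoformat()}")
```

In the constructed data, alice is flagged after three denials in under three minutes, while carol's three denials spread across a working day stay below the rule, which is the kind of tuning decision the customer, not the provider, has to make.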
Organizations should make sure they have an enterprise-wide high-level security architecture principle that applies to any technology, whether on-premises or in the cloud. For example, if that principle requires multi-factor authentication for certain critical functions, it shouldn’t matter whether users are accessing those functions on-premises or in the cloud.
Of course, once you move an application or part of your infrastructure to the cloud, you’ll also need to continuously monitor that environment for potential data breaches or malicious events.
It’s critical to have a cloud security strategy in place to guide transformation projects and protect against financial loss, reputational damage, legal repercussions and regulatory fines. Any such strategy should comprise the following actions at a minimum:
Embed security, risk and compliance from the start.
Align cloud security and risk strategy to the enterprise cloud strategy.
Consolidate tech vendors and applications to reduce unnecessary complexity and risk.
Adopt compliant and secure DevOps pipelines and practices.
Mature operations through cloud-enabled process automation and simplification.
Monitor risk and security proactively with real-time insights.
Measure compliance risks, cyber maturity and privacy capabilities, and leverage metrics for risk-based decisions.
Transform security and compliance capabilities into consumable, automated and integrated services.
The time for cloud is now. In many cases, it makes sense to move applications or infrastructure to the cloud for increased agility and resilience. But as the cyber threat landscape quickly evolves, it will be crucial to make sure security measures adapt at pace.
Partner, Cybersecurity, Privacy and Financial Crime and National Cybersecurity Leader, PwC Canada