Organizations of all sizes and across all segments know that transitioning to cloud services is vital to innovation, growth, and competitive advantage. They are well aware that they can’t afford to slow down the progress of their digital transformation. And they are acutely aware that the public cloud is becoming a target of choice for cyberattacks because it’s all about the data. Data is the fuel that powers digital transformation, and it’s what motivates bad actors to exploit vulnerabilities in cloud computing.
A recent McAfee study, “Navigating a Cloudy Sky: Practical Guidance and the State of Cloud Security,” reports that 97 percent of organizations are actively adopting cloud services. Furthermore, 83 percent of them are creating, sharing, and storing sensitive data in the cloud. While cloud service providers are on point to secure their physical infrastructure, servers, and applications, organizations are ultimately on the hook to safeguard their data in the cloud. This means that cloud security must be top of mind for organizations on their digital transformation journey.
Cloud-first organizations are no strangers to serious data breaches and other security incidents. The same survey found that one in four organizations that rely on Infrastructure-as-a-Service (IaaS) or Software-as-a-Service (SaaS) have had data stolen. One in five has experienced an advanced attack against their public cloud infrastructure.
To avoid security incidents that can slow down your momentum, here are some cloud security best practices that can help you take advantage of the cloud while minimizing risk.
Perform a SWOT Analysis for Every Cloud Initiative
As you make the transition to the cloud, a good starting point for assessing risk is to conduct a Strengths, Weaknesses, Opportunities, and Threats (SWOT) analysis. The first step in undertaking a SWOT analysis is to define your business objectives and the security requirements of your cloud initiative. Then, you’ll want to get a handle on both internal and external security risks to ensure that you have a firm grasp on what you may be up against. The Cloud Security Alliance (CSA) has identified a dozen threats in the latest release of its “Treacherous 12 Top Threats to Cloud Computing Plus: Industry Insights” report. These range from data breaches caused by human error or gaps in security coverage and insecure application programming interfaces (APIs) to malicious insiders and advanced persistent threats.
By juxtaposing business objectives against threats, you can maximize the potential benefits of cloud-based applications or implementations while preparing to defend against and mitigate worst-case scenarios. This type of analysis will help you determine where you need to place architectural control points—whether the data resides in devices or in the cloud.
Gain Better Visibility to Cloud Services and Data
Organizations that have tools and technologies in place to provide comprehensive visibility into their cloud environment are at an advantage. They can more easily enforce security policies. They can react to incidents faster. They have a greater level of confidence in embracing transformative cloud services. They more quickly reap the benefits of cost savings associated with the cloud. They even have a positive view of Shadow IT and look at it as an indicator of emerging trends and potentially useful applications that help support business demands.
Poor visibility, on the other hand, can result in uncertainty among both IT and executives and may slow down cloud adoption. It’s critical to put in place mechanisms that will help you see what cloud services are being used, where your data is going, and what type of data is being shared.
Adopt a Unified, Coordinated Approach to Cloud Security
Another key best practice is something you’re likely aware of already in your on-premises environment: the value of embracing unified security and avoiding a piecemeal approach. Only a unified approach to cloud security, supported by a security technology solution that protects your data from devices to the cloud, will ensure that all the bases are covered and that there are no security gaps – from sharing of context to improve detection to consistent policies for remediation – between the disparate components.
Integration drives this strategy. For example, seek out a cloud access security broker (CASB) solution that integrates with your endpoint data loss protection so that you can leverage and extend existing DLP policies from the device to the cloud for consistent and persistent protection.
Take Advantage of Automation to Minimize Risk and Exposure
One of the weakest links in most security strategies is human error. Automating security processes is key to ensuring the consistent application of best practices and understanding what happened in the event of a failure or breach. Furthermore, deployment automation and management tools, like Chef, Puppet, or Ansible, can help your team stay on schedule with the rapid pace of cloud-native code development and deployment. By using automation to perform repetitive tasks, your security staff can be freed up to apply their skills and knowledge to analysis, investigation, and development of proactive cloud security strategies.
Proactively Build Security into Your Proprietary Code
Vulnerable application code increases the possibility of a breach and will slow down your journey to the cloud. The best way to improve the quality of your code and reduce exploits is to ensure that a DevSecOps process is integrated into your DevOps process. Don’t be afraid to get in the weeds with executives and department heads about how flawed code is created and why that process needs to be fixed. They will gain an appreciation of why it’s so critical to integrate development, quality assurance, and security processes within business units or application teams in order to keep up with today’s fast-moving business environment.
Update Your Staff on Cloud Security
More than likely, you’re concerned about having insufficient staff with the skills to manage security for the cloud—and you’re not alone. Cybersecurity Ventures reports that by 2021, 3.5 million cybersecurity jobs will go unfilled.
The best way to reduce the impact of the cybersecurity skills shortage is to go with a platform approach that reduces the number of bespoke security technologies that need to be managed, to leverage automation, and to build security into the code, thereby avoiding the cost, complexity, and frustration of security practitioners who need to police developers after the fact. Another way to reduce the impact of the cybersecurity skills shortage is to leverage best practices and templates, whether in the use of SaaS cloud services or in the use of IaaS/PaaS cloud services.
There are also several creative strategies to support rapid growth and retain your best people. These involve gamification techniques, real-world penetration testing for cloud vulnerabilities, and opportunities sponsored by other organizations to participate in realistic cyberattack simulations specific to the cloud.
Cultivate a Culture of Cloud Security
For your cloud-driven transformation to be successful, you need to promote a shared responsibility model of cloud security that ties business growth to security. No single individual, organization, or vendor can defeat cybercrime on their own. Everyone at every level of your organization—from users to board members—needs to become cloud security savvy. Executives can lead by example by insisting on device-to-cloud security training for every stakeholder and by investing in cybersecurity training for every employee.
Go Forth and Innovate
Companies must be able to innovate without fear; they will be able to move forward more quickly with their digital transformation by investing in cloud security.
Investing in cloud security—the people, technology, and processes—adds value to creative businesses that see the opportunities afforded by going digital. Cloud security innovators are pushing the envelope to help organizations move ahead boldly with their digital transformation. There’s no reason to be left behind. With the cloud, instead of managing servers, networks, and storage, you can focus your attention on your customers and on how best to accelerate your digital transformation. Sure, you’re still responsible for protecting your data in the cloud—but, remember, you don’t have to do it alone.