7 steps to achieving cloud security success

By Jim Fulton, Senior Director of SASE and Zero Trust.

  • 2 years ago Posted in

We all know just how testing the last years has been for the IT and cybersecurity industry. The sudden shift to remote working changed what were our five-year digital transformation plans into an accelerated jolt towards using the cloud in new and extended ways, enabling employees to access data securely, and continue working.

However, dealing with this new environment, especially when we’re storing critical data in the cloud can feel daunting – particularly with the pressure of security breach fines looming over our heads. 

In fact, research reveals that 75% of cloud, IT and security professionals view the public cloud as more secure than their own organisations’ data centres. Despite this, 92% say their business has a gap between current and planned cloud usage, and the maturity of their cloud programme.

Some sceptics will question whether the cloud is secure. However, as industry professionals we know that the question we should really be asking is if we’re using cloud securely. At the end of the day, cloud is a tool, and how we protect our data within it will rely to a certain extent on our practices and security policies. And this is something, understandably considering the circumstances, that hasn’t been mastered by all businesses.

However, when we do get the policies and practices right, the benefits of cloud extend way beyond just facilitating remote working. They include faster, more consistent application provisioning and enhanced computing power. 

There are seven key steps which can be taken to improve cloud security quickly and invite the advantages of cloud, rather than the risks.

Seven steps to cloud security success

Protecting data within the cloud isn’t so much about implementing many different types of security, but more about being proficient in the specific areas that are going to make it really difficult for a cloud security infrastructure to be penetrated. Of course, this isn’t that easy when dealing with an unfamiliar environment because it’s hard to know where to focus attention. But, by following these seven key steps for cloud security success, we can avoid data loss, manage privileged user access appropriately and limit the number of tools to maintain, reducing both spending and administration time.

1. Develop a thorough cloud strategy that is shared by all

Avoid having disparate cloud initiatives scattered across the company. Instead, build a strategy that encompasses the entire organisation. This can be done by forming a focus group with participants from across the business and who then construct guidelines together. Think about objectives, benefits, risks, key adoption criteria, and how to link to business strategy. Then select cloud platform providers who can help you track and understand who within your organisation are making use of cloud resources.

2. Define security policies, procedures, and controls consistent with your environment

It’s important that the privacy and security controls you use in the cloud are consistent with those you use on-premises; otherwise you leave yourself open to cyberattacks. Where possible, find ways to extend policies, procedures, and controls into the cloud to keep operations consistent and avoid the costs associated with having redundant systems. This starts by identifying what’s currently in place, what the CSP’s (cloud security provider) security practices are, and what needs to be done to optimise protection.

3. Draw clear lines of responsibility

Cloud security is a shared responsibility between an organisation and its CSP so IT leaders must make sure everyone knows who is doing what, so no stone is left unturned. Usually CSPs will be responsible for the cloud environment, and the customer will be responsible for protecting what’s in the cloud, which includes data and users.

4. Review the cloud’s configuration

Misconfigurations are one of the most common pitfalls when implementing security in cloud. Check that the cloud’s platform details are set up for interoperability and communication across remote locations. It’s important to confirm that the CSP’s configurations are compliant with specific industry and government regulations. Most importantly, make sure that you have ways of enforcing your enterprise data security policies in each of the cloud environments consistent with what you enforce on-premises.

5. Create a cloud-specific security reference architecture

Some 95% of cloud security failures are the fault of subscribers, according to industry analysts. With this in mind, it’s important to build a reference architecture. When doing this, we must make sure that identity access management, application security, data security, and data activity monitoring are incorporated.

6. Accept responsibility for compliance

IT leaders and administrators cannot just rely on the CSPs regulatory compliance because this won’t cover the full use of the cloud environment. So, it’s important to assess the CSP’s security practices and develop additional controls for the security risk management framework. This can easily be done by using pre-built templates and automation tools. Make sure that the policies you enforce in the cloud are extension of what you enforce elsewhere to prevent gaps or redundancies from creeping in.

7. Continuously scan and monitor the cloud environment

The cloud environment, and actions taken within it, aren’t static, Therefore, security processes can’t be stationary either. You must scan and monitor cloud environments regularly. To do this, IT administrators must introduce a security posture assessment, the ability to observe behaviours, and deep behavioural context for alerts.

Security can never stop 100% of all attacks. Cyberattacks continue to evolve. There’s always a risk of insider threats, and despite best efforts, people will make mistakes that could cause security incidents.  However, if we all carrying out these steps, we as an industry will be much more likely to have a cloud security programme that keep apace with these risks, enabling employees and data to remain as protected as they possibly can be – all while reaping the rewards of being a cloud-based business.

[END]

By Barry O'Donnelll, Chief Operating Officer at TSG.
By Dr. Sven Krasser, Senior Vice President and Chief Scientist, CrowdStrike.
By Gareth Beanland, Infinidat.
By Nick Heudecker, Senior Director at Cribl.
By Stuart Green, Cloud Security Architect at Check Point Software Technologies.
The cloud is the backbone of digital cybersecurity. By Walter Heck, CTO HeleCloud
By Damien Brophy, Vice President EMEA at ThoughtSpot.