June 18, 2018 By Scott McAvoy 3 min read

I joined a number of security professionals at the IBM Security Summit in London last month during the “Innovating With Cloud Security” breakout session, which was hosted by Martin Borrett, chief technology officer (CTO) of IBM Security Europe. The audience took part in discussions about typical cloud transformation journeys, security for and from the cloud, development operations (DevOps) disruption of enterprise security and regulatory expectations.

Audience polls discovered that all of the attendees use cloud services in their business — and the majority use the public multi-cloud. (This is also true for our working environment at IBM.) The audience also reflected our past experiences with polar business attitudes toward security in the cloud. For example, the assumption that the cloud is too insecure for use in the enterprise, or (just the opposite) that security is automatically built into cloud platforms.

What’s more, less than 10 percent of the audience had a formal strategy supported by policies and procedures for security in the cloud.

Cloud Security: For vs. From

It’s essential to distinguish security for the cloud (which protects cloud workloads) and security from the cloud (which safeguards other cloud workloads or on-premises infrastructure and applications).

Examples of security for the cloud include native and off-the-shelf products for identity and access management (IAM), patching and data encryption. Security-as-a-service (SECaaS) offerings for security information and event management (SIEM), IAM and vulnerability and application scanning are examples of security from the cloud.

Regulatory Requirements and the Cloud

Though enterprise workloads are often modified to adapt to the cloud, the standards, regulations and legislation that govern these workloads won’t necessarily change. Where compliance has been achieved in on-premises environments, organizations must assess policies, procedures and controls to determine whether they are still required and (if so) whether they are implemented effectively.

Auditors, in particular, will expect security leaders to account for data sovereignty, IAM, auditability, availability, data classification, encryption, incident management and response and business continuity in the context of the cloud.

Map Your Cloud Transformation Journey

During the breakout session, we talked about the transformation contexts of migrating workloads to the cloud, cloud-native and hybrid cloud. Migration and hybrid were the most popular approaches in the room, in addition to a general desire to move toward cloud-native.

We recommend conducting a current state security assessment and mapping exercise to translate it to the cloud, as well as developing a cloud security strategy. Where security policies, procedures and controls are already documented, refresh these with the cloud environment in mind. Also, look for how the cloud environment can be used to improve, streamline or automate your security enforcing functions. This is particularly true of cloud-native, but it applies to migration and hybrid too.

Infusing Cloud Security Into DevOps

The cloud has enabled new ways of working, including tightly integrated development and operation teams and processes. DevOps has taken advantage of the cloud to enable continuous delivery.

In many cases, DevOps engineers have direct access to cloud environments and are in a position to make and implement business-changing decisions. We need to integrate security into DevOps to take advantage of cloud and deliver security. Developers write application code and operations staffers write infrastructure-as-code (IaC). We need to get in line with this and demonstrate how security-as-code can be part of this process and how a culture of security can help DevOps teams think and behave like security professionals. This will enable us to organically move security to the left within our organizations.

Different Techniques, Same Outcomes

Across everything we discussed, one thing hasn’t changed: the security outcomes we’re aiming to achieve. We’re all using different techniques, implementing more automation and achieving greater efficiency and faster improvements — but all in the name of the same outcomes.

If we change the way we think about security delivery, we can not only secure our cloud workloads, but also drive support for the enterprise as a whole as it transforms to a cloud business.

Read the interactive white paper: One for All — New Parity for Your Enterprise Security

More from Cloud Security

What is data security posture management?

3 min read - Do you know where all your organization’s data resides across your hybrid cloud environment? Is it appropriately protected? How sure are you? 30%? 50%? It may not be enough. The Cost of a Data Breach Report 2023 revealed that 82% of breaches involved data in the cloud, and 39% of breached data was stored across multiple types of environments. If you have any doubt, your enterprise should consider acquiring a data security posture management (DSPM) solution. With the global average…

Endpoint security in the cloud: What you need to know

9 min read - Cloud security is a buzzword in the world of technology these days — but not without good reason. Endpoint security is now one of the major concerns for businesses across the world. With ever-increasing incidents of data thefts and security breaches, it has become essential for companies to use efficient endpoint security for all their endpoints to prevent any loss of data. Security breaches can lead to billions of dollars worth of loss, not to mention the negative press in…

The importance of Infrastructure as Code (IaC) when Securing cloud environments

4 min read - According to the 2023 Thales Data Threat Report, 55% of organizations experiencing a data breach have reported “human error” as the primary cause. This is further compounded by organizations now facing attacks from increasingly sophisticated cyber criminals with a wide range of automated tools. As organizations move more of their operations to the cloud, they must also become increasingly aware of the security risks and threats that come with it. It’s not enough anymore to simply have a set of…

How I got started: Cloud security engineer

3 min read - In today’s increasingly cloud-focused business environment, cloud security engineers are pivotal in protecting an organization’s critical data and infrastructure. As experts in cloud security, they leverage their expertise to ensure that the ever-expanding amount of cloud data is safe from emerging threats and vulnerabilities. Cloud security professionals combine their passion for technology with a deep understanding of security principles to design and implement robust cloud security strategies. What experience do these security experts have, and what led them to the…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today