I joined a number of security professionals at the IBM Security Summit in London last month during the “Innovating With Cloud Security” breakout session, which was hosted by Martin Borrett, chief technology officer (CTO) of IBM Security Europe. The audience took part in discussions about typical cloud transformation journeys, security for and from the cloud, development operations (DevOps) disruption of enterprise security and regulatory expectations.

Audience polls discovered that all of the attendees use cloud services in their business — and the majority use the public multi-cloud. (This is also true for our working environment at IBM.) The audience also reflected our past experiences with polar business attitudes toward security in the cloud. For example, the assumption that the cloud is too insecure for use in the enterprise, or (just the opposite) that security is automatically built into cloud platforms.

What’s more, less than 10 percent of the audience had a formal strategy supported by policies and procedures for security in the cloud.

Cloud Security: For vs. From

It’s essential to distinguish security for the cloud (which protects cloud workloads) and security from the cloud (which safeguards other cloud workloads or on-premises infrastructure and applications).

Examples of security for the cloud include native and off-the-shelf products for identity and access management (IAM), patching and data encryption. Security-as-a-service (SECaaS) offerings for security information and event management (SIEM), IAM and vulnerability and application scanning are examples of security from the cloud.

Regulatory Requirements and the Cloud

Though enterprise workloads are often modified to adapt to the cloud, the standards, regulations and legislation that govern these workloads won’t necessarily change. Where compliance has been achieved in on-premises environments, organizations must assess policies, procedures and controls to determine whether they are still required and (if so) whether they are implemented effectively.

Auditors, in particular, will expect security leaders to account for data sovereignty, IAM, auditability, availability, data classification, encryption, incident management and response and business continuity in the context of the cloud.

Map Your Cloud Transformation Journey

During the breakout session, we talked about the transformation contexts of migrating workloads to the cloud, cloud-native and hybrid cloud. Migration and hybrid were the most popular approaches in the room, in addition to a general desire to move toward cloud-native.

We recommend conducting a current state security assessment and mapping exercise to translate it to the cloud, as well as developing a cloud security strategy. Where security policies, procedures and controls are already documented, refresh these with the cloud environment in mind. Also, look for how the cloud environment can be used to improve, streamline or automate your security enforcing functions. This is particularly true of cloud-native, but it applies to migration and hybrid too.

Infusing Cloud Security Into DevOps

The cloud has enabled new ways of working, including tightly integrated development and operation teams and processes. DevOps has taken advantage of the cloud to enable continuous delivery.

In many cases, DevOps engineers have direct access to cloud environments and are in a position to make and implement business-changing decisions. We need to integrate security into DevOps to take advantage of cloud and deliver security. Developers write application code and operations staffers write infrastructure-as-code (IaC). We need to get in line with this and demonstrate how security-as-code can be part of this process and how a culture of security can help DevOps teams think and behave like security professionals. This will enable us to organically move security to the left within our organizations.

Different Techniques, Same Outcomes

Across everything we discussed, one thing hasn’t changed: the security outcomes we’re aiming to achieve. We’re all using different techniques, implementing more automation and achieving greater efficiency and faster improvements — but all in the name of the same outcomes.

If we change the way we think about security delivery, we can not only secure our cloud workloads, but also drive support for the enterprise as a whole as it transforms to a cloud business.

Read the interactive white paper: One for All — New Parity for Your Enterprise Security

More from Cloud Security

How Do You Plan to Celebrate National Computer Security Day?

In October 2022, the world marked the 19th Cybersecurity Awareness Month. October might be over, but employers can still talk about awareness of digital threats. We all have another chance before then: National Computer Security Day. The History of National Computer Security Day The origins of National Computer Security Day trace back to 1988 and the Washington, D.C. chapter of the Association for Computing Machinery’s Special Interest Group on Security, Audit and Control. As noted by National Today, those in…

Why Are Cloud Misconfigurations Still a Major Issue?

Cloud misconfigurations are by far the biggest threat to cloud security, according to the National Security Agency (NSA). The 2022 IBM Security X-Force Cloud Threat Landscape Report found that cloud vulnerabilities have grown a whopping 28% since last year, with a 200% increase in cloud accounts offered on the dark web in the same timeframe. With vulnerabilities on the rise, the catastrophic impact of cloud breaches has made it clear that proper cloud security is of the utmost importance. And…

Charles Henderson’s Cybersecurity Awareness Month Content Roundup

In some parts of the world during October, we have Halloween, which conjures the specter of imagined monsters lurking in the dark. Simultaneously, October is Cybersecurity Awareness Month, which evokes the specter of threats lurking behind our screens. Bombarded with horror stories about data breaches, ransomware, and malware, everyone’s suddenly in the latest cybersecurity trends and data, and the intricacies of their organization’s incident response plan. What does all this fear and uncertainty stem from? It’s the unknowns. Who might…

How an Attacker Can Achieve Persistence in Google Cloud Platform (GCP) with Cloud Shell

IBM Security X-Force Red took a deeper look at the Google Cloud Platform (GCP) and found a potential method an attacker could use to persist in GCP via the Google Cloud Shell. Google Cloud Shell is a service that provides a web-based shell where GCP administrative activities can be performed. A web-based shell is a nice feature because it allows developers and administrators to manage GCP resources without having to install or keep any software locally on their system. From…