Cloud computing introduced a paradigm shift in how companies operate, maintain and pay for IT. Through its varied service models (IaaS, PaaS and SaaS), it offers companies the ability to spin up their infrastructure in minutes, auto-scale on demand, pay only for what they use and avoid much of the cost of running and maintaining expensive datacentres, albeit at the expense of reduced granularity and control over the underlying infrastructure resources.

Whilst the last decade saw a number of enterprises experiment with cloud deployments, the verdict on its business value was still unclear. This has however changed in recent years, primarily due to the speed and tremendous growth of some of cloud’s early adopters (like Netflix and Spotify), which have made cloud a central part of every CIO’s digital transformation strategy today.

The Challenge

However, the paradigm shift brought by the cloud has also meant that organisations need to adapt their current operating models and overcome a number of challenges to unlock the true business value from their cloud deployments.

Cloud security is one such challenge, since the traditional perimeter-based “castle and moat” approach used by enterprises does not hold up in the new hybrid environment, where enterprise IT consists of a mix of SaaS, on-prem and public cloud deployments and there is no single network boundary left to defend.

Not-so-distant examples of high-profile data breaches in the cloud are a stark reminder of the need for cloud security. The global pandemic due to COVID-19 has only intensified cyber-criminal activity, with a recent analysis by the IBM X-Force IRIS team of cloud security incidents identifying data theft, cryptomining, and ransomware as the top three threats to the cloud.

So How Do You Secure Your Cloud Journey?

Enterprise CISOs need a programmatic approach that can be applied at any level, irrespective of the state of your cloud journey (initial adoption, in transformation, mature steady state environment).

Part 1: Plan (or Review)

As a first step in securing your cloud journey, you must plan (or review) your strategy and roadmap. This means assessing the current state of your IT and cloud security maturity (spanning across business and technical needs).

The Cloud Controls Matrix from the Cloud Security Alliance is a good tool for performing such an assessment. If your enterprise does not yet have a cloud implementation, then its 197 control objectives can act as a good guide for defining the security controls that need implementation. For existing cloud deployments, organisations may additionally use a cloud security posture management (CSPM) tool to check the configuration of their deployed resources against those controls.

What’s Right for You?

Once you have assessed your current state maturity, you must define your desired target state. This should be based on your organisation’s risk appetite, your regulatory and compliance requirements, as well as wider business goals and objectives.

You can then identify the gap in skills and processes between your organisation’s current state and desired state maturity. The final outcome of the planning phase should be a roadmap of activities you need to transition to a targeted state. For organisations that are already operating in a steady state environment, the planning phase acts as a reset to allow you to review your cloud security maturity and to adjust your strategy and roadmap accordingly.

Part 2: Build (or Design and Build)

The specifics of the next step depend on the outcome of your planning (or review) phase: you should now begin a program of work that follows the roadmap you made to achieve your desired target state.

Depending on where you are in your cloud adoption journey, your roadmap will be unique to you. For example, if you are early in your cloud adoption journey, your roadmap may include defining your cloud security policies and requirements, defining your security architecture principles, architecting your secure landing zone and creating hardened configurations for your cloud infrastructure.

Whereas, if you are already operating in the cloud, your build phase may include activities for remediation of identified gaps from your cloud security posture assessment and/or augmentation of existing cloud security controls based on new requirements.

The key during your build phase is to ensure you integrate security by design. In other words, your security controls should be provisioned automatically, as part of the deployment itself, to meet your corporate and regulatory compliance requirements rather than being bolted on afterwards. Whilst this was a stretch a few years ago, the advent of technologies such as Infrastructure-as-Code (IaC) has made this a very achievable outcome, provided the templates themselves are reviewed and checked against your policies before they are deployed.

Part 3: Run (Optimize)

As you close your final roadmap of activities, you must now start preparing for the transition to steady state. Ideally, by now you would have built and augmented your cloud security controls and processes across each of the below areas (at a minimum):

  • Governance and Resources — Developed a security organization model suited for operating in the cloud, along with a team of skilled resources supporting it.
  • Identity and Access Management (IAM) — Developed an IAM strategy for your hybrid or fully cloud-native environment. Built, deployed and operationalized IAM services such as single sign-on/federation (with multifactor authentication) across your environments; and have properly tested and configured IAM security policies to ensure authentication and access control is maintained according to a least privilege model.
  • Infrastructure Security — Created hardened IaC templates for your cloud resources. At this stage, you should have established secure connectivity between your cloud and on-prem environments. You should also have a secure landing zone for migrating your on-prem apps and data to the cloud.
  • Application Security — Created and operationalized a well-defined DevSecOps process that includes security touch points (code reviews, static application security testing/dynamic application security testing scans and smoke tests). These should be built into the various phases of your continuous integration/continuous deployment pipeline. You should also have deployed and enabled runtime safeguards for web security, such as distributed denial-of-service (DDoS) protection, firewalls, application programming interface gateways and application load balancers.
  • Data Protection — Defined data encryption policies and guidelines that guide your data at rest and data in transit encryption requirements. Deployed capabilities for data loss prevention, data encryption and key lifecycle management in line with your regulatory and compliance needs.
  • Logging and Monitoring — Enabled logging of security events and network flows from across your environment. Perform vulnerability scanning and continuous compliance monitoring of your on-prem and cloud resources, and have a single pane of glass to centralize security visibility.
  • Cloud Incident Response — Developed a cyber incident response (IR) plan with defined playbooks to cater to a variety of cloud security incidents. Perform table-top testing of your IR plan at least on an annual basis.
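The build-phase advice above (security by design, with controls provisioned automatically through IaC and checked in the CI/CD pipeline) and the run-phase checklist both come down to encoding your controls so they can be evaluated against every template before deployment. The following is an added example, not code from the original article or from IBM: a small policy-as-code check that runs a handful of the controls listed above (encryption at rest, no public storage, least-privilege IAM, logging enabled, TLS-only listeners) over a constructed resource inventory. The resource dictionaries, control identifiers such as DATA-01 and the inventory contents are all constructed for illustration and do not follow any particular provider's API or template format.

```python
"""Policy-as-code checks run over an infrastructure-as-code resource inventory.

Added example for this article: the resource dictionaries, control names and
the inventory below are constructed for illustration and do not follow any
particular cloud provider's API or template format.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Optional

Resource = Dict[str, Any]


@dataclass(frozen=True)
class Finding:
    resource: str   # name of the offending resource
    control: str    # which control it fails
    detail: str     # human-readable reason


# Each rule returns a reason string when the resource violates the control,
# or None when it passes (or when the rule does not apply to that resource type).
def storage_encrypted(r: Resource) -> Optional[str]:
    if r["type"] == "storage_bucket" and not r.get("encryption_at_rest", False):
        return "no encryption at rest configured"
    return None


def storage_not_public(r: Resource) -> Optional[str]:
    if r["type"] == "storage_bucket" and r.get("public_access", False):
        return "bucket allows anonymous public access"
    return None


def iam_least_privilege(r: Resource) -> Optional[str]:
    # Flags Allow statements that use a wildcard action or a wildcard resource.
    if r["type"] != "iam_policy":
        return None
    for stmt in r.get("statements", []):
        if stmt.get("effect") != "Allow":
            continue
        if "*" in stmt.get("actions", []) or "*" in stmt.get("resources", []):
            return f"statement '{stmt.get('sid', '?')}' grants wildcard actions or resources"
    return None


def logging_enabled(r: Resource) -> Optional[str]:
    if r["type"] in ("storage_bucket", "virtual_network") and not r.get("access_logging", False):
        return "access/flow logging is disabled"
    return None


def tls_only(r: Resource) -> Optional[str]:
    if r["type"] == "load_balancer" and r.get("listener_protocol") != "HTTPS":
        return f"listener protocol is {r.get('listener_protocol')!r}, expected HTTPS"
    return None


# Hypothetical control identifiers, chosen for this example only.
RULES: Dict[str, Callable[[Resource], Optional[str]]] = {
    "DATA-01 encryption at rest": storage_encrypted,
    "DATA-02 no public storage": storage_not_public,
    "IAM-01 least privilege": iam_least_privilege,
    "LOG-01 logging enabled": logging_enabled,
    "NET-01 TLS only": tls_only,
}


def evaluate(inventory: List[Resource]) -> List[Finding]:
    """Run every rule over every resource and collect the failures."""
    findings: List[Finding] = []
    for r in inventory:
        for control, rule in RULES.items():
            detail = rule(r)
            if detail is not None:
                findings.append(Finding(r["name"], control, detail))
    return findings


def pipeline_exit_code(findings: List[Finding]) -> int:
    """Non-zero when anything fails, so a CI/CD stage can block the deployment."""
    return 1 if findings else 0


# Constructed inventory: the same three resources, first as a typical unreviewed
# template, then as the hardened version the build phase should produce.
WEAK_INVENTORY: List[Resource] = [
    {"name": "customer-data", "type": "storage_bucket",
     "encryption_at_rest": False, "public_access": True, "access_logging": False},
    {"name": "ci-deployer", "type": "iam_policy",
     "statements": [{"sid": "AllowAll", "effect": "Allow",
                     "actions": ["*"], "resources": ["*"]}]},
    {"name": "web-lb", "type": "load_balancer", "listener_protocol": "HTTP"},
]

HARDENED_INVENTORY: List[Resource] = [
    {"name": "customer-data", "type": "storage_bucket",
     "encryption_at_rest": True, "public_access": False, "access_logging": True},
    {"name": "ci-deployer", "type": "iam_policy",
     "statements": [{"sid": "DeployOnly", "effect": "Allow",
                     "actions": ["storage:PutObject"],
                     "resources": ["bucket/customer-data/*"]}]},
    {"name": "web-lb", "type": "load_balancer", "listener_protocol": "HTTPS"},
]


if __name__ == "__main__":
    for label, inv in (("weak", WEAK_INVENTORY), ("hardened", HARDENED_INVENTORY)):
        results = evaluate(inv)
        print(f"{label}: {len(results)} finding(s), exit code {pipeline_exit_code(results)}")
        for f in results:
            print(f"  [{f.control}] {f.resource}: {f.detail}")
```

Run stand-alone, the weak inventory produces five findings (three on the bucket, one on the IAM policy, one on the load balancer) and a non-zero exit code, while the hardened inventory produces none. In practice the rules would be run against the parsed output of your real IaC templates as a pipeline stage, and the same rule set can be pointed at a CSPM export of already-deployed resources to satisfy the continuous compliance monitoring item in the checklist above.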

Making Your Cloud Security Transformation Journey Smoother

Whilst there are many challenges to achieving a successful cloud security transformation, opting for a strategic Systems Integrator (SI) and Managed Security Services provider like IBM Security can certainly help make the journey smoother.

Systems Integrators bring in a wealth of experience and know-how of having delivered transformations, and also provide seasoned security resources and skills that can accelerate your transformation journey. For more information on how IBM Security can help secure your cloud journey, please visit IBM Security – Cloud Security Solutions.
