Can a mature, comprehensive cloud security strategy reduce the impact of data breaches on your organization? Results from the latest Cost of a Data Breach Report indicate that taking this approach might produce savings for your business.

Among other findings, the report noted that the mature use of security analytics was associated with lower breach costs. Organizations with a mature use of security analytics had an average total cost of a breach of $1.32 million less than organizations with a less mature use of analytics — a difference in cost of 32.9%.

IBM Security sponsored and published the 2021 study of 537 breaches across 17 countries and regions and 17 different industries, based on research by the Ponemon Institute.

The Differences Between Cloud Environments Regarding Data Breaches

The report found that enterprises surveyed using hybrid cloud deployments had the lowest average total cost of a data breach compared to public or private cloud deployments. Hybrid cloud breaches cost an average of $1.19 million less than public cloud breaches — a difference in cost of 28.3%.

If your organization is already using a hybrid cloud environment, you’ve probably considered the following issues:

  • Exploring the varying shared responsibility model between cloud service providers and consuming organizations across hybrid cloud
  • Understanding and translating regulatory and compliance mandates into security policies and implementing a rationalized set of technical and operational controls that work consistently across hybrid cloud
  • Discovering where and how data is created, migrated, accessed and processed, and securing that data
  • Deploying ‘secure by design’ principles throughout the lifecycle of applications built in your organization
  • Detecting and responding to threats across hybrid cloud rapidly, even with limited resources, by relying on artificial intelligence and machine learning technology capabilities.

Your approach to securing a hybrid cloud environment needs to evolve continuously. The reasons include new cloud products and feature releases, an evolving threat landscape and changing business usage of cloud. The following four pillars are essential for establishing a cloud security charter that enables you to minimize risk, drive agility and operate efficiently:

  1. Manage risk and compliance with prescriptive controls
  2. Ensure data-centric protection with zero trust architecture
  3. Achieve continuous detection and response
  4. Infuse security and privacy with DevSecOps.

By building a cloud security program on these pillars, your enterprise can develop a system that enhances hybrid cloud security collaboratively between business executives, IT leaders and auditors. Consider these basic elements of each pillar:

Manage Risk and Compliance with Prescriptive Controls

A well-designed hybrid cloud, implemented with risk and compliance controls, can protect against data breaches and save on costs. The Cost of a Data Breach report shows enterprises with extensive cloud migration paid nearly $1.66 million more for a data breach than enterprises with a low level of cloud migration. These figures indicate that rampant cloud adoption without due consideration for secure and compliant landing zones, the cloud operating model and so on is riskier than having a well-defined strategy towards the cloud.

Organizations must deal with various regulations and standards when handling data. Some standards and regulations are global, while others are country or industry specific.

IBM Security uses a continuous security and compliance framework tailored to clients’ industries and geographies to drive their security and risk management. IBM’s experts use this framework to arrive at a tailored set of controls that address the myriad complexities of data security clients face.

The technical controls that drive workload security across the hybrid cloud determine if workloads should reside on-premises or on public and private clouds. Those controls should be implemented consistently across those workloads.

IBM Security’s continuous compliance function runs on top of the controls to ensure that they are implemented early and managed consistently. IBM maps policies to controls for specific situations for each client, including pre-provisioning guardrails and post-provisioning continuous posture validation and reporting.

Ensure Data-Centric Protection with Zero Trust

In on-premises and cloud environments, the security domains remain the same, but the mechanisms of addressing those domains differ, often significantly. You need a holistic approach when addressing this pillar.

For example, on-premises there is a very clearly defined perimeter that is usually well secured. In contrast, in the cloud there is often no perimeter, so identity management, micro-segmentation and workload isolation become the key protection tools for your containers and server endpoints.

A zero trust security approach recognizes these nuances and defines policies consistently for both environments. Data-centric protection requires a zero trust architecture that includes network security, identity and access management, application security and data protection. Read more about how zero trust adoption influences the cost of data breaches.

Achieve Continuous Detection and Response

Security is a shared responsibility. Say you have engineers or architects in DevOps who need automation and frictionless, easy-to-implement workload deployment mechanisms quickly. At the same time, your enterprise’s security officer wants optimal protection and visibility to ensure the workloads comply with both regulatory compliance and corporate security policies. This pillar provides the solution for both parties.

An effective collaboration across an enterprise’s hybrid cloud has members from the applications or line-of-business team, the IT infrastructure team and the chief information security officer (CISO) or security team taking the following steps:

  • Detect and understand security threats and events
  • Collaborate to prevent such threats
  • Investigate and respond to incidents collaboratively.

This process embeds threat management into the lifecycle of hybrid cloud operations. You can prioritize events, navigate multiple tools and data sources to investigate threats and reduce manual processes and tools to resolve security incidents.

Infuse Security and Privacy With DevSecOps

Implementing DevSecOps leads to more cloud security and agility. Your organization can reduce the impact of a data breach as a result. However, reaching that position requires an initial change in your work culture. This pillar involves altering the ways of working across business developers and IT operations within your organization.

For this pillar, teams adopt a new culture with a new set of skills and a new orientation toward the areas the team should focus on, aligning strategy, governance, risk and compliance. The changes include the following security-related activities within the DevOps process:

  • Plan and design — perform threat modeling, design security reference architectures
  • Code and build — secure data, applications and infrastructure
  • Deploy and enforce — harden applications, integrate telemetry
  • Monitor and respond — manage threats and compliance.

Team members deliver these changes by examining the hybrid cloud platform and the capabilities that drive security through processes, which is what DevSecOps means. Wrapped around these changes is a management and governance approach that confers the benefits to your organization’s executive board members and other stakeholders involved in risk and compliance. This buy-in is critical for the pillar to succeed.

How to Get Started in Cloud Security

The actions you need to take depend on your situation. If you need and want to build a hybrid cloud platform for your organization, consider platforms such as Red Hat OpenShift. Should you already have a hybrid cloud platform, listen to this podcast to learn more about how to develop a robust cloud security strategy.

Make sure to register for the 2021 Cost of a Data Breach Report to review more key findings and recommendations on cloud security.
