Research group Thales started the year with a video that posed the question: What’s behind the digital cloud?
While much of the video sounds like boilerplate many of us have heard before — how companies can scale apps and lower costs via the cloud — but in the last minute, the company drills down into the obstacles that companies will face in 2023 as they continue their cloud migrations.
Tops on the list: frequent cyberattacks and how to manage the threat landscape; and regulations and laws like the General Data Protection Regulations (GDPR) in Europe, and the Cloud Act in the United States — which can potentially slow cloud adoption.
SC Media talked to security experts about these challenges and predictably, many shied away from the regulatory and legislative issues and focused more on the business challenge at hand: how to stop the growing threat of cyberattacks.
“The biggest challenge is visibility,” said Timothy Morris, chief security advisor at Tanium. “Many organizations moved from on-premises to cloud with a ‘lift and shift’ mentality. Many of the tools and processes used to manage and monitor those applications and infrastructures are no longer valid. In some cases, the change shifted paradigms and a subset of those tools or processes are no longer needed. However, in other cases organizations must depend upon the cloud provider, new/different tools, and/or have to revamp processes.”
Sundaram Lakshmanan, chief technology officer at Lookout, said another major challenge security teams face this year is consolidating the sprawling array of security tools they’ve accumulated over the years. Lakshmanan said this patchwork approach makes it nearly impossible for teams to maintain full visibility and control over company data and networks. This means teams operate far less efficiently and face cascading problems as a result, rather than getting ahead of potential risks.
“Implementing a unified edge security platform built for the work-from-anywhere world, one that focuses on protecting data wherever it might travel, is a proactive way to address this emerging dynamic,” said Lakshmanan.
How should security teams prioritize?
Craig Burland, chief information security officer at Inversion6, said security organizations should start by helping their organizations understand the shared responsibility model.
“Securing data and assets in the cloud is not the responsibility of the cloud provider,” said Burland “That burden still falls on the organization. This applies to all types of services — SaaS, PaaS, and IaaS.”
Burland said companies also need to adopt and integrate cloud cybersecurity toolsets. Extending on-premises toolsets to the cloud may cause problems for some because the tools lack features, there’s poor cloud platform integration, or an inability to automate. Burland said cloud providers offer their own unique toolsets to manage and monitor cybersecurity.
“Learning the new capabilities and redesigning existing procedures to watch the new environment is key to avoiding incidents,” Burland said.
Lookout’s Lakshmanan added that rather than sinking more dollars into security point-products, organizations need to embrace a comprehensive zero-trust strategy. Lakshmanan said some important elements of this include endpoint protection, adaptive access control with continuous risk assessment, and wrangling "shadow IT."
“In today’s hybrid workforce, employees access corporate resources from a wider variety of devices and locations, so having visibility and the ability to regulate access of these endpoints is essential,” said Lakshmanan. “If suspicious activity is flagged by these endpoint monitoring tools, companies also need to be able to close access to that user pending further examination. This is where adaptive access control and continuous risk assessment come in — users that violate the normative bounds determined by their job function can’t access sensitive information until after the security team has had a chance to verify that the access was legitimate.”
Finally, Inversion6’s Burland said companies need to double-down on awareness. Burland said power users and developers have a great deal of freedom and flexibility in cloud environments to deliver functionality. That freedom and flexibility also creates opportunities for misconfigurations that adds unwanted risk, said Burland.
“Arm these privileged users with knowledge about good and bad practices in the cloud,” Burland said. “Help them understand that they have a role to play in the organization’s cyber defense.”