The news is — with 3,657 words, non-hyphenated research, and the best thought building material — it’s recommended to wade through this article on a comfy seat with a hot cup of tea/coffee. Enjoy the read…
Table of Contents
- Understanding Cloud Computing
- Types of Cloud Deployment Models
- Types of Cloud Service Models: The cloud computing stack
- Fencing the Cloud to Minimize Security Breaches, Maximize Security
- Recommendations for Cloud Governance & Cloud Risk Management
- Getting Rid of Legacy Roadblocks: Consider “lift-and-shift”
- What’s the Right Choice for My Business?
- What ISC’s Cloud Security Report 2021 Has To say
- The Role of Emerging Technologies in Securing Companies’ Cloud-first Initiatives
- Data Security Resilience: Adhere to These Regulatory Compliance Frameworks
Understanding Cloud Computing
A big shift from the traditional way an organization thinks about IT, cloud computing is a disruptive technology that enables users to tap into the benefits of computing infrastructure. Built on the foundation to scale, cloud computing has better positioned executives to enhance collaboration amongst teams and data availability throughout the organization — over the internet (“the cloud”).
ISO/EC defines cloud computing as, “Paradigm for enabling network access to a scalable and elastic pool of sharable physical or virtual resources with self-service provisioning and administration on-demand.”
In short, cloud computing has enabled organizations to rent as many computing resources as they need from cloud service providers. Moreover, you pay only for cloud services you use — lowering: Operations, infrastructure building, and maintenance costs; and improving: Productivity, performance, reliability, and security.
Types of Cloud Deployment Models
There are three main types of cloud computing models: Public cloud, private cloud, and hybrid cloud. But before deployment, you need to discover which cloud deployment model best suits your business curiosities.
- Public cloud: The public cloud infrastructure is managed and owned by a third-party provider, physical infrastructure is located off-premises. The services are mainly consumed by the general public or a large industry group. You access services and manage accounts using a web browser.
- Hybrid cloud: The Hybrid cloud infrastructure is managed and owned by an organization and a third-party provider. Two or more entities own the infrastructure; the access is restricted but not limited to trusted users only. The infrastructure’s physical location might be on-premises or off-premises. Hybrid cloud enables greater flexibility and provides more deployment options which help to optimize the existing infrastructure, security, and compliance regulations.
- Private cloud: The private cloud infrastructure is managed and owned by a single organization, and access is limited to trusted users only. Services and infrastructure are maintained on a private network — becoming the safest option for organizations that value security the most.
Types of Cloud Service Models: The cloud computing stack
To simplify things, think of it this way: Software as a service (SaaS) is built on Platform as a Service (PaaS), which is built on Infrastructure as a Service (IaaS). Let’s discuss them in greater depth.
- Infrastructure as a Service (IaaS): IaaS cloud service model offers access to basic computing infrastructure like storage, networks, servers on a pay-as-you-go basis. Some famous IaaS cloud computing companies are IBM Cloud, Amazon AWS, Microsoft Azure, Red Hat, etc.
- Platform as a Service (PaaS): PaaS cloud service model offers an on-demand environment for developing, testing, delivering, and managing software applications. PaaS provides fully managed underlying computing services like servers, networks, or other infrastructure. Top PaaS providers are AWS Elastic Beanstalk, Oracle Cloud Platform, Google App Engine, Microsoft Azure, Salesforce aPaaS, Red Hat OpenShift PaaS, etc.
- Software as a Service (SaaS): SaaS cloud service is a fully developed software application that users access over the internet — on a web browser or a mobile application. The applications are fully managed and hosted by the service provider. Hevo is an example of a SaaS application which is highly trusted by data-driven companies in the world. Other famous SaaS applications are HubSpot, Salesforce, Slack — even Netflix, and Amazon Prime.
Fencing the Cloud to Minimize Security Breaches, Maximize Security
On the brighter note, with the emergence of cloud computing, the ability to access and obtain information has increased seamlessly. Hence, leaders have quickly understood their dependence on cloud technology which enables employees to work from home, in order to achieve better, sustainable results — in cost, speed, enablement, service levels, and resilience and continuity.
Studies suggest, prompt adopters of cloud technology have been realizing technological, operational, and security challenges early, achieving expected cloud benefits quicker — outperforming those not-so resilient to the change.
The influx of third-party Managed Service Providers (MSPs) into the markets is at the crux of this exodus of data from on-site premises to fully managed cloud storage facilities. And leaders are leveraging this imperative to transform, which impacts businesses worldwide. One common theme of organizations quickly adopting MSPs and other cloud computing services is the executives’ alleviated pains, intertwined with measured success and expected gains out by fully transitioning to the digital, bringing us to the question; can we trust our data in the cloud?
It’s true, stakes are high for organizations leveraging cloud over legacy infrastructure. And, now the seriousness is catching up with a realization as lack of data security awareness threatens business integrity in highly competitive, tech-savvy markets, putting immense pressure on executives to eventuate scenarios where their data might be at the risk of getting exposed — due to threats from both within and outside the organization. So, it has become more important than ever for the leadership to take precautionary steps while adopting cloud services and strategizing for the long term.
Business leaders are on the lookout for an agile solution that should answer most, if not all, the prevailing concerns. The top three concerns listed out by the leaders were, according to the Accenture report:
- Security & compliance risks (46%)
- Legacy infrastructure & application sprawl (40%)
- Misalignment between IT and the business (40%)
We will continue to talk about these three governing parameters throughout the article.
As executives dive deep into the nitty-gritty of cloud applications and some of the more prevalent security lags, a theme has to be set for a holistic survival plan and a basic understanding of how these technologies and threats execute.
Recommendations for Cloud Governance & Cloud Risk Management
Cloud governance and risk management are two areas of focus for any cloud deployment. Before entering into a business partnership, learning how an organization is directed and controlled, follow-ups regarding the data sharing policies, and internal controls are essential. Most of the governance models are similar, and most adhere to five basic principles:
- Auditing the supply chain management;
- Evaluating board and management structure;
- Corporate responsibility, including compliance and obligations;
- Financial management and transparency in the processes; and
- Ownership structure and control.
Under domain 2 of the CSA’s Security Guidance, leaders can levy the cloud governance recommendations focussing on external providers, such as the SaaS enterprises to control costs, minimize security risks, improve efficiency, and accelerate deployment. The CSA recommendations focus on three main aspects — contracts, supplier assessments, and compliance reporting.
- Contracts: The supplier-customer relationship is based on the contractual agreement, a legal adhesive that is the only guarantee, commitment for any service. Hence, making a contract the primary tool for data governance, for buyers as well as the suppliers. In a modern business framework, like the SaaS, service details are set forth in the standard agreement, which makes it easier for the user to know the terms of services beforehand — benefiting both parties.
- Supplier Assessments: Supplier assessment rests at the core of the cloud risk management program. These assessments are carried out on specific legal, contractual, and business credentials, including financial viability, history, feature offerings, third-party attestations, feedback from peers, etc. Ironically, from the sales perspective, it’s imperative to move away from sales-led. So, the assessment process has shifted to service-led to make hands-on evaluation easy and more cognitive, like a restaurant where self-service is preferred.
- Compliance Reporting: Organizations can perform compliance reporting internally or through an independent third-party auditor to provide validations to their requirements. Many a time (most of the time), SaaS providers provide users documentation and comprehensive data security compliance reporting. It’s users’ responsibility to meet the SaaS providers’ standards and ask/look for the necessary information to ensure compliance, too.
Getting Rid of Legacy Roadblocks: Consider “lift-and-shift”
A smooth transition from legacy systems to cloud with a decluttered approach might be difficult for organizations due to many factors ranging from the cost of transitioning to lack of skills; moreover, in a 2018 research, 70% of the leadership preferred to keep running legacy systems, as long as possible. Yet, on the other hand, the urgency to shift to the cloud was never questioned. A great example would be in the insurance sector. The same research cites an example of how an insurance company increased its auto policy sales by 350%, by justly embracing cloud and its sister technologies. Leading us to the question: Should we get rid of all our legacy infrastructure?
The answer is no. But, consider “lift-and-shift”. For organizations new to cloud computing, it would be a good alternative not to redesign already existing workflow applications but instead deploying a copy of on-premises applications in the cloud, reducing costs in the short run.
For the long term, consider building on the principles of the supply-chain system rather than building from scratch, which means shifting from the traditional approach and leveraging the commercial off-the-shelf solutions. This approach promotes a shared security responsibility model, which means the service provider and the user both take shared responsibility for data security. Today, the shared security responsibility model has become imperative for mitigating data security risks and legal vulnerabilities.
What’s the Right Choice for My Business?
Let your immediate business decisions dictate the theme for future business outcomes. Let’s explain this using real-world examples of some companies that leveraged the right cloud choices — Software as a service (SaaS), infrastructure as a service (IaaS), and Platform as a service (PaaS) — to achieve greater business success.
Rolls Royce transitioned to a cloud-based HR system to generate an accurate picture of its business deployment and human resource capital, spanning 46 countries. Before, the company faced issues with its legacy systems, which proved inadequate to manage and report certain skills and talents of its employees.
Del Monte, an Accenture client, transformed its IT infrastructure in less than four months leveraging IaaS and PaaS models, seamlessly improving applications’ management and visibility into IT spending — achieving greater consumer satisfaction, cost-saving, and operational efficiency.
In short, cloud computing is not one size fits all. To leverage the economies of scale, organizations need to adapt to changing requirements and realities and ask themselves; how and where to get started?
Consider this general principle: IaaS helps organizations exploit data storage and computing resources by just simply renting them out — substantially reducing maintenance and purchase costs. PaaS remains the popular choice for organizations that want to build unique applications without making significant financial investments. And SaaS, the most commonly used cloud application service, helps organizations/users to access software applications virtually anywhere.
But, what about the best practices to mitigate incidents where sensitive data might get exposed or leak? The answer is simple: Again, start hoovering across the basics of the shared security responsibility model for the cloud, three best practices for data security will gather most, if not all, the attention.
But, before we continue, it’s important to understand, the shared security responsibility model is a two-way streak, it’s the providers’ responsibility to assure the applications you build/operate on top of will not compromise your data. And it’s your organization’s responsibility to keep the data safe too, by following the security guidelines set by a provider — the most reliable source for building a resilient security strategy is the NIST cloud security reference architecture (It’s a policy framework and includes sets of best practices that every organization must follow).
So, the three best practices are — keeping the principles of the shared security responsibility model intact:
- Defining the role of the users: Securing user profiles has become more important than ever. Hence, in a fast-paced work environment, keeping critical data’s access limited to privileged only profiles or the top management must become the standard. On the other hand, imparting knowledge to the employees about ‘chain-of-command,’ or the rules to follow while interacting or sharing certain files/data (outside or within an organization) will help organizations mitigate much of the risk.
- Adopting best practices while in the software developing phase: Because all the data’s responsibility falls on to the shoulders of organizations, it becomes imperative to follow the best practices around secure and compliant coding, while being in the software developing process itself. The software development lifecycle’s agility is key to building sustainable, secure, and compliant software within cloud ecosystems.
- Positioning DevSecOps: Organizations need to have strong testing, engineering, compliance, and security environment — putting in place a holistic DevSecOps practice might be a solution. DevSecOps conducts comprehensive testing routines to ensure reduced risk by running tests against software in the pipeline to map out its robustness in terms of security and compliance.
What ISC’s Cloud Security Report 2021 Has To say
ISC’s cloud security report has been at the forefront of seeking the latest trends and concerns of new cloud adopters. The Cloud Security Report 2021 delivers crucial insights into prevailing fears of consumers — from shortcomings to the know-how(s) of today’s industries and reshaping business alignments, especially on the back of the COVID-19 pandemic.
The news is, organizations are looking forward and promptly migrating to the cloud. And, due to the COVID-19 pandemic, the pace of migration has picked pace, leaving the door open for hostile users and hard-to-find incidents — worldwide.
Growing Insecurities and Depleting Confidence in Cloud Security Posture
The sudden shift to the digital has been making executives nervous. Almost 96% of executives expressed being at least moderately concerned about public cloud security because it disrupts traditional data security models. Moreover, when asked, “How confident are you in your organization’s cloud security posture?” The ISC report documented a fall in confidence — 66% in 2020 said, “are not at all confident” to 72% in 2021. Some of the data security concerns were also listed out — data loss (64%), data privacy (62%), and accidental exposure of credentials (45%).
Nevertheless, according to the McKinsey Report, organizations can develop consistent approaches to help mitigate data security risks by creating a cloud-centric data security model, redesigning or realigning cloud access controls, understanding the split in responsibilities of the shared security model, and principling out how DevOps can be positioned to tackle data security challenges.
Operational Security Issues, Barriers to Cloud Adoption, and Cloud Data Security Threats
Compared to ISC’s last year survey, the realization about operations, adoption, and cloud security threats has been picking pace in the cybersecurity professionals’ community, as organizations have been quick to migrate to the cloud. And most organizations have faced qualification, compliance, and operational issues as complexities in adoption are increasing.
In the ISC’s report, most professionals voted lack of qualified staff (49%), compliance (40%), and visibility into infrastructure security (36%) the greatest of the day-to-day challenges. On the other hand, at thirty-nine percent (39%), lack of staff and expertise proved to be the most significant barrier to cloud adoption, hinting at a shortage of experienced cybersecurity professionals in the hiring markets, followed by Data security, loss & leakage risks (34%); Legal & regulatory compliance (32%). And when asked about the biggest security threats in the public cloud, the top four contenders were:
- Misconfiguration of the cloud platform (67%).
- Exfiltration of sensitive data (59%).
- Unauthorized access (49%).
- Insecure interfaces/APIs (49%).
Skill Lag Exists, But It’s Still Possible to Reimagine Business
The most prominent business challenge prevailing throughout the ISC report was the skill lag and lack of readiness in operational and conceptual understanding, directly impacting executives’ decision making, affecting their ability to secure data, making organizations’ confidence in their overall security readiness at a record low at seventy-three percent (73%). Furthermore, seventy-eight percent (78%) believed their teams could benefit from cloud security training and/or certification.
Reimagining the business to tap into the full potential of the economies of scale, organizations need to delink themselves from the traditional business model and start thinking about the fundamentals again.
For example, Takeda, a biopharmaceutical company, modernized its entire business outlook by migrating 80% of its applications to the cloud. Due to this transition, Takeda delivered better experiences to their patients and successfully cut costs, time to insight, and discovery. In the process, the company also plans to accelerate its cloud-first business outpost, creating hundreds of new jobs in specialized roles in emerging data and digital fields, accessing new talent pools, and upskilling thousands of employees. Hence, there is no shortcut here, but making aggressive plans today is an essential first step.
The Role of Emerging Technologies in Securing Companies’ Cloud-first Initiatives
Though emerging technologies such as AI, Ml, and automation aren’t yet integral or even matured to handle business operations today, they are gaining considerable momentum across the globe. Due to rapid digitization, the attack surface for malicious aggressors has increased. And incumbents have been quick to acknowledge roles that new technology prospects will play in protecting our workspaces.
The DXC report suggests that a majority, 91%, rate Data analytics somewhat to very important for their business operations, and 85% rate it somewhat to very important for security operations. 62% rate Artificial Intelligence/Machine Learning somewhat to very important for their business operations, and for their security operations, 61%. About 80% and 77% rate automation somewhat to very important for their business operations and security operations respectively.
Emerging Technologies are Still in the Nascent Stages of Development
Though imperfect, emerging technologies have evolved significantly over time. Already, security professionals have been using advanced tech to block threats by detecting unusual behaviors which are hard to detect for humans.
Again, one exceptional example would be of Takeda, which maneuvered its 80% online business footprint to the cloud, also have plans to leverage AI and cloud to empower its workforce with added assistance — to help employees make better decisions, deliver transformative therapies, and better experiences to patients, and physicians.
Moreover, cloud computing benefits from AI-based solutions and vice-versa. There are two schools of thought: First, the merger of AI and cloud to form a whole new entity called AI software-as-a-service; and second, the consolidation of data in the cloud with AI capabilities to power predictive analytics and related technologies. AI-driven initiatives can provide strategic depth to an organization for better decision-making. Hence, backed by the cloud’s flexibility, agility, and scale, AI’s scope of influence and share is destined to increase.
But, for now, leaders are very much concerned about issues like liability, social risks, skill lag, perpetuating biases, and security worries. Leaders are anxious, and companies struggle to manage risk because of many layers of organizational depths — legal, compliance, privacy, third-party risks, etc.
Data Security Resilience: Adhere to These Regulatory Compliance Frameworks
To be honest, today’s organizations have little to no say in regulatory compliance matters because the mighty governments of the world regulate them. More often than not, organizations have to adhere to the regulations to be able to work in certain geographies and/or with governments. In most cases, these regulations have become the standard to abide by in order to do business with large corporations, too.
Some compliance obligations are as follows: Statutory, regulatory, contractual, and legal. Altogether, today’s organizations must surrender to these standard requirements to prove they have a resilient security mechanism in place, which gets recognized in the field of the organization’s expertise.
In 2021 there are several important regulatory compliance frameworks to know and keep track of, especially which regulatory compliance framework applies to and for what. Some of them are as follows:
- The Health Insurance Portability and Accountability Act (HIPAA): HIPAA, introduced in 1996, is among the best known regulatory compliance framework which sets standards regarding creating, storing, and transmitting health data for US healthcare organizations and partners. Learn more about HIPAA.
- The California Consumer Privacy Act (CCPA): CCPA came into effect in 2020. It’s a powerful consumer privacy and security law. The law applies to all the organizations that are legal entities that do business in the state of California and collect data of residents living in California. Learn more about CCPA.
- The General Data Protection Regulation (GDPR): GDPR applies to any business entity which, in any way, interacts with an EU resident and/or collects their personal data. More specifically, GDPR has a compliance checklist that every business entity has to comply with. Learn more about GDPR.
- The Payment Card Industry Data Security Standard (PCI DSS): PCI DSS, introduced in 2004, is a security standard set and administered by the Payment Card Industry Security Standards Council. It was introduced to decrease payment fraud and to help protect cardholders’ data. Learn more about PCI DSS.
- Sarbanes-Oxley Act (SOX): SOX is a United States federal law enacted to protect shareholders and the general public from widespread accounting fraud and misrepresentation in public and private companies by improving the accuracy of corporate disclosures. All US public companies need to comply with the requirements of SOX. Learn more about SOX.
Indeed, the paradigm has been shifting for companies today struggling with the security risks of implementing new technologies such as the cloud and artificial intelligence (AI), and machine learning (ML). With this shift, the need to secure workspaces and business data has also emerged. That said, achieving expected results with the cloud’s full potential requires much more than technology.
2021 requires quick adaptability, a compliance framework for new technologies and ways of working, a new operations model, and new roles and skills, which is an uphill battle. With no one size fits all philosophy in mind, it is required to pivot and resize vision into strategies that are very much inspired by the industry itself. Hence, companies that start now on their transformation will increase their business agility with a scalable, flexible, and resilient approach to IT and data security.