How could shifting left fast forward your cloud security strategy?

As the cloud moves from mainstream to mainstay, organizations need to get smart on their cloud strategy now.

As we emerge from the global pandemic, ongoing digital transformation and work anywhere policies are accelerating cloud adoption. At the same time,  cyber security continues to be a major cause of concern. Given that a “no cloud” strategy in five years will feel like a “no internet” strategy today, it’s vital not to leave trust to chance. Organizations should start now to implement smart cloud strategies that enable their business and address security concerns. In doing so, they should focus on three key steps:

1. Embrace cloud-native technology and principles to enable ubiquitous security
2. Shift left to consider security at every stage of the cloud lifecycle
3. Establish a culture of excellence with key internal talent and strong external partners 

When it comes to infrastructure, the public cloud is set to be inherently more secure due to large investments by the cloud providers. However, companies still need to render adequate controls, particularly over data that is processed in the cloud. In a study by AMS, 95% of organizations admitted to be being concerned about cloud security, with 29% extremely concerned and a further 42% very concerned. Specifically, 67% were concerned about data leakage, 61% about data privacy and 49% about accidental disclosure of credentials. The truth is that many cloud security concepts simply don’t address these concerns adequately. Companies should start with clear roadmap that covers the cloud provider’s as well as their own responsibilities. But they need to keep in mind: the shared responsibility model embraced by most cloud providers shouldn’t be confused with a security safety net. While certain security functions such as patch or vulnerability management can be delegated to the cloud provider, risks cannot be transferred to the provider. 

We believe that strong cloud security governance is needed, so that organizations can provide much-needed visibility and execute the right level of controls for their business. As the regulatory landscape catches up with technological advances, legislation is likely to mandate stronger cloud security governance for all companies, not just those operating in sectors already required or recommended to adhere to stringent security standards.  Whether required by law or not, many companies are keen to future-proof their cloud environment. However, many experience challenges along the way.

Although the cloud is well established, there is still often hype around applications and solutions. Significant interest from the capital markets drives this to some extent. At the same time, periods of hype have in the past given way to incremental security improvements – a positive development for all stakeholders. Providers have raced to create comprehensive cloud hosting and security packages. While this may seem convenient at first, reliance on such models can restrict freedom of choice when it comes to integrating competitive security solutions.

At present, highly fragmented technology across the cloud solution space can make it difficult to know where to head with your cloud strategy. Business leaders can feel overwhelmed by choice, especially as there is often considerable overlap between providers and solutions. And technology moves fast. Depending on where an organization stands on the cloud transformation journey, point solutions can be a short-term fix, but will often add to the complexity of the cloud environment and drive silos – the very opposite of the cloud intention.

Partnering with a knowledgeable external partner can help. At EY, we aim to take the burden of compliance and risk out of the client’s cloud journey. From design, build and operation. With that we strive to be the nr 1 cloud security services provider for regulated industry within the next couple of years.

Whether you’re an early or late adopter, now’s time to get cloud smart. This means adopting the cloud where it makes sense from a business, regulatory and compliance perspective. It also means retaining whatever function is necessary; and being bold enough to leapfrog some neglected security capabilities through smart adoption of cloud-native security functions. A healthy split between cloud and retained function is the current direction, as recently underpinned by AWS’s CEO Adam Selipsky.

Cloud security is an integral business support function but it’s also a driver of innovation so it’s important to get it right. While there is often a perception of complexity and vulnerability, many security requirements in the cloud are in truth the same as for on-premise setups – provided measures are properly implemented. Around 70% of cloud security incidents occur due to misconfiguration, rather than inherent security gaps and 71% of cyber security professionals are concerned about the issue. This is all the more reason to reduce complexity.

We believe that legacy ideas should be abandoned as the cloud evolves. Companies that adopt a continuous cycle of innovation may fail early, and fast, but they are also the first to benefit from the innovation the cloud brings. Adopting new concepts as technology matures is sometimes the most direct path to simplification – and agility. Another driver of agility is ownership of code – the key to consistent resiliency and independence. Securing relevant resources and expertise, either within the organization or by partnering with an external provider, is an important investment in a long-term smart cloud strategy.

When designing the cloud environment, security should be considered and incorporated everywhere to yield the strategic benefits over your cloud lifecycle – often referred to as a “shift left” in a development lifecycle. A smart cloud security mindset is one that embraces security with an appropriate degree of skepticism. An organization’s cloud team should start from the perspective of an assumed breach, applying a zero trust mindset. It’s also a chance to adopt cloud-native security principles, which support agility and speed, improve scalability and boost the security return on investment.  Automated security functions increase the rigor of the security of environment but must always be tested and verified thoroughly. Chaos engineering – where random and unpredictable events test the robustness of the system – can help identify residual weaknesses or unexpected gaps.