5 minute read 6 Dec 2021

How could shifting left fast forward your cloud security strategy?

By Carlo Gebhardt

EMEIA Cloud Security Lead | Switzerland

Passionate about security and everything related to cyber. Firm believer in life-long learning. Avid pilot.

As the cloud moves from mainstream to mainstay, organizations need to get smart on their cloud strategy now.

In brief
  • Digitalization and shifts toward “work anywhere” have accelerated adoption of the cloud
  • To navigate complexity, organizations should embrace a smart cloud mindset
  • Partnering with external experts can help the cloud team plug gaps in skills or knowledge and get the most from their cloud strategy

As we emerge from the global pandemic, ongoing digital transformation and work anywhere policies are accelerating cloud adoption. At the same time,  cyber security continues to be a major cause of concern. Given that a “no cloud” strategy in five years will feel like a “no internet” strategy today, it’s vital not to leave trust to chance. Organizations should start now to implement smart cloud strategies that enable their business and address security concerns. In doing so, they should focus on three key steps:

  1. Embrace cloud-native technology and principles to enable ubiquitous security
  2. Shift left to consider security at every stage of the cloud lifecycle
  3. Establish a culture of excellence with key internal talent and strong external partners 



of organizations list security as their main concern when adopting cloud

When it comes to infrastructure, the public cloud is set to be inherently more secure thanks to the large investments made by the cloud providers. However, companies still need to implement adequate controls, particularly over the data that is processed in the cloud. In a study by AMS, 95% of organizations admitted to being concerned about cloud security, with 29% extremely concerned and a further 42% very concerned. Specifically, 67% were concerned about data leakage, 61% about data privacy and 49% about accidental disclosure of credentials. The truth is that many cloud security concepts simply don’t address these concerns adequately. Companies should start with a clear roadmap that covers the cloud provider’s responsibilities as well as their own. But they need to keep in mind that the shared responsibility model embraced by most cloud providers shouldn’t be confused with a security safety net. While certain security functions such as patch or vulnerability management can be delegated to the cloud provider, risks cannot be transferred to the provider.

A “no cloud” strategy in five years will feel like a “no internet” strategy today.
Dr. Carlo Gebhardt
EMEIA Cloud Security Lead | Switzerland

We believe that strong cloud security governance is needed, so that organizations can provide much-needed visibility and execute the right level of controls for their business. As the regulatory landscape catches up with technological advances, legislation is likely to mandate stronger cloud security governance for all companies, not just those operating in sectors already required or recommended to adhere to stringent security standards.  Whether required by law or not, many companies are keen to future-proof their cloud environment. However, many experience challenges along the way.

Although the cloud is well established, there is still often hype around applications and solutions. Significant interest from the capital markets drives this to some extent. At the same time, periods of hype have in the past given way to incremental security improvements – a positive development for all stakeholders. Providers have raced to create comprehensive cloud hosting and security packages. While this may seem convenient at first, reliance on such models can restrict freedom of choice when it comes to integrating competitive security solutions.

At present, highly fragmented technology across the cloud solution space can make it difficult to know where to head with your cloud strategy. Business leaders can feel overwhelmed by choice, especially as there is often considerable overlap between providers and solutions. And technology moves fast. Depending on where an organization stands on the cloud transformation journey, point solutions can be a short-term fix, but will often add to the complexity of the cloud environment and drive silos – the very opposite of the cloud intention.

Partnering with a knowledgeable external partner can help. At EY, we aim to take the burden of compliance and risk out of the client’s cloud journey, from design through build to operation. In doing so, we strive to become the number one cloud security services provider for regulated industries within the next couple of years.

Whether you’re an early or late adopter, now is the time to get cloud smart. This means adopting the cloud where it makes sense from a business, regulatory and compliance perspective. It also means retaining whatever functions are necessary, and being bold enough to leapfrog some neglected security capabilities through smart adoption of cloud-native security functions. A healthy split between cloud and retained functions is the current direction, as recently underpinned by AWS’s CEO Adam Selipsky.

Biggest threat


see misconfiguration as their top security concern

Cloud security is an integral business support function, but it’s also a driver of innovation, so it’s important to get it right. While there is often a perception of complexity and vulnerability, many security requirements in the cloud are in truth the same as for on-premises setups – provided measures are properly implemented. Around 70% of cloud security incidents occur due to misconfiguration rather than inherent security gaps, and 71% of cyber security professionals are concerned about the issue. This is all the more reason to reduce complexity.

We believe that legacy ideas should be abandoned as the cloud evolves. Companies that adopt a continuous cycle of innovation may fail early, and fast, but they are also the first to benefit from the innovation the cloud brings. Adopting new concepts as technology matures is sometimes the most direct path to simplification – and agility. Another driver of agility is ownership of code – the key to consistent resiliency and independence. Securing relevant resources and expertise, either within the organization or by partnering with an external provider, is an important investment in a long-term smart cloud strategy.

When designing the cloud environment, security should be considered and incorporated everywhere to yield the strategic benefits over your cloud lifecycle – often referred to as a “shift left” in the development lifecycle. A smart cloud security mindset is one that embraces security with an appropriate degree of skepticism. An organization’s cloud team should start from the perspective of an assumed breach, applying a zero trust mindset. It’s also a chance to adopt cloud-native security principles, which support agility and speed, improve scalability and boost the security return on investment. Automated security functions increase the rigor of the security of the environment but must always be tested and verified thoroughly. Chaos engineering – where random and unpredictable events test the robustness of the system – can help identify residual weaknesses or unexpected gaps.
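One concrete form of “shifting left” is a policy-as-code gate that inspects the infrastructure definition before anything is deployed, catching the misconfigurations that the article cites as the cause of around 70% of cloud security incidents. The following is an added example and not code from the article or from EY; the resource schema (`storage_bucket`, `firewall_rule` and their attributes) and the sample plan are constructed for illustration and do not follow any particular provider’s format.

```python
"""Shift-left misconfiguration gate over a rendered infrastructure plan.

Added example (not from the article). The resource types, attribute names
and the sample plan below are constructed for illustration only; they mimic
common cloud resource settings but are not any provider's real schema.
"""
import json
from dataclasses import dataclass

# Constructed sample: an infrastructure-as-code plan rendered to JSON.
# Two of the four resources are deliberately misconfigured.
SAMPLE_PLAN = json.dumps({
    "resources": [
        {"type": "storage_bucket", "name": "customer-exports",
         "public_read": True, "encryption_at_rest": False, "access_logging": False},
        {"type": "firewall_rule", "name": "admin-ssh",
         "direction": "ingress", "cidr": "0.0.0.0/0", "ports": [22]},
        {"type": "firewall_rule", "name": "web",
         "direction": "ingress", "cidr": "0.0.0.0/0", "ports": [443]},
        {"type": "storage_bucket", "name": "audit-logs",
         "public_read": False, "encryption_at_rest": True, "access_logging": True},
    ]
})


@dataclass(frozen=True)
class Finding:
    resource: str
    rule: str
    severity: str  # "high" or "medium"


# Management-plane ports that should never be reachable from the whole internet.
ADMIN_PORTS = {22, 3389, 3306, 5432}


def check_storage_bucket(res):
    """Flag public exposure and missing encryption/logging on a bucket."""
    findings = []
    if res.get("public_read"):
        findings.append(Finding(res["name"], "bucket-public-read", "high"))
    if not res.get("encryption_at_rest", False):
        findings.append(Finding(res["name"], "bucket-unencrypted", "medium"))
    if not res.get("access_logging", False):
        findings.append(Finding(res["name"], "bucket-no-access-logging", "medium"))
    return findings


def check_firewall_rule(res):
    """Flag ingress rules that open an admin port to 0.0.0.0/0."""
    findings = []
    if res.get("direction") == "ingress" and res.get("cidr") == "0.0.0.0/0":
        if ADMIN_PORTS.intersection(res.get("ports", [])):
            findings.append(Finding(res["name"], "admin-port-open-to-world", "high"))
    return findings


CHECKS = {"storage_bucket": check_storage_bucket, "firewall_rule": check_firewall_rule}


def evaluate_plan(plan_json):
    """Run every applicable check over each resource in the plan."""
    plan = json.loads(plan_json)
    findings = []
    for res in plan.get("resources", []):
        check = CHECKS.get(res.get("type"))
        if check is not None:
            findings.extend(check(res))
    return findings


def posture_summary(findings):
    """Count findings per severity: the visibility input for posture reporting."""
    summary = {"high": 0, "medium": 0}
    for f in findings:
        summary[f.severity] += 1
    return summary


def gate_passes(findings):
    """Pipeline policy: block deployment on any high-severity finding."""
    return not any(f.severity == "high" for f in findings)


if __name__ == "__main__":
    found = evaluate_plan(SAMPLE_PLAN)
    for f in found:
        print(f"[{f.severity.upper()}] {f.resource}: {f.rule}")
    print("summary:", posture_summary(found))
    print("gate:", "PASS" if gate_passes(found) else "FAIL")
```

Run in a pipeline stage, the gate fails the constructed plan because of the public bucket and the SSH port open to the world, while the medium findings are reported without blocking. The same `posture_summary` output, collected across pipelines over time, is the kind of measurement the article later calls for when it says you cannot control what you cannot measure.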

Being cloud smart enables organizations to leapfrog security capabilities while at the same time minimizing outsourcing risks.
Dr. Carlo Gebhardt
EMEIA Cloud Security Lead | Switzerland

In terms of culture, it’s important to establish strong cloud security governance, equipped with purpose and mission. A smart cloud strategy relies on key security talent – and integration of that expertise into a unified cloud team across functions within the organization. To retain ownership over the cloud strategy, organizations should seek to nurture that in-house talent while building relationships with strong external partners. This also helps to foster continuous innovation and ensure accountability for technical changes needed over time.

Another core capability of the internal cloud organization is oversight. But you cannot control what you cannot measure. For this reason, companies should work to establish visibility of their cloud security posture and compliance footprint. The insights gained inform both urgent needs for action and long-term improvements. Centralizing cloud security services translates into a reduced attack surface, improved depth of defense and economies of scale. We believe that an independent technology strategy supports the greatest level of agility and resilience. At the same time, investing in provider-specific but strategically independent security capabilities can make sense for organizations seeking to support multi-cloud capabilities.

Responsibility for the cloud should not be an isolated “function” within an organization. Core cloud teams should foster regular exchange on concepts, ideas and status to break down silos, while inclusive sprint meetings can accelerate progress at critical points in the cloud development process. And a process it is: a smart cloud approach is never “done”. As new threats and opportunities emerge, cloud teams need to respond and evolve.


A “no cloud” strategy in five years will feel like a “no internet” strategy today. Yet many organizations feel overwhelmed by the complexity and pace of change. EY believes a smart cloud strategy should focus on embracing cloud-native technology, shifting left to consider security at every stage of the cloud lifecycle and establishing a culture of excellence.
