12 May 2022
How can management secure the future in a cloud native environment?

By EY Denmark

Multidisciplinary professional services organization.

Related topics Cybersecurity Digital Risk

Cloud computing is becoming the norm. With the right actions, executive management can navigate around the cyber implications of cloud.

In brief:

  • In a journey towards cloud adoption, executive management can mitigate key cyber risks by focusing on upskilling personnel to be cloud-native in handling risks within the cloud strategy, and by establishing cloud risk frameworks.
  • Executive management can furthermore launch risk governance models for cloud, foster risk-informed design and repeatable processes, automate cloud risk monitoring, and leverage data-driven capabilities for increased cyber visibility.

For years, cloud adoption has steadily worked itself into the everyday vocabulary of systems architects, platform engineers, and executive management alike. Countless organizations now deliver parts of their computation needs in the cloud, with emerging cloud-native applications, cloud delivered service models and products. In fact, Gartner predicts that public cloud deployments will deliver greater workloads than data centers by the end of 2022.

From the business perspective, cloud computation commercializes the traditionally costly on-premises datacenter, freeing up valuable working capital to be reprioritized elsewhere. Likewise, the proliferation of cloud technology has greatly lowered the barrier of entry for small-and-medium enterprises (SMEs) to deliver digital services and products across time and space by allowing for a commercialization of delivery and operations of a complex technology stack. National Institute of Standards and Technology (NIST) SP 500-322 names five key properties for cloud, namely on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service. Hence numerous firms have emerged in novel fields such as financial technology, virtual banking, and media consumption, each offering new value propositions for a customer base rapidly developed with a cloud service model. Likewise, a cloud service architecture also has clear inherent advantages for business continuity planning, operational resiliency, and compliance. 

From the executive management perspective, cloud adoption and security are observed to be among the fastest-growing segments of information security, in part thanks to the recent mass adoption of new working models, e-commerce growth, and the proliferation of digital services. From a systems development perspective, cloud migration profoundly changes the way applications are built, deployed, and maintained. These support the main market drivers for cloud adoption, namely competitive advantage, flexibility, resilience, and transformation.

Navigating the risks in a path toward the cloud service model 

So far, a cloud service model can be seen as the silver bullet for all of the computational needs of an existing enterprise. However, for non-cloud native organizations, it does have heavy implications, because cloud adoption involves deep changes in areas such as technology stack, organizational process, and operating models.

According to Eurostat, 72% of large European enterprises use cloud computing in 2021, an increase from 65% in 2020, while 41% of enterprises of all sizes use cloud computing services. Likewise, the use of cloud for e-mail and file storage is prevalent, at 79% of organizations in 2021, while 61% used it for office software, 61% for financial or accounting software applications, and 58% for security software applications. Moreover, the sophistication of cloud computing services used is observed as high, with 73% of all enterprises leveraging sophisticated cloud computing services.

Evidently, while offering promising value propositions, cloud adoption does come with cybersecurity risks that executive management and security practitioners must be keenly aware of. From our experience working with cloud, there are some risks and challenges that must be addressed by executive management in close conjunction with security practitioners and the cloud vendor.

  • Data leakage, primarily via misconfiguration and identity & access management issues.
  • Delays in the cloud journey – due to dependencies, unpredictability, legacy systems etc. This may disrupt the original business case. 
  • Risk management approach not following the new cloud environment.
  • Non-compliance with legal and regulatory duties due to insufficient transparency on data holding aspects. 
  • Insufficient business continuity planning to address the event of cloud provider failure, acquisition with negative impact, or change in cloud provider service strategy.
  • Lack of a clear target architecture, addressing aspects such as directory services, authentication, encryption, monitoring, containers, etc. in a cloud context. 
  • Lack of data management ownership caused by a missing governance structure, leading to insufficient protection of data.
  • Lost data portability and interoperability.

Nonetheless, organizations facing such challenges might need to invest effort to achieve a secure migration, operation, and usage of cloud resources. In our experience, these are some considerations that executive management, security practitioners, legal counsel, business owners, and systems architects alike can be aware of.

  • Risk management – with supporting frameworks, methodologies, and functionalities to manage cloud-related risks holistically. 
  • Vendor and contract management – implementing practices and capabilities to drive key cloud service metrics and manage cloud contracting. 
  • Organizational management – employing repeatable and standardized processes for cloud organizational management.
  • Data security – managing and maintaining the confidentiality, availability, and integrity of information resources residing in the cloud.
  • Operations – changes in processes to reflect cloud-centric nuances and requirements across the organization, including topics such as shadow IT. 
  • Compliance – with the appropriate legal and regulatory requirements by implementing security controls.  

Governing and managing cloud risks

Organizations embarking on a cloud transformation can adopt efforts in long-term strategy, medium-term organizational adaptation, and operational optimization. This will aid in the transition towards the future cloud service model.

From a strategic perspective, executive management can focus on upskilling skillsets and competencies. Security practitioners and risk management are to gain the fluency to identify the risks within the enterprise cloud strategy. Likewise, risk management frameworks are to be reworked according to the identified risks and regulatory implications, where a control expectation is to holistically counter the risk to an acceptable level.

From the perspective of organizational adoption, security practitioners, executive management, and business owners can derive an enhanced risk governance model tailored for cloud. The model is to drive alignment and integration of embedded risk functions to address the risks with a cloud service model. Likewise, the foundations of repeatable patterns can be laid by establishing risk-informed design and configuration patterns for cloud services and technology architectures; this will drive consistency and streamline governance and control activities.

Finally, from the perspective of operation, the organization can leverage automated cloud risk monitoring, cloud-native security services, and secure-DevOps to automate continuous risk and control monitoring. Likewise, many cloud providers might also leverage data-driven predictive capabilities to allow for proactive forecasting and risk mitigation.

Conclusions, managerial implications, and key takeaways 

Cloud service architecture is a trend that is going to continue. There are myriad reasons for cloud migration, e.g., enabling greater business agility, scalability, or service quality.

A cloud migration can be a daunting task, thus executive management is to be aware of the reasons why a cloud service model benefits the organization. Likewise, one is also to be aware of the typical risks of a cloud service model.

From a cybersecurity perspective, one needs to be aware of risks including the intended target cloud architecture, interoperability, and data management ownership. Some risks can be countered quickly by supporting cloud-based risk management frameworks, developing repeatable standardized processes for cloud organizational management, and driving cloud service metrics. 

Just like with many other business decisions, the cost-benefit decision will ultimately fall to executive management. If the decision is to adopt a cloud service model, then much ground in cybersecurity can be covered by upskilling risk practitioners on cloud technologies, terminologies, and intricacies. Likewise, a risk framework for cloud can be developed based on the identified risks and regulatory implications of the cloud strategy.

Moreover, a cloud-based risk governance framework can drive alignment and risk functions to be embedded into the organization, with repeatable patterns being established and documented to drive operational consistency. 

Contact: Jonathan Kwok, tel. +45 2529 4287.

Summary

The journey towards a cloud service model will bring profound change to all facets of the organization, which can propel one’s business model to the next era. During that journey, executive management is to be aware of information security risks, including data leakages, legacy dependencies, data portability, and data management ownership, among others. Efforts within a renewed cloud-native risk management framework, appropriate vendor and contract management, redesigned operations, and compliance considerations can mitigate the cyber risks in a cloud service model.
