5 minute read 17 Sep 2021
Close up of bridge structure

How to balance security and agility in the cloud

By Steve George

EY Global Chief Information Officer

Business-oriented technology leader. Embedding progressive technologies across global teams in hybrid work models. Travel and college football enthusiast. On the Florida coast with his wife and dog.

5 minute read 17 Sep 2021
Related topics Cybersecurity GISS

In the rush toward cloud-enabled agility, organizations can’t afford security mistakes that could undercut digital innovation efforts.

In brief

  • As increased adoption of cloud applications makes organizations more agile, cybersecurity needs to be embedded in the origin of software and process design.
  • Trusted security components can be reused across cloud-based projects for faster development times.

IT and security leaders need to adapt traditional security postures to support, and secure, the new world of hybrid and multi-cloud environments. The goal: balance the drive for agility with a secure and resilient architecture.

As public and hybrid cloud environments gain traction, it’s become easier for business stakeholders to deploy applications and workloads in the cloud without IT assistance. While the paradigm shift enables a faster response to changing business needs, it also increases the likelihood that critical data and corporate IP is exposed beyond the secure perimeter of the traditional enterprise.

At the same time, the cybersecurity threat landscape has intensified. The Verizon Business 2021 Data Breach Investigations Report (DBIR) noted unprecedented security challenges over the past year, exacerbated by the global pandemic. The report cited increases in phishing and ransomware attacks and a significant rise in web application attacks — comprising 39% of all breaches this year — which underscores companies’ vulnerability when transitioning to a cloud-dominant environment.

Against this backdrop, it’s no wonder that managing security is the No. 1 focus of CIOs surveyed in IDG’s 2021 State of the CIO study, ahead of other core IT activities such as implementing new systems and architecture, improving IT operations and aligning IT initiatives with business goals. More than half (57%) said the current socioeconomic pressures had caused them to increase cybersecurity protections.

Managing security is a top priority


of CIOs said the current socioeconomic pressures had caused them to increase cybersecurity protections

Middleware provides services that don’t reside in the operating system. The term goes back to the late 1960s and was long the domain of highly technical disciplines like interapplication messaging and service-oriented architecture. But the cloud has put middleware at the center of how software is built, thanks to the rise of microservices, which are loosely coupled software functions. Modern cloud applications aren’t monolithic, but consist of components assembled like Lego blocks. An example of a service might be a “buy” button on an order page, a search widget or a package tracking app.

Sophisticated applications, such as ride-sharing, employ thousands of microservices that are exposed via the APIs that have become ubiquitous in the cloud. Programmable Web lists more than 24,000 public APIs, ranging from shopping cart orchestration to information about movies, and there are also millions of APIs that address industry- or function-specific use cases.

Building software on a services foundation provides many advantages. Perhaps the biggest is flexibility. A services approach enables developers to incorporate new functionality, such as voice recognition or chat bots, into their software without extensive building and testing, which allows for continuous development and deployment of new features.

It’s easier to change a services-based application because only individual services need to be modified rather than the entire code base. The result is a modular, more agile approach to software development that accommodates change without wholesale restructuring. We can design and implement at a speed we couldn’t before.

Service orientation is changing some industries fundamentally. Organizations that compete in a market may also cooperate by exchanging services with each other, either charging a fee or receiving other services in kind. In the past, organizations were reluctant to interoperate with one another. Now those services are exposed, and that drives innovation.

To best serve customers, software is required that can stitch the systems of far flung ecosystem partners together to achieve a common goal. That is the function of middleware – it is the glue that connects applications to each other within the enterprise’s four walls, and externally with cloud and software-as-a-service applications from third-party vendors. Middleware also enables businesses to modernize applications by adding abstraction layers that expose functionality as services or adds them to the legacy platform. That’s giving new life to old software.

A key issue is that old-school information security checklists and sit-down security reviews don’t work in an era of agile development. That approach worked with waterfall development when there was six to nine months to deliver a program. But now, with the advent of agile development and cloud, two weeks can be the whole project. You have to step back and think about security in a new way.

Leading practices for balancing business agility and security

As organizations reexamine their security postures, there are a number of leading practices that can help balance agility and security in the cloud. Here are four to consider:

1. Employ a “shift left” approach to security.

Perhaps the most important tenet for safeguarding hybrid and multi-cloud infrastructure is the embrace of security by design practices for software development. Instead of building an application and then looping in security operations to think about how to protect it, this new approach integrates security considerations at the onset — all the way back to the requirements stage, to determine the impact of security controls on employees or customers who will be using the app.

Simply stated, it’s shifting security to the left, into the development organization where it traditionally hasn’t been.

Organizations are lagging in that shift. From the EY 2020 Global Information Security Study, just 36% of respondents said the cybersecurity team is involved in the planning stage of a new business initiative. Moreover, the study found that 77% of cybersecurity spending is defensive in nature, focused on risk or compliance rather than opportunity.

“This isn’t about checklists to see if you did it after you’re done,” says Steve George, EY Global CIO. “It’s about designing security into the build.”

This isn’t about checklists to see if you did it after you’re done. It’s about designing security into the build.
Steve George
EY Global CIO

2. Leverage reusable, trusted components.

The cloud model is built around the concept of components, rather than monolithic applications, which can be reused to speed development and deployment of new services. From a security perspective, application components should be established as secure and made easily available to the development team. From an architectural perspective, it’s the concept of reusability and the application of policy as code, similar to a mainframe environment.

In that way, trusted components can be reused and mixed and matched to speed development and ensure security is integrated from the earliest stages. A formal component reuse strategy will nurture trust in systems, designs and data, enabling organizations to move beyond a reactive security posture to a proactive approach that reduces risks.

It’s all about making sure reusable components work in your cloud environment, and if you can’t, then you need to sit down with the security architects and think about what’s going to be different with this application.

3. Find trusted cloud partners.

Security is a shared responsibility between cloud providers and their customers, with providers securing the cloud infrastructure and customers responsible for securing their data and workloads running in the cloud. The major cloud hyperscalers offer subtle but important differences in their approach to shared responsibility policies. Make sure provider policies align with the specific workloads you’re looking to migrate to the cloud to best match your needs and tolerance for sophistication and configuration.

It’s also critical to think beyond initial set-up to ongoing security maintenance. Security postures today have to be able to react to a world of dynamic change. There has to be an affinity between the environment you select and your development team, such that they can meet the organization’s mission and goals.

Strong partnerships will also give organizations access to the advanced capabilities cloud providers have deployed to be more proactive about security. Artificial intelligence and machine learning are emerging as critical tools for cybersecurity for advanced threat monitoring, detection and response. Cloud providers have integrated these technologies to rapidly process high volumes of data to identify threats and automate responses to alert and, in some cases, mitigate threats.

Automation and monitoring have become absolutely critical as workloads are spread across different tech stacks. You need systems that not only help you watch for issues, but also automatically take steps to resolve them.

4. Continue to raise the security profile.

Given an ongoing spate of high-profile data breaches and ransomware attacks, cybersecurity has become a pressing boardroom issue and a top priority for the C-suite. Yet the EY 2020 Global Board Risk Survey found that only 20% of boards are extremely confident current mitigation measures offer adequate protection from modern-day attacks. It’s up to the CIO and CISO to work collaboratively with C-suite colleagues and the board to communicate cyber risks and strategies in a language the business understands.


A proactive approach to security, supported by alignment across all parts of the business, can give business and IT leaders confidence that they can continue to capitalize on the promises of cloud-driven transformation without increasing risk.

About this article

By Steve George

EY Global Chief Information Officer

Business-oriented technology leader. Embedding progressive technologies across global teams in hybrid work models. Travel and college football enthusiast. On the Florida coast with his wife and dog.

Related topics Cybersecurity GISS

Contact us

Like what you’ve seen? Get in touch to learn more.

Contact us