Zero trust strategy: Cloud security by design

Call for change

As we have seen in the last 18 months, cloud opens the door to organizational agility on an unprecedented scale. But security is essential to take advantage of cloud’s potential. Accenture, with our size, scale and complexity, has experienced first-hand the power of cloud security.

Six years ago, Accenture initiated the move into the cloud. While our recent research has identified that security and compliance risk is seen as one of top two pain points of cloud adoption, we were clear from the outset that cloud security would be a critical component to supporting our business needs.

Moving from on-premise infrastructure where we had complete control, to collaborating in the cloud with vendors and needing to rely on their technology and environment was a big shift. Infrastructure and new service capabilities in the cloud are different; we couldn’t simply translate what we had on-premise directly into the cloud.

We needed to reimagine the approach to implementing our security model to harness the capabilities of cloud native solutions. We evolved core security guiding principles to meet the requirements of operating in the cloud. We redefined our security rules to flex around the updated cloud-based infrastructure. When we look at our security approach we think beyond just infrastructure to an application, data and code level as well.

Today, Accenture IT infrastructure runs in the hybrid cloud and is costing significantly less than our legacy delivery models. Our strategy was to be secure from the start, reframing our security in terms of cloud capabilities, which has helped us to see how our cloud solutions can support every element of security needed within the business.

When tech meets human ingenuity

Early on in our cloud continuum journey, we recognized the need to evolve our security practices to accommodate our core security values for the cloud. We wanted to be powered by software-defined, securing our application and infrastructure code from the start. We infused analytics that were behavior-driven, using automated artificial intelligence (AI) behavioral analytics to identify anomalies faster and with more accuracy when working across our cloud platforms. It was important to us to be cloud agnostic, fit for a multi-cloud environment, so that the security framework and principles apply to any cloud vendor with auditability.

What’s more we embedded robust defense, relying on multiple layers of security at varying depths: cloud, network, access, data and endpoints. We centered our strategy on a zero-trust approach, protecting every aspect of the cloud security journey by treating everything as untrusted. With the focus on zero trust, we followed an identity-centric approach, basing all access on identity where every request is explicitly verified.

Five core functions contributed to a successful cloud security journey:

We shared responsibilities. As we increased our software as-a-service (SaaS) and platform as-a-service (PaaS) consumption in the cloud, we focused on and trusted in a shared responsibility model with our cloud vendors. By sharing the responsibility with our hyperscalers instead of owning the responsibility, we become inherently more secure. Our partnerships with Microsoft, Amazon and Google cloud services took advantage of their maturity in the market, their wide security certifications, and the fact that they value security as much as we do.

We sought out cloud-based solutions. Cloud providers are investing heavily in their innovation offerings and security. By using cloud native and cloud-based policies, controls, processes and technologies we were able to tap into an inherent agility and scale when it came to supporting our own cloud security.

We enabled compliance. Partnering with our providers, our cloud security strategy anchors to industry-recognized standards and continuously adapts to enterprise business needs. We adhere to industry defined policies, using alerts, following the zero-trust principle and managing security through code to maintain compliance. This ensures our services, users, workloads and data are secure on day zero and stay protected from the ever-changing threat landscape as well as auditable for third-party validation.

We increased visibility. We took a multi-layered approach, enhancing security through cloud vendors’ technology and advanced threat detection solutions. We gained visibility not only for our own actionable management, but also external auditability.

We baked in trust. We believe identity is the new firewall. Our identity-centric approach means we have adopted a zero-trust strategy in which we embed proper and continuous identity validation. Trust is now fundamentally going to be driven by identity and role.

A valuable difference

We have taken a comprehensive view across the various components of operating in the cloud to create a truly holistic cloud security strategy. As we implement this transformational approach to security across a multi-cloud infrastructure, we can continue to enforce highly effective security policies, resources and services.

Here are some of our lessons learned around effective cloud security:

• Design in terms of the cloud: A Cloud Continuum journey requires a very different operating model to any on-premise solution. Reimagine your security principles in terms of the cloud, to unlock the power of security in the cloud and transform your business.

• Make the cultural shift: Bridge the cultural gap to cloud native services from the top down. Education and training can help to change mindsets so that people understand the benefits of cloud and why your security posture is important.

• Promote partnership: Any Cloud Continuum journey involves not only handing over a certain amount of control to third parties, but also inheriting the sophistication of the cloud solutions. It’s important to build trusted relationships with your providers and to look at the ownership of security as shared.

Going forward, to secure and manage access controls across a multi-cloud environment, we have our sights set on cross-platform alignment so that all identities align across all platforms and vendors. Using data as the key driver, our cloud security will continue to be comprehensive as our cloud capabilities grow across platforms.

And we want to discover new solutions and augment our security with AI for threat detection and machine learning to remediate our code to prevent potential vulnerabilities. This combined with our Prevent, Protect, Detect, and Recover strategy can strengthen our zero-trust imperative.