As we have seen in the last 18 months, cloud opens the door to organizational agility on an unprecedented scale. But security is essential to take advantage of cloud’s potential. Accenture, with our size, scale and complexity, has experienced first-hand the power of cloud security.

Six years ago, Accenture initiated the move into the cloud. While our recent research has identified that security and compliance risk is seen as one of top two pain points of cloud adoption, we were clear from the outset that cloud security would be a critical component to supporting our business needs.

Moving from on-premise infrastructure where we had complete control, to collaborating in the cloud with vendors and needing to rely on their technology and environment was a big shift. Infrastructure and new service capabilities in the cloud are different; we couldn’t simply translate what we had on-premise directly into the cloud.

We needed to reimagine the approach to implementing our security model to harness the capabilities of cloud native solutions. We evolved core security guiding principles to meet the requirements of operating in the cloud. We redefined our security rules to flex around the updated cloud-based infrastructure. When we look at our security approach we think beyond just infrastructure to an application, data and code level as well.

Today, Accenture IT infrastructure runs in the hybrid cloud and is costing significantly less than our legacy delivery models. Our strategy was to be secure from the start, reframing our security in terms of cloud capabilities, which has helped us to see how our cloud solutions can support every element of security needed within the business.

Early on in our cloud continuum journey, we recognized the need to evolve our security practices to accommodate our core security values for the cloud. We wanted to be powered by software-defined, securing our application and infrastructure code from the start. We infused analytics that were behavior-driven, using automated artificial intelligence (AI) behavioral analytics to identify anomalies faster and with more accuracy when working across our cloud platforms. It was important to us to be cloud agnostic, fit for a multi-cloud environment, so that the security framework and principles apply to any cloud vendor with auditability.

What’s more we embedded robust defense, relying on multiple layers of security at varying depths: cloud, network, access, data and endpoints. We centered our strategy on a zero-trust approach, protecting every aspect of the cloud security journey by treating everything as untrusted. With the focus on zero trust, we followed an identity-centric approach, basing all access on identity where every request is explicitly verified.

Five core functions contributed to a successful cloud security journey:

We shared responsibilities. As we increased our software as-a-service (SaaS) and platform as-a-service (PaaS) consumption in the cloud, we focused on and trusted in a shared responsibility model with our cloud vendors. By sharing the responsibility with our hyperscalers instead of owning the responsibility, we become inherently more secure. Our partnerships with Microsoft, Amazon and Google cloud services took advantage of their maturity in the market, their wide security certifications, and the fact that they value security as much as we do.

We sought out cloud-based solutions. Cloud providers are investing heavily in their innovation offerings and security. By using cloud native and cloud-based policies, controls, processes and technologies we were able to tap into an inherent agility and scale when it came to supporting our own cloud security.

We enabled compliance. Partnering with our providers, our cloud security strategy anchors to industry-recognized standards and continuously adapts to enterprise business needs. We adhere to industry defined policies, using alerts, following the zero-trust principle and managing security through code to maintain compliance. This ensures our services, users, workloads and data are secure on day zero and stay protected from the ever-changing threat landscape as well as auditable for third-party validation.

We increased visibility. We took a multi-layered approach, enhancing security through cloud vendors’ technology and advanced threat detection solutions. We gained visibility not only for our own actionable management, but also external auditability.

We baked in trust. We believe identity is the new firewall. Our identity-centric approach means we have adopted a zero-trust strategy in which we embed proper and continuous identity validation. Trust is now fundamentally going to be driven by identity and role.