Everyone's jumping headlong into cloud, from the smallest pizza shop to the biggest financial institutions in the world.
Why? Because the cloud is scalable, because it's agile, because it's the new mantra. Yet, we worry a lot about it. CIOs and other C-level executives worry about cloud, as do compliance managers and many others.
We asked a group of CIOs about cyber resilience in the cloud. A little over one-third said that they believe their organizations are not prepared or protected enough by their cybersecurity program. The others were quite clear that it's not enough to appear strong and competent if they're not prepared to deal with a security breach.
Without exception, everyone we surveyed believed that there is no choice but to embrace new technology as it comes along. Therefore, we must accept and adapt to the world of the cloud. A compelling majority of CISOs (Chief Information Security Officers) believe cybersecurity and cyberattacks are still a "black box": organizations don't know enough about how to react in a timely way, or how to protect their business.
Cloud adoption is happening at a break-neck pace, and there's been a lot of talk about organizational risk frameworks.
But moving to the cloud does not come with any new, uncharted risks. If you think about it carefully, it's not particularly different from the traditional risk model. It's a matter of being able to articulate it correctly and to comprehensively chart your course to the cloud, because no organization ever "lifts and shifts" its entire IT estate into the cloud in one go. The difficulty comes in measuring and administering the right risk formulae as the mix of cloud options changes over time.
What basics must we consider to navigate a safe journey to cloud?
Governance, risk and compliance is a top consideration, because most businesses are multi-geographic, multi-regulated and multi-industry.
For example, capital markets or derivative trading businesses may have as many as five different regulators. As we move from an on-premises IT culture with a fixed asset tag on every piece of equipment to an environment where you're not able to put your finger on where your assets are sitting, the regulatory framework is not quite as flexible as we want it to be. Therefore, we need to change the way we submit evidence to the regulator, so that we pass those tests.
Another risk consideration is foundation security, for which we have a very sharp and clear definition: your foundation security must be safe enough to take to the cloud as is.
Application security is a different ballgame altogether. We support over 100,000 distinct applications in maintenance mode, ranging from one week to 30 years old. The underlying technology, the principles of data storage and governance, and the basic design philosophy behind how each one is written are all very different.
Cloud-native applications are bringing about a whole new school of application design. These applications are written with the understanding that they're not sitting on a static IP address. They're not sitting on a rack nailed to the floor in your office or data center, and they're not the type that will remain stable for six months at a time. Security considerations for these applications are entirely different, and they will continue to evolve and be challenging.
Digital identity also needs careful consideration. As you port applications, data services and business services to the cloud, you also have to worry about how you administer identity and access, how you grant and change privileges on the fly, how you protect parts of the application ecosystem from other parts, and how you farm out the ability to configure and provision services on the fly—all without having to intervene in each case with an administrator's password or privileges.
Data privacy, as you can imagine, will also form a cornerstone of the cloud security policy when you write it.
Last but not least is preparing for and recovering from any cyberattacks, or what I call cyber defense. Keeping your organization's cloud-hosted services safe, keeping your customers' journey safe, and being able to recover with minimal disruption when an attack does occur are essential.
Again, cyberattacks are a question of when, not if, because, sadly, I doubt any modern business will go any length of time without at least an attempt at being hacked.
Keep all of these considerations top of mind, and you will be as prepared as possible when a cyberattack happens.