During the COVID-19 pandemic, many enterprises faced immense operational resilience challenges, and the shift to the cloud accelerated in response. This sudden shift to an online, no-contact economy prompted what Microsoft CEO Satya Nadella said was "two years' worth of digital transformation in two months."
Cloud platforms helped companies deploy new digital customer experiences in days rather than months, supporting analytics, agility and scalability that would be uneconomical or impossible with legacy platforms.
Yet, at the same time, numerous opportunities were presented to cybercriminals who exploited the new operating environment and preyed on a remote and vulnerable workforce. Data residing on premises and in the cloud quickly became a natural target for bad actors. The seemingly overnight shift of enterprise data to the cloud increased the number of possible failure points in security systems. In fact, McAfee reported a 630% increase in attack attempts from external threat actors on its customers' cloud accounts in early 2020.
This reality has driven enterprises to build an effective cloud security architecture and strategy -- but the path to achieving this has not been an easy one.
Top 3 cloud security challenges
While the pandemic might have overcome organizational inertia about moving to the cloud, the shift itself comes with three major complexities:
Challenge No. 1: Confusion around the shared responsibility model hasn't helped the situation.
Public cloud providers take responsibility for their clouds' security, but they don't take responsibility for their clients' applications, servers and data security. Companies must encrypt and secure their own data. Yet, many enterprises leave data unencrypted on the cloud or do not implement available encryption tools and management services. Additionally, companies need to invest in a variety of tools, including antimalware, antivirus and secure web gateways, from cloud service providers to protect their data.
Begin by identifying organizational requirements and completing security risk assessments. Next, implement safeguards to ensure infrastructure can self-sustain during an attack. The framework will have to use detection systems to monitor networks and identify security-related events, which will then launch countermeasures to combat potential or active threats. Finally, the framework will need inbuilt recovery capabilities to restore system capabilities and network services in the event of a disruption.
Challenge No. 3: CISOs have to prepare for the worst and hope for the best.
Focus remediation efforts and align security policies across the digital landscape by embedding security in the enterprise architecture. When migrating workloads to the cloud, the security architecture will clearly define how an organization should identify users and manage their access, and protect applications and data, with appropriate security controls across networks, data and applications. It also helps provide visibility into security, compliance and threat posture while injecting security-based principles into the development and operation of cloud-based services.
Cybersecurity regulations are evolving rapidly with the threat landscape, so security architectures should include strict security policies and governance to meet compliance standards. CISOs also face the challenge of designing systems that cater to the authentication and authorization needs of both on-premises and cloud workloads, which have different protocols. Finally, the IT team should build a centralized dashboard and reporting for security metrics before cloud operations begin.
Embed security into every phase, starting with design
Security concerns within the cloud landscape are complex due to rapid development. This complexity requires a paradigm shift to protect applications. That shift can be achieved by migrating from a perimeter-based approach to one where security moves closer to dynamic workloads that are identified based on attributes and metadata. This approach identifies and secures workloads to meet the scale needs of cloud-native applications while accommodating constant flux.
The cloud paradigm requires enterprises to upgrade their legacy technologies and increase automation in the application security lifecycle and secure-by-design architectures. Cloud-native security can be modeled in distinct phases that constitute the application lifecycle -- development, distribution, deployment and operation. This ensures security is embedded throughout these phases instead of separately managed. In addition to cloud-native security controls, add-on components such as security groups and network access control lists for firewalls and distributed denial-of-service attack mitigation must be implemented. AI will also become a core component of all cybersecurity systems to address vulnerabilities and detect security issues.
Cloud security services should safeguard physical infrastructure, applications, data, networks and endpoint devices with a proven technology reference architecture for quality assurance and risk management. Adapting existing authentication methods to enable consistent access control for cloud and on-premises network resources is the route toward greater security. Use real-time security monitoring and reporting to address cloud-specific, industry and compliance standards.
Cloud architects and systems designers must incorporate network security appliances at the design stage for unified control of distributed IT resources. Security protocols should combine multifactor authentication protocols and role-based access control systems. Cloud security itself remains an interdisciplinary field that cannot be isolated from the development lifecycle or treated as a purely technical domain. In the same vein, cybersecurity is not just an IT problem; it is a business problem. For it to be ultimately effective, organizations must focus on people, process and technology to make necessary changes and ensure security is practiced and embedded as part of the company's DNA.
About the author
Anant R. Adya is the senior vice president of cloud, infrastructure and security (CIS) services at Infosys. Adya is responsible for growth of the CIS service line in the Americas and Asia-Pacific regions for Infosys. In his 25 years of professional experience, he has worked closely with many global clients to help define and build their cloud and infrastructure strategies and run end-to-end IT operations. He currently works with customers and the industry sales and engagement teams on the digital transformation journey. He defines digital transformation as helping customers determine the location of workloads, using new-age development tools for cloud apps, enabling DevOps and, most importantly, keeping the environment secure and enhancing customer experience.