In a multi-cloud environment, cybersecurity can never be an afterthought

Exactly a year ago, a huge data breach shook Capital One’s Board to its core. It affected one out of every three citizens in the United States and the company was fined $80 million.

Despite being the tenth on the list of largest banks in the United States by assets and spending upwards of a billion dollars on its information technology (IT), the data breach not only resulted in a loss of reputation but also significantly impacted its business. 

As the cloud becomes the new normal, it brings along multiple security challenges as well, especially if you adopt a multi-cloud environment.

Challenges in a multi-cloud environment:

According to the Sophos' State of Cloud Security 2020 study, 96% of organisations are worried about the current state of their public cloud security, with 70% admitting they experienced a breach over the past year including 93% in India!

Before an organisation goes in for a multi-cloud strategy, they must consider how they will be managing a few of the challenges.

1. Most cloud security tools lack an overlapping approach to cybersecurity. For instance, they work well for native services but are not yet designed to secure a non-native or a competitor’s service. This is slowly changing as it is necessary to provide enterprises with an opportunity to invest in secure and overlapping cloud environments.
2. Increased complexity and layering makes it a challenge to choose monitoring tools.  Gartner’s Evaluation Criteria for Cloud Management Platforms and Tools identifies 215 different criteria that IT decision-makers need to consider when selecting multi-cloud monitoring tools. This is a huge task, especially for a security team. With so many other cybersecurity products analysing different aspects of the business, the security team of most enterprises are overburdened already.
3. Another major missing piece of the jigsaw is the lack of an objective metric. This creates a definite lack of clarity when it comes to the change in cyber risk posture of any organisation and its business context, before and after adopting more cloud-based services.

Rather than making cloud environments’ security an afterthought, make it secure by design:

The challenges listed above are just the tip of an iceberg. The problem begins with the fact that cybersecurity is an afterthought; a reactive approach where businesses ‘defend when it happens’. The digital presence of any business has to be secure by design. Gartner recently updated their evaluation of cloud security and concluded that through 2025, 99% of cloud security failures will be the customer’s fault. Most organisations are shifting to a cloud-based environment and using its ease of customisation without considering a simple reality -  the financial, reputational and regulatory consequences of a cyber attack.

Cybersecurity needs to be a part of any digital business model right since its ideation and not after a breach has occurred. This ‘reactive’ approach sets back businesses, financially and otherwise, far more than what investing in the right cyber defense strategy might.

Cloud environments need to have inherent security at each individual level. Using Customer Encryption Keys, stringent access restrictions and two-factor authentication for each instance are simple yet highly effective methods to make a multi-cloud environment ‘secure by design’.

Cyber Risk Quantification can help organisations:

I have always said that cybersecurity has a simple fundamental rule -- organisations need to reduce their breach likelihood. This might seem like a simple thing to do but is one of the biggest challenges while migrating from an on-premises network to an on-cloud network. Multiply the challenge as the number of cloud platforms increase. The State of Cloud Security 2020 survey, by Sophos, interestingly revealed that while multi-cloud cybersecurity strategies are growing popular, 73% of its users reported up to twice as many security incidents than those running a single cloud.

Imagine a large enterprise with over a hundred individual accounts spanning across numerous different services, each running hundreds of instances without clear visibility into threat assessment in real-time. To accurately assess multi-cloud cyber risk posture, the organisation’s cyber defence strategy has to be analysed continuously and with a clear metric of measurement. Risk quantification can be the unifying factor between different cloud servers, people, processes and technology, both internal and external. It can quantify and thereby put into context the organisation’s breach likelihood and the risk posture of its multi-cloud environment; allowing the Board to make contextualised and data-driven business decisions. 

Not just organisations, cloud service providers too can evaluate the measure of their security rendered as a service to enterprises, making it more objective.

John Doerr said, “measure what matters” and I agree. One cannot possibly mitigate or improve what isn’t measured. As of now, cyber-attacks are one of the top concerns for CEOs across the globe, according to the World Economic Forum.  This can change if organisations make proactive alterations to their cyber risk strategy and adopt a more predictive, real-time and unified risk quantification model. As companies coalesce into each other after acquisitions, mergers and partnerships, a secure multi-cloud existence is imperative and inevitable.

Saket Bajoria

---

Saket Bajoria is vice president, product management and customer success, Americas at Lucideus. The views in this article are his own.