Data security and multi cloud continue to generate much debate and opinion. Common perceptions such as ‘greater risk is inevitable’ and ‘GDPR is all challenge and no opportunity’ can be contested. We recently brought together several CIOs to discuss security, including the impact of GDPR on multi cloud strategies. Here are 6 perspectives from the event, challenging myths with business realities.
Greater risk when moving to multi cloud is not inevitable
According to the most recent RightScale State of the Cloud Report, 81% of enterprises have a multi-cloud strategy, but 77% view security as a challenge and key concern.
The CIOs at our event agreed that creating security in multi cloud isn’t about ‘lifting and shifting’ existing security frameworks, processes and skills. These won’t necessarily transfer to cloud, particularly in the case of IT teams wedded to your existing framework.
One delegate put it this way: “It’s no longer a question of ‘Is the cloud secure?’, it’s now ‘How can I be secure in the cloud?’”, with another adding, “If you build multi cloud one way, like a service, you’ll be able to secure it, but if you treat it like data centres trying to connect together, you’ll find it more difficult.”
Many agreed that the notion of higher risk being an inevitable consequence of multi cloud doesn’t stack up. In fact, the consensus was that with the right cloud-centric security, multi cloud can make it harder for attackers to exploit your environment.
GDPR is a great enabler
GDPR was a big topic, but perhaps not in the way you might expect. Many CIOs talked about positive opportunities to “clean up”, one suggesting “We’ve been able to move away from legacy practices and lose the dead-weight applications no one understands”.
Some discussed how GDPR had triggered a review of their security posture and inefficient internal systems. “This is the moment where we could do the good housekeeping we’ve been talking about for years and deal with depositories of decades’ worth of data,” one IT leader commented.
Another highlighted how GDPR refocused the business on the importance of trust and doing right by your customers, prompting a rethink of why they collect customer data and what happens to it, followed by halting practices that didn’t deliver business benefit.
Many agreed that responding to incidents robustly is critical to managing reputational damage, protecting shareholder interests and meeting regulatory requirements. The ability to proactively detect and respond to a breach will build trust and provide assurance between partners; it is also important to lock down contractual obligations. Close working between legal teams and partners is essential to avoiding potential confusion about roles and responsibilities.
Collaborative mindsets needed to understand threats…
Collaboration is more important than ever. Attackers are increasingly sharing intelligence, tactics and techniques; businesses should do likewise. Through sharing intelligence between organisations, service providers and prominent social media companies, businesses can better understand the evolving threat landscape. One delegate suggested that “We all face the same threats, so we really need to reduce the stigma of ‘owning up’ – it can happen to everyone. If we fail to share information, then we’ll only find out after an attack, when the damage is done.”
Another added, “The idea every company will possess an army of cyber experts is unrealistic; we can’t do this individually. Companies cannot equip themselves with cyber warriors. Developing partnerships is far more realistic.”
…and to plug the multi cloud security skills gap
The skills gap and staying secure across multiple platforms were further hot topics. Keeping pace with continuously optimising, fast-moving platforms while countering the modern threat landscape is increasingly challenging. Against this backdrop, we’ve invested in skill sets to ensure we provide our customers with expertise across the four major public clouds: Amazon Web Services, Microsoft Azure, Alibaba and Google Cloud Platform.
In the US there are approximately 250,000 cyber security vacancies. By 2020, the figure could be in the region of 1.5m globally based on current trends. Finding and retaining talent is difficult and increasingly expensive, and it’s not just a numbers game: finding the right skills for the contemporary threat landscape is key. To quote one guest, “You need the right skills to counter the threat. Modern analysts need to think like attackers to spot behaviours of an attack in progress, not just respond to tech alerts.”
Security in multi cloud isn’t just about IT
“Procurement teams have no idea what they need, so some businesses end up choosing the least cloud-led companies just because they fit with their old-fashioned RFPs.” This came from one leader, who was immediately backed up with tales of inappropriate SLAs, teams not knowing “whether to turn left or right at the crossroads” and “commercials being a driver for cloud migration”. As another guest commented, “Some people in the organisation immediately think, ‘If it’s cheaper we should do it,’ but commercials alone shouldn’t drive cloud strategy.”
The consensus on addressing these issues was to change the project delivery culture. Start with specific business requirements instead of going to market with requests for pre-ordained solutions that may not be fit for purpose in the context of a business’ resources or expertise. This approach avoids ‘getting lost in the tools’, and scenarios where all that is achieved is assembling a collection of ‘expensive flashing red lights’ that no one understands.
It’s important to develop a cloud-centric solution that’s capable of keeping up with the latest threats. Remaining platform and tech agnostic with the ability to automatically scale, detect new instances and deploy rapidly is crucial. Waiting for hours for security to catch up will leave a business vulnerable and exposed to threats.
The security mindset is evolving and must continue to pivot from signature-based perimeter thinking to proactive analysis of data flows within an environment, to catch what technology misses. This isn’t admitting defeat, but acknowledging that threats are becoming more advanced and sophisticated. While security approaches are improving, the average time to detect a threat remains around 99 days; we can do better in achieving maturity.
The reality is that by the time you reach world-class data security, ‘world class’ will have moved on. The job is never done; in the proverbial game of cat and mouse, we must strive to stay one step ahead of the adversary. As with GDPR, it’s never a case of ‘job done’. May 25th is not a checkbox on a to-do list – security and compliance must be sustained and continuously refined.