January 2025 - Kate Healy
Your Cloud Security Journey
The three most overlooked areas
The term "Cloud Computing" was first coined by Google at an industry conference in 2006 and has since become a regular part of our vocabulary, even extending into pop culture through movies and sitcoms. Despite its widespread adoption, many organisations fail to realise the expected benefits and run into security issues after migrating to The Cloud. Having worked with clients at Google Cloud and Telstra, I’ve observed that overlooking essential areas of cloud strategy compromises security and hinders the full potential of cloud adoption.
Whether or not you consciously plan to move to The Cloud, your organisation is likely already there. If you use software such as Salesforce or Dropbox, you are already using a cloud delivery model called Software as a Service (SaaS). SaaS products are readily accessible, usually requiring little more than a credit card, which leads to the unapproved use of applications within organisations, known as Shadow IT. Shadow IT poses significant risks, including improperly licensed software, licensing violations and cost overruns. These unauthorised applications often lack proper security controls, leaving your organisation vulnerable to cyber attacks and data breaches.
Given the risks of unsanctioned cloud computing use, it’s crucial to get controls in early, regardless of the stage of your cloud journey. Measures to protect your environment can include enforcing financial and IT policies, monitoring corporate credit card spend and deploying technical solutions such as Cloud Access Security Brokers (CASB).
I’ve seen three key areas that organisations planning their cloud strategy overlook: technical transformation, people and organisational structure. Failing to address these appropriately leads to security vulnerabilities, wasted costs and resistance to new technologies. Getting it right requires understanding what makes cloud technologies different, ensuring your teams have the necessary skills, and restructuring those teams for agility.
Technology Transformation
Traditional infrastructure operates in a three-tier architecture: Web, application and data, with each tier hosted on separate hardware, each running its own operating system and software and connected by physical networks. While running a similar environment in The Cloud is possible, this is not where its actual value lies. Platform as a Service (PaaS) and, more commonly, SaaS environments are where many cloud journeys start. However, organisations must consider cloud technologies such as Serverless Computing, Compute Services (VMs, Kubernetes) and Cloud Functions to truly benefit from The Cloud.
Unfortunately, under time or cost pressure or without a clear strategy, organisations commonly skip the transformation and simply lift and shift their existing infrastructure, which delivers limited benefit and increases risk. This is especially true of cyber security, where failing to implement cloud-native security features like automated encryption and integrated threat detection leads to weaker security and higher future costs. When planning your cloud journey, ensuring true transformation and embracing these technologies is crucial for maximising both your security and your return on investment.
People
As you can see, cloud technology differs from traditional infrastructure, and so do the skills needed to run it. Yet organisations often repeat the mistake of failing to invest in training their teams, leading to difficulties retaining staff or finding suitably trained help. This is especially true of cloud cyber security specialists, whose skills differ significantly from traditional security approaches.
I have often seen projects come to a halt because the cyber security team does not have the right skills for cloud technologies. Take Serverless Computing as an example: events, not pre-defined IP addresses, trigger code execution, so it is no longer possible to rely on the IP address when investigating potential malicious activity. Imagine asking the security team to secure such an environment if they don’t already have the skills and tools. Upskilling the cyber security team before migration ensures they are prepared and don’t become a project bottleneck.
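To make the serverless point concrete, here is an added example (not code from the original article, and not any provider's real log schema) that triages constructed function invocation records. The field names (`invocation_id`, `function`, `trigger`, `principal`, `source_ip`) and the baseline of expected triggers per function are assumptions for illustration. It shows that most event-driven invocations carry no caller IP at all, so attribution has to pivot to the triggering identity and event type instead.

```python
"""Triage serverless invocation logs by trigger and principal, not source IP.

Constructed example: the log format, field names and baseline below are
assumptions for illustration, not any specific cloud provider's schema.
"""
import json
from collections import Counter

# Constructed sample log lines (one JSON record per line). Invocations fired by
# platform events (storage, scheduler) carry no caller IP; only HTTP ones do.
SAMPLE_LOG_LINES = """\
{"invocation_id": "inv-001", "function": "process-upload", "trigger": "storage.object.finalized", "principal": "svc-uploader@example", "source_ip": null}
{"invocation_id": "inv-002", "function": "process-upload", "trigger": "storage.object.finalized", "principal": "svc-uploader@example", "source_ip": null}
{"invocation_id": "inv-003", "function": "process-upload", "trigger": "http", "principal": "user:alice@example", "source_ip": "203.0.113.7"}
{"invocation_id": "inv-004", "function": "nightly-report", "trigger": "scheduler.cron", "principal": "svc-scheduler@example", "source_ip": null}
{"invocation_id": "inv-005", "function": "nightly-report", "trigger": "scheduler.cron", "principal": "svc-scheduler@example", "source_ip": null}
{"invocation_id": "inv-006", "function": "nightly-report", "trigger": "http", "principal": "user:bob@example", "source_ip": "203.0.113.9"}
"""

# Assumed baseline: the trigger types each function is expected to be invoked by.
EXPECTED_TRIGGERS = {
    "process-upload": {"storage.object.finalized", "http"},
    "nightly-report": {"scheduler.cron"},
}


def parse_log_lines(text):
    """Parse one JSON record per non-empty line; skip malformed lines rather than abort."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def ip_coverage(records):
    """Fraction of invocations that carry a source IP at all.

    For event-triggered functions this is typically low, which is why an
    IP-centric investigation workflow breaks down in serverless environments.
    """
    with_ip = sum(1 for r in records if r.get("source_ip"))
    return with_ip / len(records) if records else 0.0


def count_by_principal(records):
    """Attribute invocations to the identity that triggered them.

    The principal is present on every record regardless of trigger type, so it
    is the stable pivot an investigator can use where the IP is absent.
    """
    return Counter(r.get("principal", "<unknown>") for r in records)


def unexpected_invocations(records, expected=EXPECTED_TRIGGERS):
    """Flag invocations whose trigger type is outside the function's baseline.

    Returns (invocation_id, function, trigger, principal) tuples for review.
    """
    flagged = []
    for r in records:
        allowed = expected.get(r.get("function"), set())
        if r.get("trigger") not in allowed:
            flagged.append(
                (r.get("invocation_id"), r.get("function"), r.get("trigger"), r.get("principal"))
            )
    return flagged


if __name__ == "__main__":
    recs = parse_log_lines(SAMPLE_LOG_LINES)
    print(f"invocations with a source IP: {ip_coverage(recs):.0%}")
    print("by principal:", dict(count_by_principal(recs)))
    print("unexpected triggers:", unexpected_invocations(recs))
```

Run as a script it reports that only a third of the sample invocations have an IP to pivot on, while every one has a principal, and it flags the single invocation whose trigger type does not match the function's baseline. A real implementation would pull the same fields from the provider's audit and function logs and maintain the baseline per function from deployment configuration.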
Organisational Structure
Organisational structure is another frequently overlooked aspect. Teams built for traditional infrastructure may struggle with the dynamic nature of Cloud Services. Unlike traditional software, whose updates are controlled by your technology team, Cloud Services undergo frequent modifications from providers, often with little warning. With a combined 500 services across the three major cloud providers, keeping up with these changes and ensuring they remain secure is a significant challenge for security teams. Rethinking team structures to be more agile and collaborative is crucial for effectively managing and securing Cloud Services.
Responsibilities also differ. Unlike traditional IT, where the organisation has complete control over its software and possibly even its hardware, in The Cloud those responsibilities shift to a shared responsibility model, in which they are divided between the organisation and the cloud provider. Understanding these models is crucial when re-designing team structures.
In summary, to ensure a successful cloud security journey, make sure you consider the following:
- Technology Transformation. Avoid “lift and shift”. Simply migrating existing infrastructure to the cloud doesn’t unlock its full potential, especially for cyber security.
- People. Focus on cloud security expertise. Invest in skills and training to upskill your cyber security team before they are needed so they don’t become a roadblock.
- Organisational structure. Rethink how teams will manage and respond to new technologies, with consideration given to shared responsibility models.
A successful cloud journey requires a holistic approach, addressing not just technology, but people, processes and organisational structure.
Contact me if you need assistance with your cloud security journey.