Prioritizing Security in a Multi-Cloud World

By: Scott Manson, Managing Director, Middle East & Turkey, McAfee

Cloud awareness and adoption continue to grow as more enterprises take advantage of the benefits that come with multiple cloud platforms. In fact, in a recent Voice of the Enterprise (VotE): Cloud Hosting and Managed Services study conducted by 451 Research, 90% of respondents indicated they have some type of cloud services in place, and several are already using multi-cloud environments. Closer to home in the Middle East, research by MarketsandMarkets predicts that the cloud market in the region will triple to $2.4 billion by 2020, driven in large part by adoption of multi-cloud.

But on the flip side, we’re seeing an increase in cloud-related security incidents. According to research from the October 2018 McAfee Cloud Adoption and Risk report, the average organization generates over 3.2 billion events per month in the cloud, of which 3,217 are anomalous, and 31.3 are actual threat events. This is cause for alarm given that 21% of all files in the cloud contain sensitive data (up 17% over the past two years).

Against this backdrop, whether you are switching up your multi-cloud strategy or starting from scratch, here are a few things your organization needs to know first about multi-cloud.

Determine what features will either make or break your multi-cloud strategy
When picking the best multi-cloud structure for your business, be bold. Build a vision for what you need cloud services to do for your company―worry less about “how” and more about the “why” and “what” you need from your providers. The reality is that top cloud providers in IaaS/PaaS and, separately, SaaS spaces, are offering extremely versatile capabilities and compelling value. It is important to understand what features are critical and which ones change the way your organization works when it comes to selecting vendors.

Outside of single requests for a new or different capability, your organization needs to rationalize the different needs for each, down to “collections” of related needs. For example, consider SaaS for well-known, repeatable needs first, then look to move or re-deploy capability into IaaS or build natively in PaaS for efficient applications.

Security measurements are important when architecting a multi-cloud structure
First and foremost, avoid looking at your new cloud infrastructure as a separate environment. It’s not merely a new data center, so an organization also needs to consider how switching to a cloud infrastructure will shift how the organization secures assets. Consider looking to resources like the MITRE ATT&CK matrix and the Center for Internet Security’s Basic and Foundational Controls list as a guide for answering this question: “In the future, how do I maintain unified visibility and security when I incorporate new cloud providers?”

For a successful multi-cloud migration, use your cloud access security layer and a platform that ultimately unifies your policy and threat identification approaches. Identity is another common challenge area. Moving to the cloud at scale often requires your organization to “clean up” your identity directory so that it is ready for, and accommodating of, shared sign-on. By using an identity management and/or aggregation platform to expose identity to well-known cloud services, you will be able to ease the cloud implementation burden and threat exposure of any given provider.

Ensure compliance
It’s important to know that your organization’s compliance requirements are not mitigated or transmuted simply because the data has left your internal environment and entered the one your cloud provider(s) uses. As your organization matures, the way you manage and align your cloud provider’s capabilities to your compliance requirements should evolve accordingly.

Initially, ensure that your company requires business unit executives to apply or accept the risk of compliance obligations where service providers may not meet every requirement. Your legal team should be a part of the initial purchase decisions, armed with technical knowledge to help identify potential “rogue” cloud services and policy guidelines that dissuade employees from adding services “on a credit card” without appropriate oversight.

As your organization gains more experience with the cloud, request that providers share copies of the SSAE16 attestations / audits. This, together with more formal due diligence processes, should become commonplace. Organizations looking to advance in this space would be well-advised to look at the Cloud Security Alliance’s STAR attestation and the associated Cloud Controls Matrix as a ready accelerator to benchmark cloud providers.

Secure buy-in from exec/C-level on a multi-cloud strategy
Use of cloud services should reflect the strategic focus of the business. Technology leaders can leverage the benefits of these services to underpin initiatives in efficiency, bringing innovation to market and controlling costs. To strengthen this message, technology department heads should consider the metrics and operations adjustments that will allow them to demonstrate the enhanced value of the cloud beyond just the bottom line. If you are trying to get exec/C-level buy-in, consider the following:

  • How will you measure the speed of introducing new capabilities?
  • Are new areas of value or product enhancement made possible through cloud services?
  • How will the organization measure and control usage to hit your cost targets?
  • How do you know whether your organization is getting what you have contracted for from cloud providers?
  • Do you have a mechanism for commercial coverage of the organization when things go wrong?

Protect your organization and secure the cloud
Organizations will often “upgrade” in some areas of basic security (perimeter, basic request hygiene) when making the move to well-known cloud providers. How the overall security posture is affected depends heavily on the level of diligence that goes into onboarding new cloud providers. Implementing critical technical measures like the Cloud Access Security layer and policy around how the cloud is procured and technically implemented should drive basic control requirements.

As the number of cloud providers scales in the environment, your organization needs to assess and document them based on how much your organization depends on a given service and the sensitivity of the data those services will hold. Services that are prioritized higher on these two fronts should have increased organizational scrutiny and technical logging integration in order to maintain the overall defensive posture of the company.

Finally, as with any other technology trend, the missteps in making the transition to business and consumer cloud services have received outsized coverage. Take the time to dive into the “hows” and “whys” of early cloud breaches to avoid becoming a potential victim—after all, when it comes to security, it is better to learn from someone else’s (unpleasant) experiences!
