Cybersecurity in the Cloud: Safer Than You Think [Podcast]
The explosion of cloud computing has connected more people than anyone ever imagined. But the massive number of companies migrating to the cloud has also amplified the urgency of data security and regulatory compliance.
Cloud Migration Is Relentless
The migration to the cloud has been relentless. It turns out that 96% of today’s enterprises are using at least one public or private cloud, according to RightScale’s 2018 State of the Cloud Report. And Forrester’s experts predict that public cloud expenditures will grow from $146 billion in 2017 to $236 billion in 2020.
Meanwhile, digital workers are spending enormous amounts of time in the cloud. Approximately 80% of tech company professionals are using cloud-based apps, according to Citrix. And at companies with flexible workplaces, 57% of professionals are working in the cloud.
Don’t Get Snagged on the Insecurity Myth
The skeptics get snagged on lingering assumptions that cloud technology is insecure. But it’s hard to be skeptical when the best cloud vendors may be more expert at cybersecurity than many in-house IT administrators.
Perhaps the trust gap is perpetuated by the numerous data breach horror stories that litter the Web. But don’t let the cyber smash and grab headlines stop you from giving cloud the benefit of the doubt.
“You know, it is probably true that the safest way to secure yourself is to just unplug from the internet,” says Omesh Agam, Chief Information Security Officer at Appian. “But, you know, kidding aside, my view is that you have to institutionalize security as part of your business model.”
“For example,” says Agam, “we have all these security frameworks that we maintain compliance with. Maybe the answer is pick the highest framework, the highest baseline, and make that your standard.”
Raising the Bar on Security Standards
“From my perspective,” says Agam, “certainly for many of the organizations we’ve talked to—as well as here at Appian—we have a myriad of compliance certifications that we have to maintain to provide a base level of assurance to customers, as well as to ourselves that we’re operating in accordance with the highest industry standards.”
Agam also mentioned the challenge of keeping up with ever-changing global regulations and security laws that follow your data around the world. He says that compliance laws can be region-specific and can also cut across boundaries, which makes safeguarding your data that much harder.
“Vulnerabilities are coming faster and faster,” says Agam, “with the explosion of digital trends like IoT (Internet of Things), there’s also the challenge of monitoring your own internal and external infrastructure.”
Cyber Attacks Spreading Like Wildfire
“And then there’s the challenge of modernizing security with DevSecOps, not to mention protecting your data from the threat of ransomware and malware that’s spreading like wildfire. So, we still have to do basic security administration for some of the more advanced attacks that are coming at us all the time,” says Agam.
Anywhere from 300,000 to a million viruses and other malicious software products are created by hackers every day. This includes the usual suspects—DDoS attacks, data breaches, ransom demands, and theft of proprietary information. And that’s just the tip of the iceberg. From a business standpoint, cybercrime drains a staggering $600 billion a year from the global economy, according to the Center for Strategic & International Studies.
Cloud Is Safer than Many Legacy Systems
Meanwhile, to protect against cybercrime, many organizations are pumping up their security budgets. In fact, Gartner predicts that worldwide security spending will reach $96 billion in 2018, up 8% from 2017.
CNBC recently reported that cybercrime is the fastest-growing crime in the U.S., costing billions in lost productivity and stolen information. The good news is that managed cloud security services can do a better job of protecting your data against cyberattacks than on-premises systems. So say the cloud experts at Gartner.
- In 2018, the 60% of enterprises that implement the right cloud security tools will experience one-third fewer security failures.
- Through 2020, public cloud Infrastructure as a Service workloads will suffer at least 60% fewer security incidents than those in traditional data centers.
- Through 2022, at least 95% of cloud security failures will be the customer’s fault.
The Security Risk Is Marvin in Marketing, not the Cloud
If the math makes you shrug, consider the fact that financial regulators—among the most security-minded officials on the planet—have given banks the green light to move their data to the cloud.
The thing is, the security challenge is not in the cloud. It’s not in the technology. It’s in upgrading organizational policies and training for the digital age.
What should make you shudder, though, is the fact that in most cases, human error is the main cause of security breaches.
Yep, it’s usually just Marvin in marketing, who unknowingly downloads a malicious file and exposes your organization to cyber attacks.
It all ties back to the gap between cybersecurity and employee training. The disconnect is that about one-third of employees aren’t receiving any cybersecurity training, according to a recent study by the Financial Planning Association’s Research and Practice Institute (FPA).
On average, employees receive less than two hours of security training per year, according to the FPA study.
This feeds into the narrative that the biggest threat to your organization’s security is not cloud technology but the gap between security policy and employee training.
Nonetheless, 48% of enterprises don’t have an employee security awareness program, according to Forbes.
Compliance in the Cloud
On the compliance side, the best cloud services cover all of the major security domains and controls, including:
- Association of International Certified Professional Accountants (AICPA) cybersecurity risk management reporting framework to ensure vendors safeguard information and privacy, for Service Organization Control (SOC) 1, 2, and 3 reports.
- Payment Card Industry Data Security Standard (PCI DSS), which is an international framework for data security standards to ensure vendors maintain a secure environment to accept, process, store or transmit credit card information.
- Health Insurance Portability and Accountability Act of 1996 (HIPAA), which is US law that provides data privacy and security provisions for safeguarding medical information.
Moving to the cloud offers enormous amounts of low-cost computing power, which is precisely what you need to stay ahead of the hackers.
Sharing the Control Stack
Without the enormous security intelligence capability of a cloud platform, detecting suspicious patterns in massive amounts of operational data would be like mission impossible for most enterprises. Managed cloud services also make it easier to keep up with security upgrades and scale up operations at speeds not possible before.
“So, we are seeing a huge push from traditional on-premise environments to cloud,” says Agam. “And the reason is, moving to the cloud allows organizations to concentrate on what their business applications are designed to do.
“Now, that doesn’t mean you can forget about compliance in business and security requirements,” says Agam. “It means moving towards a shared controls framework. And what that means is that you’re now sharing the control stack with someone else.”
Agam also adds that if your organization is moving to an Infrastructure as a Service provider, and you’re building a virtual service with them, it doesn’t mean you get to ignore physical security as a base requirement. On the contrary, it means that you should work with your infrastructure provider and evaluate what they do for security instead. You can also start to look at what kind of vendor audits they do, and add that to your due diligence framework.
Continuous Multi-layer Monitoring
“Now, you don’t have to evaluate whether a vendor’s servers are being hardened,” says Agam. “But maybe you want to see what they do to measure up to your security standards, like continuous monitoring, right? At Appian, we have continuous monitoring of multiple layers with our infrastructure providers at their physical hardware level, their data centers, servers, and platform level as well.
“You don’t get to ignore basic logging and monitoring hygiene just because you’re using a SaaS provider,” says Agam.
As for cloud trends that should be on your radar for 2018 and beyond: More than 85% of enterprise IT organizations will commit to multi-cloud architecture by 2018, according to IDC. About 75% of developer teams will include cognitive/artificial intelligence functionality in cloud applications. And most of these will be sourced from the cloud.
Additionally, cloud migration will accelerate, fueled by the latest advances in cloud-based encryption, blockchain and digital compliance services.
Are You Ready for General Data Protection Regulation?
Speaking of compliance, the Harvard Business Review recently reported that U.S. lawmakers are circling waters bloodied by ongoing revelations regarding potential abuse of Facebook’s social media data. (It’s easy to forget that social networking is cloud computing, but it is.) And major data breaches at numerous major brands have amplified calls for tougher regulation of digital companies.
The drumbeat of regulation is even more intense in Europe, where the General Data Protection Regulation (GDPR) will take effect this spring, representing a major overhaul of the region’s data protection rules.
With the implementation of GDPR, companies will have to report data breaches to regulators—and inform customers—within 72 hours. And the cost of non-compliance? In a word, steep. Violators could get hit with a €20 million fine, or forfeit up to 4% of their global revenues, whichever is greater.
GDPR hasn’t stopped digital leaders from migrating to the cloud. To put things in perspective, public cloud spending will grow at nearly seven times the rate of overall IT spending, according to IDC. By 2020, public cloud spending will reach $203.4 billion worldwide, from an estimated $122.5 billion in 2017.
Experts: Public Cloud to Continue Trending Up
In the era of GDPR, it’s easy to underestimate demand for public cloud by large companies. But the math is hard to ignore. Organizations with more than 1,000 employees will account for more than 50% of cloud spending. And, big brands will experience the fastest growth of any cloud segment. So says IDC.
So, if you’re thinking about stepping up to cloud adoption, but you’re worried about data security in your enterprise operations, what should you do?
“I think there’s a few approaches you can take,” says Appian’s Agam. “Number one, from your own internal organization, you should take stock of your most critical assets, and understand how data flows inside and outside your organization.”
Agam also says that if you’re partnering with a cloud provider, it’s important to understand which of your most critical data assets will be managed by your cloud service provider.
Know Security Requirements for Your Data
It’s also essential, he says, to know the security requirements that go with that data, because that’ll let you have a more open and honest conversation with your cloud vendor’s security officer about your compliance and regulatory requirements.
“Talk to their security officer,” says Agam. “And try to make sure they understand your industry. It’s important that they have the ability to speak your (industry) language. So, while they may not have the same security controls that you have, they may be able to demonstrate how what they’re doing maps to your requirements.”
Security Review Not Just Cloud Vendor’s Job
“Your security review of a cloud vendor is not a one-stop or one-time activity,” says Agam. It’s a continuous process that’s continuously evolving. You should constantly maintain it, which means conducting security reviews on a regular basis, whether you do it once a year or twice a year. Conduct audits by reading your vendors’ audit reports, their SOC reports, their PCI reports.
“If you’re a federal customer, review their FedRAMP certification documents. Because the only way to know if something’s working is to test it, and getting these independent audit assurances is a good way to manage your continuous monitoring program, without having to do a full-out audit yourself,” says Agam.
What it all comes down to is this. Security in the cloud—and on premises—is about adopting the right mindset.
The essential lesson: Take a policy-based approach to controlling what people can and can’t do with your business-critical data, across your organization.
Check Out the Podcast
In this thought-provoking podcast, Malcolm Ross sat down with Appian Chief Information Security Officer, Omesh Agam to take a fresh look at how to keep your data, applications and infrastructure secure in the cloud. Check out the conversation and learn:
- How to choose a cloud partner you can trust
- The latest mega trends in cloud adoption
- The top security management frameworks and standards
- The importance of audits and compliance in the cloud
- General Data Protection Regulation and why you should care about it