The IT security and threat landscape has changed dramatically with the transition to cloud computing. But while most companies now consider themselves to be primarily cloud-based, their approaches to managing related security risks have not evolved at the same pace.
On May 30, experts from Cyderes and a large U.S. retailer held a live webinar to discuss current approaches to cloud security – and how those could be improved.
Maturity Models Are No Longer Adequate
A widely used approach to securing data and assets in the cloud today is the so-called maturity model. This model relies on NIST guidelines, CSA compliance recommendations, ISO standards and CIS best practices to: 1) assess an organization’s readiness to use cloud services; and 2) define steps to optimize the maturity and capabilities of its cloud security controls.
Jeffrey Moore, the CISO of office-supply giant Staples, noted that the maturity-based approach “worked well when everything was on-prem and you had control of all your assets and areas, and it was a smaller environment.” But nowadays, he added, “the business is owning a lot of things in the cloud. They’re getting their own controls and building their own little pods. And they’re not as tuned up on security.”
With the maturity model approach, Cyderes Cloud Security Practice Director Patrick Carter said, “you’re wrapping that protection around your entire environment – you’re not looking at how to best protect your data. The question is: are you putting some of your most critical data that should be protected into Azure or AWS or Google Cloud?”
While cloud service providers offer a lot of high-quality tooling and work with vendors to complement that, Cyderes VP of Product Jason Sloderbeck stressed that “it’s still the classic security challenge of people and process.” That challenge has grown, he added, since there are now significantly more people involved than ever before – not just the SOC and security teams as before, but also software developers and DevOps and IT personnel, “who all have to get on board.”
Pivoting to a Risk-Based Approach
If the maturity model is losing viability, what’s taking its place? Enter what is known as the risk-based approach to cloud security.
This approach helps organizations proactively determine the extent of their cloud infrastructure and what data they have moved to the cloud, along with understanding and prioritizing the major risks associated with that cloud presence in relation to the business.
Carter outlined four steps organizations should take in transitioning their maturity-based methodologies to be more risk-focused.
The first – and hardest – step is identifying cloud use cases, in other words, defining and documenting how the organization consumes cloud resources and what data it puts in the cloud.
Once that step is taken, organizations can start to identify, prioritize, manage and measure their cloud security risks, which in turn permits them to define thresholds of acceptable risk.
From there, it is possible to start building controls, alerts and response plans aligned to each risk.
Importantly, Carter said, this analytical approach should encompass not just qualitative risk assessments but also more quantitative measurements (e.g., assigning dollar values to each risk) in order to determine the investment needed to properly protect data.
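The four steps above, carried through as a small risk register. This is an added example and not code from the webinar, from Cyderes or from Staples; it assumes a simple expected-loss model (annual likelihood multiplied by dollar impact) as the quantitative measure, and every use case, risk, figure and playbook entry in it is constructed for illustration.

```python
"""Toy risk register for a risk-based cloud security programme.

Added example (not from the webinar). Assumed model: each documented cloud
use case (step 1) carries risks with an estimated annual likelihood and a
dollar impact; expected annual loss ranks them against an acceptable-risk
threshold (step 2); each risk above the threshold gets a control, an alert
and a response owner (step 3); the expected loss a control removes bounds
what it is worth spending on it (the quantitative measurement). All data
below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class CloudUseCase:
    """Step 1: one documented way the organization consumes cloud resources."""
    name: str
    provider: str
    data_classes: Tuple[str, ...]


@dataclass
class Risk:
    risk_id: str
    use_case: CloudUseCase
    description: str
    annual_likelihood: float      # probability the event occurs within a year (0.0 - 1.0)
    impact_usd: float             # estimated loss in dollars if it does occur
    control: Optional[str] = None
    alert: Optional[str] = None
    response_owner: Optional[str] = None

    @property
    def expected_annual_loss(self) -> float:
        """Quantitative score: likelihood multiplied by dollar impact."""
        return self.annual_likelihood * self.impact_usd


def prioritize(risks: List[Risk], threshold_usd: float) -> List[Risk]:
    """Step 2: rank by expected annual loss and keep those above the acceptable-risk threshold."""
    ranked = sorted(risks, key=lambda r: r.expected_annual_loss, reverse=True)
    return [r for r in ranked if r.expected_annual_loss > threshold_usd]


def assign_treatment(risks: List[Risk], threshold_usd: float,
                     playbook: Dict[str, Tuple[str, str, str]]) -> List[str]:
    """Step 3: attach a control, an alert and a response owner to every risk above threshold.

    Returns the ids of risks that exceed the threshold but have no playbook entry,
    i.e. the gaps the programme still has to close.
    """
    gaps = []
    for risk in prioritize(risks, threshold_usd):
        if risk.risk_id in playbook:
            risk.control, risk.alert, risk.response_owner = playbook[risk.risk_id]
        else:
            gaps.append(risk.risk_id)
    return gaps


def justified_annual_spend(risk: Risk, residual_likelihood: float) -> float:
    """Upper bound on what a control is worth per year: the expected loss it removes."""
    residual = residual_likelihood * risk.impact_usd
    return max(0.0, risk.expected_annual_loss - residual)


# Constructed sample use cases (hypothetical names and providers)
PAYMENTS = CloudUseCase("payments-api", "AWS", ("PII", "payment"))
ANALYTICS = CloudUseCase("marketing-analytics", "Google Cloud", ("PII",))
BUILD = CloudUseCase("ci-build-cache", "Azure", ("internal",))

# Constructed risks: likelihoods and impacts are illustrative guesses, not measurements
RISKS = [
    Risk("R1", PAYMENTS, "public object storage exposes payment data", 0.10, 4_000_000),
    Risk("R2", ANALYTICS, "over-privileged service account leaks PII", 0.25, 800_000),
    Risk("R3", BUILD, "build cache deleted, pipelines stall for a day", 0.50, 20_000),
    Risk("R4", PAYMENTS, "stale IAM user credentials abused", 0.05, 1_500_000),
]

# Constructed playbook: risk id -> (control, alert, response owner); R4 is deliberately missing
PLAYBOOK = {
    "R1": ("block public ACLs at the account level", "alert on any public bucket policy", "cloud platform team"),
    "R2": ("quarterly least-privilege role review", "alert on new wide-scope role bindings", "data platform team"),
}

ACCEPTABLE_RISK_USD = 50_000   # assumed threshold of acceptable annual expected loss


def build_register() -> List[Tuple[str, float, Optional[str]]]:
    """Run all steps; return (risk id, expected annual loss, control) for each prioritized risk."""
    assign_treatment(RISKS, ACCEPTABLE_RISK_USD, PLAYBOOK)
    return [(r.risk_id, r.expected_annual_loss, r.control)
            for r in prioritize(RISKS, ACCEPTABLE_RISK_USD)]


if __name__ == "__main__":
    for risk_id, eal, control in build_register():
        print(f"{risk_id}: expected annual loss ${eal:,.0f}; control: {control or 'NONE - gap'}")
    print(f"Justified spend on R1 at 1% residual likelihood: "
          f"${justified_annual_spend(RISKS[0], 0.01):,.0f}")
```

With these constructed figures the register ranks R1, R2 and R4 above the threshold, leaves R3 as accepted risk, and flags R4 as a gap with no control, alert or owner; the justified-spend figure shows how a dollar-valued risk turns into a budget ceiling for the control that treats it.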
Benefits of a Risk Focus
One of the biggest advantages of a well-executed risk-based approach to cloud security is enhanced visibility. “You know where the data is, who owns it and where it’s going,” said Moore. “You’re not focusing on small chunks of it but seeing a bigger picture and where you can prioritize your resources and controls.”
Carter added that a risk-based approach can be tailored to each individual application and development cycle, and it integrates much more easily into an organization’s DevOps environment.
And while a risk-based approach directly improves security effectiveness, it has a broader upside as well. Sloderbeck put it this way: “Taking the time to identify, prioritize, manage and measure helps you define your high availability and support model from the cloud side as well as from the security side. Once it’s done correctly, there’s a benefit for the business as a whole.”
The expert panelists addressed several other cloud-related issues during the hour-long webinar, including governance, data protection laws, regulatory compliance and the role that artificial intelligence will play in cloud security. They also agreed on the crucial need for employee training and continuous learning. As Moore said, “If you stop learning in this field, then game over.”
Watch the Replay of the Cloud Security webinar
Watch now to gain valuable insights and practical tips to help you build a risk-based approach to securing your cloud environment.
Take Your Cloud Security to the Next Level
Our team is here to help. Schedule a time to connect with our team of leading Cloud Security experts for an assessment of your cloud security architecture.