Cyber security and cloud security are becoming synonymous. The only difference is the deployment environment. All the principles CISOs have talked about for years — data protection, identity and access management, infrastructure and vulnerability management — are all applicable to cloud security. What's different is the technology stack. The environment in which these security controls are deployed requires extreme automation, from deployment through monitoring and remediation. The ‘what’ and the ‘why’ haven’t changed much, but the ‘where’ and the ‘how’ most certainly have.

Cloud security in the digital transformation age

While digital transformation propels cloud adoption and usage forward, it also puts institutions and businesses at greater cyber risk. Lack of cloud security skills means the business of protecting the organization operates at a distinct trust deficit. Cloud may be everywhere, but so are hackers and other criminal actors.

As cloud adoption has proliferated, the stack has changed. The cloud environment requires increased reliance on automation, from deployment to monitoring to remediation. Manual intervention leads to a higher rate of incidents caused by internal misconfigurations; in fact, according to research by Aqua Security, 90 percent of organizations are vulnerable to security breaches attributable to cloud misconfigurations.[1]

Many firms expect the cloud development team to also function as the security engineering team. That is neither realistic nor sustainable. Ideally, the security engineers are deep subject matter experts on that critical discipline and have relevant perspective on the basic structure and needs of the cloud environment. Similarly, cloud developers should be conversant with the role of security, but spend the majority of their time designing systems, coding, and analyzing and maintaining the virtual environment. Certainly, organizations should expect cloud developers to embed security in their products to a much greater degree, but development teams should never be the security backstop.

Additionally, the skillset consistent with a traditional security road map is not necessarily right for cloud and cloud security deployments. It is easier for a cloud-native developer to get up to speed on security practices than for a traditionally trained security professional to understand the nuances of cloud development. In today’s world, open source, ‘infrastructure as code’ and the corresponding tools for provisioning cloud infrastructure are essential for all types of cloud environments.

The key skillset for cloud and cloud security is the developer skillset — the ability to write code and script and understand how DevOps works. Teaching professionals with that perspective the tenets of security, rather than security professionals how to write code, is a more effective strategy.

Karel Dekyvere
Director, Technology Advisory
KPMG in Belgium

What’s your move?

When it comes to security, cloud transformations must prioritize a broad array of regulatory and contractual factors. In terms of regulation, the veritable ‘alphabet soup’ of regimes — General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA), Directive on Security of Network and Information Systems (NIS Directive), Payment Card Industry Data Security Standard (PCI DSS), etc. — continues to drive compliance complexity, especially around security, and should be top of mind. In this environment, security teams are encouraged to add cloud security posture management (CSPM) to their toolbox. This automated class of tools offers pre-configured policy checks mapped to specific regulatory regimes to help identify cloud-related misconfiguration issues and compliance risks. With the click of a button, potential misconfigurations can be scanned and identified.
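As an added illustration (not from the original article or from any particular CSPM product) of what such a policy pack looks like in practice: each check is tied to a resource type and to the regimes it is assumed to support, and a scan can be filtered by regime. The resource inventory and the regime mapping are constructed for the example and are not an authoritative control cross-walk.

```python
"""Minimal CSPM-style policy engine (illustrative; not a real product's API)."""
from dataclasses import dataclass
from typing import Callable

# Constructed inventory, standing in for what a CSPM tool collects from the provider's APIs.
INVENTORY = [
    {"id": "bucket-logs", "type": "storage", "public_read": True, "encrypted_at_rest": True},
    {"id": "bucket-pii", "type": "storage", "public_read": False, "encrypted_at_rest": False},
    {"id": "db-cards", "type": "database", "encrypted_at_rest": True, "publicly_accessible": True},
    {"id": "db-hr", "type": "database", "encrypted_at_rest": True, "publicly_accessible": False},
]

@dataclass
class Check:
    name: str
    resource_type: str
    regimes: tuple            # assumed regime mapping, for illustration only
    failed: Callable[[dict], bool]  # True when the resource violates the policy

# Pre-configured policy pack: each check knows which regimes it is mapped to.
POLICY_PACK = [
    Check("storage-no-public-read", "storage", ("GDPR", "PCI DSS"), lambda r: r["public_read"]),
    Check("storage-encrypted-at-rest", "storage", ("GDPR", "HIPAA", "PCI DSS"), lambda r: not r["encrypted_at_rest"]),
    Check("database-not-public", "database", ("PCI DSS", "HIPAA"), lambda r: r["publicly_accessible"]),
    Check("database-encrypted-at-rest", "database", ("GDPR", "HIPAA", "PCI DSS"), lambda r: not r["encrypted_at_rest"]),
]

def scan(inventory, policies=POLICY_PACK, regime=None):
    """Return one finding per failing (resource, check); filter to checks mapped to `regime` if given."""
    findings = []
    for check in policies:
        if regime and regime not in check.regimes:
            continue
        for res in inventory:
            if res["type"] == check.resource_type and check.failed(res):
                findings.append({"resource": res["id"], "check": check.name, "regimes": check.regimes})
    return findings

def summarize_by_regime(findings):
    """Count how many findings touch each regime, the view a compliance report needs."""
    counts = {}
    for finding in findings:
        for regime in finding["regimes"]:
            counts[regime] = counts.get(regime, 0) + 1
    return counts

if __name__ == "__main__":
    for f in scan(INVENTORY):
        print(f"FAIL {f['resource']}: {f['check']} ({', '.join(f['regimes'])})")
    print(summarize_by_regime(scan(INVENTORY)))
```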

On the contractual front, both cloud providers and the companies that use their services are entering into shared responsibility agreements that often are misunderstood, especially on the client side. As a result, ownership of security of the cloud versus security within the cloud can be a murky concept. It becomes even more vexing when analyzing platform, infrastructure, and software as a service. Organizational security teams should promote the view that all data that sits in the cloud is the responsibility of the organization. On that basis, data needs to be encrypted (where appropriate, of course), and protected with the relevant controls.

CISOs and their teams are encouraged to work with business partners to help ensure everyone understands cloud-specific security requirements, and to collaborate with the provider to avoid misconfigurations. Organizations that take this approach and seek to remain informed cloud customers can position themselves for success.

You can also think of it as a subtractive model. This means that as you move from infrastructure as a service (IaaS) to software as a service (SaaS), the security team is responsible for less and less of the security estate. Either way, with the accelerated march to the cloud, enterprises should be ready to secure their own cloud-based data, especially through automation tools and protocols, within every type of contractual relationship.

To help ensure that cloud deployments feature a level of security fit for your organization and its risk profile, along with rich features and functionality, a strong recommendation is to build a dedicated cloud security team that is centralized from a governance perspective and distributed across the organization when appropriate. Once structure and skills are securely in place, this team can be distributed into, or aligned with, specific business units. Continue to automate everything you can, where appropriate, particularly in the areas of deployment, monitoring and remediation.

Security architecture and knowledge of your cloud provider’s technology and security stack will likely be key in automating your security controls and strengthening your overall security posture. The cloud doesn’t protect and heal itself, but knowing your options and security obligations can make it much easier to efficiently deploy leading security controls.

Andreas Tomek
Global Cloud Security Leader, KPMG International
Partner, KPMG in Austria

Some key actions to consider for 2022

  1. Automate your cloud security, especially around deployment, monitoring and recovery, eliminating manual processes
  2. Build a centralized cloud security team that comes from the development ranks versus leading with traditional security skills
  3. Lock in the operational responsibilities in a shared model, defining which entity is responsible for security in the cloud and which entity has responsibility for security of the cloud
  4. Look to security posture management tools that have pre-configured policy checks mapped to different regulatory regimes
  5. Construct an incident response process that is in sync with your broad cloud strategy