While organisations continue to reap the benefits of cloud computing, they are confronted with questions about onboarding data to cloud and redesigning existing cloud security controls to safeguard against ever-evolving data breach and cyber incident patterns.
Today’s cloud is much richer and more nuanced than it was at its inception, over ten years ago. Cloud consumers now have more native options, stronger security and privacy tools, and enhanced measures for detecting, responding to, and preventing security breaches. As the processes, regulations and knowledge surrounding the cloud continue to improve, these advances have increased customer confidence and eased the burden for IT functions.
Historically, data security has been one of the biggest obstacles to cloud adoption. In fact, many clients still hesitate to migrate their entire data landscape to cloud. Further, with burgeoning data breaches and cyber incidents, organisations struggle to establish right-fit data controls across their multi/hybrid cloud environments. So, it’s important to understand some of the common security concerns, to separate them into assumptions versus realities, and to leverage appropriate cloud controls to ensure data security.
In this context, what are the prevailing assumptions which impede data-on-cloud adoption, and how can you redesign existing security controls to enable enterprise data trust on cloud?
Prevailing assumptions and their realities
With the continued rapid adoption of cloud, especially with the delivery of artificial intelligence (AI) services, it becomes imperative to bring most of the data to cloud in order to yield maximum benefits.
For many enterprises, data migration is hindered by the following prevailing assumptions/myths:
- Assumption - Cloud security is far too difficult to maintain, for example implementing the 3:2:1 backup rule in multi/hybrid cloud scenarios.
- Reality - The same standardisation applied to on-premises security management can be applied to cloud security management.
- Assumption - Cloud security costs more
- Reality - Automation offerings and feasible infosec integration options help enterprises uphold a 100:10:1 (engineers, ops, infosec respectively) workforce ratio, thus balancing people cost and optimising employee productivity.
- Assumption - Cloud is inherently insecure
- Reality - A multi-tenant cloud would be more secure, because it makes it difficult to target a particular company or data set.
- Assumption - There are more breaches in the cloud
- Reality - When the correct security policies for preventing attacks and detecting them are implemented, attacks are no more threatening to the cloud than any other piece of infrastructure.
- Assumption - Establishing the security controls is a one-time initiative (static process)
- Reality - With ever-evolving threat patterns / data breach incidents and the evolution of cloud security controls, establishing cloud security becomes a dynamic process. It demands an iterative approach to improving security controls and ensuring data sovereignty.
There is no shortcut to devising a data security strategy, and cutting corners will produce daunting results in the future. Hence, data security is something which needs to be built brick-by-brick in a standardised manner. Though cloud offerings provide adequate security controls, there are legitimate residual challenges for security on cloud:
- Governance & Compliance: Enterprises require streamlined mechanisms to:
  - Comply with government mandates/regulations and enforce organisational policies
  - Manage data availability and BC/DR in cloud
  - Store customer records in the required geography in line with the applicable regulatory norms
- Digital Identity:
  - Frame a flexible and centralised ‘Identity and Access Management’ strategy
  - Define request, authorisation, certification, and audit processes
  - Extend the SSO solution to cloud apps and review the security of the implementation (APIs)
- Data Privacy & Protection: Across multiple industries, organisations struggle to:
  - Migrate sensitive data (personal, health, finance) into the cloud
  - Establish adequate data privacy guardrails, such as sole tenancy and data purge mechanisms
  - Resolve security concerns for the communication channels between the cloud and existing infrastructure
- Cyber Defence:
  - Ensure adequate and timely knowledge about a security incident or a data breach
  - Integration concerns with cloud provider security capabilities for monitoring and incident response
  - Enablement know-how for advanced analytics, advanced vulnerability management and active defence
Enabling enterprise data security on cloud
Whether enterprises are in the initial stages of their data migration to cloud or are already operating on cloud, the KPMG Data Security on Cloud module furnishes an assessment approach for optimising cloud security controls by identifying key data profiles, classification criteria and associated risks, along with technology (process and tool) evaluation and detailed architecture design. This leads to a holistic data security strategy and plan to establish enterprise data trust. The KPMG capability has vast experience in resolving cloud security challenges for multiple large enterprises, delivering tangible results.
- Data discovery
Analyse the underlying data subject areas and systems of insight to determine the current level of associated risk and redundancies within security. To understand and analyse the gaps, leverage KPMG’s Cloud Data Security Controls Framework.
- Data security characterisation
Determine the data security requirements, including data classification, data store protection, data loss prevention and data compliance with infrastructure controls, and design technology guardrails for detailed security design and pilot implementation, using KPMG’s Cloud Data Security Cartridges.
- Strategy & Actionable Roadmap
Define enterprise strategy for data security rollout, implementation plan and feedback procedures for remediation.
Organisations that are committed to digital transformation will develop and implement data security strategies that reduce risks and will continue to do so in a sustained manner as the security landscape evolves. Once data security principles have been established, the rest of the transformation journey involves collaboration between business users, IT, technology, and the data community to be clear on the objectives for data usage and how the tools will become embedded within day-to-day operations and decision making. This collaboration is essential to ensure successful adoption of new tools and ideas, and also to progress on your journey to become a data-driven organisation.
For more information on how KPMG can help you drive maximum value from your data security journey, please get in touch.