Europe Sub Menu Opened
Americas Sub Menu Opened
Asia & Pacific Sub Menu Opened
India & Middle East Sub Menu Opened

Africa
< Technology Trends

Underground or in the Cloud: The Reality of Risk

comments.png liked.png
comments.png

November | 2021

Underground or in the Cloud: The Reality of Risk

Wipro and AWS had a great interaction over a two-day round table from September 13 to 15, 2021, with senior security leadership across various industry verticals. This was followed by a panel discussion on day three at the GDS Security Summit titled – ‘Building a Positive Security Culture Around the Business’.

This article summarizes the discussions and the key learnings from the recently concluded roundtable. 

Risk is omnipresent and uncontrollable

Risk, by its very definition, is deemed uncontrollable; and the need to invest in security is an absolute realization across the board. With new threats emerging constantly, responding to them is becoming costly and time consuming.

The roundtable focused on best practices around: 

  • Emerging and new threats and how can they damage the business
  • Tools and technologies emerging to combat new threats
  • The right approach – reactive or proactive
  • Various strategies to improve the stance of the organization’s security 

Business imperatives and challenges

The key imperatives discussed at the roundtable included:

  • The board needs to be more interested and involved in cyber and cloud governance. Organizations are forced to find modern ways to secure their cloud environment. 
  • There is always a tradeoff between selection of native and third-party security controls in case of cloud. How to balance security and ROI leveraging combination of cloud native and third-party solutions?
  • How do I provide assurance to my internal customers (LOBs) on security and compliance adherence of different business applications hosted on the cloud platform?
  • How to identity fatigue and issues around entitlements?
  • Is Zero Trust a myth or reality – Is this an aspirational journey or something else?
  • Cybersecurity is an area of niche skills, with cloud security elevating it to another level. How do I handle the challenges of lack of staff with the skills to manage security of cloud?

Observations and recommendations

  • Board buy-in and support: Company boards have started taking interest in security matters more than ever before. The conversations between the board and security teams have evolved, with the board being more aware and cognizant of serious implications on security. There should be constructive dialogue and cadence between the board and CISO / security group to review security risk posture of the organization and security should become part of board.
  • Better return on investment (ROI) while being secure: Organizations often need to pick a combination of hyperscaler provided native security services and third-party solutions. There is a need for a “multi-cloud security controls framework” and careful selection of hyperscaler native and third-party security controls to ensure that the requisite level of security is aligned to the technical requirements, to achieve better ROI. It is also recommended for organizations to identify and enforce uniform / common security controls across your multi or hybrid cloud environment.
  • Security risk posture visibility for lines of business (LOBs): Providing the right set of visibility of security risk posture for various business applications running in the cloud is one of the key KPIs of the IT or security organization. It is recommended for organizations to look for capabilities, frameworks or solutions that continuously monitor the cloud environment from a security perspective. It should be able to provide continuous risk and compliance adherence view of business applications through a single pane of glass with easy visibility to the LOBs.  
  • Identity and entitlement issues: Cloud based digital identities can scale up quickly. The entitlements and permissions can become complicated while figuring out who has access to which data across the cloud platforms. This may result in high-risk and over permissioned identities creating intentional or unintentional damage in your environment. It is recommended to apply the principle of least privileges and adopt a CIEM (Cloud Infrastructure Entitlement Management) framework to get visibility into over provisioned and inactive identities, cross account access and other related aspects.
  • Zero Trust – Next wave to ride on: While no security is foolproof and data breaches will probably never be eliminated, Zero Trust helps reduce the attack surface to minimize the cost and time spent on responding to data breaches. It works on the principle of ‘trust no one and verify everyone’. It aims to bring tighter security for users, devices, and connections – every time. Depending on the maturity of the organization, it is recommended to start exploring how Zero Trust helps in meeting technical requirements and provides assurance to security initiatives. Keep in mind that Zero Trust is a continuous process!
  • Cloud security skill challenges: Cloud security skill shortage is a key pain point for IT security and hiring teams and is likely to escalate in the future. Cloud security skills are hard to find and often come with a premium. One of the ways to overcome this challenge is to adopt automation! There are multiple ways in which automation can be achieved in cloud. This could include building MVP (Minimum Viable Product) in an automated fashion leveraging Infrastructure As a Code (IaC) and hyperscaler provided automation capabilities, embedding automated security in DevOps lifecycle and most importantly building the right set of playbooks to identify and detect potential security issues or incidents and reconfigure your cloud environment leveraging APIs. 

The way forward for cloud security

Security needs to be an enabler to the business rather than a hindrance. Organizations need to understand the tradeoff between a proactive and reactive approach and have a combination of both while defining their strategy for cloud security. Embrace a shift left approach to make sure applications are developed and managed in a secured fashion in the cloud. Look at applying a combination of some of the recommendations to make your cloud journey secure and build a culture of frictionless security in the cloud.

Industry :

About the Author(s)

Underground or in the Cloud: The Reality of Risk

Siva VRS
GM & Global Head – Cloud & Infrastructure Security Practice at Wipro's Cybersecurity and Risk Services

Siva is responsible for building security practice, solutions, consulting, delivery and overall strategy. He has over two decades of global experience in heading sales, practice, alliances, consulting, and delivery. 

Underground or in the Cloud: The Reality of Risk

Bhaveshkumar Bhatt
Practice Head – Cloud Security Practice at Wipro's Cybersecurity and Risk Services

Bhavesh is a cybersecurity professional with more than 20 years of experience covering business strategy definition, solution build, design and offering development, along with program and delivery management across industry verticals.

Related Blogs

blog image

Risk in the ESG Age

A tidal wave of ESG regulations is looming across markets. To prepare, companies are shifting responsibility for sustainability management and reporting to the risk management domain. Risk executives are investing in enhancing their governance, risk management, and compliance (GRC) systems to account for ESG factors.

Abraham Orden May 27, 2022
blog image

Exchange of Cyber Threat Intelligence Among Peers Using Decentralized Identity Networks and IoFT

The ability to exchange cyber threat intelligence (CTI) in privacy preserving and in a secure manner is vital for enterprises to manage their security risks effectively.

Vinod Panicker March 03, 2022
blog image

Cybersecurity through collaboration

During the pandemic, dependence on digital technologies has seen unprecedented growth. From managing remote workforces to catering for changing customer expectations, the paradigm shift towards digital has brought a host of security challenges.
Dennis Joshua December 06, 2021
X

popup-image