In the rush toward cloud-enabled agility, organizations can’t afford security mistakes that could undercut digital innovation efforts. That’s why IT and security leaders need to adapt traditional security postures to support, and secure, the new world of hybrid and multi-cloud environments. The goal: balance the drive for agility with a secure and resilient architecture.
As public and hybrid cloud environments gain traction, it’s become easier for business stakeholders to deploy applications and workloads in the cloud without IT assistance. While the paradigm shift enables a faster response to changing business needs, it also increases the likelihood that critical data and corporate IP is exposed beyond the secure perimeter of the traditional enterprise.
At the same time, the cybersecurity threat landscape has intensified. The Verizon Business 2021 Data Breach Investigations Report (DBIR) noted unprecedented security challenges over the past year, exacerbated by the global pandemic. The report cited increases in phishing and ransomware attacks and a significant rise in web application attacks — comprising 39% of all breaches this year — which underscores companies’ vulnerability when transitioning to a cloud-dominant environment.
Against this backdrop, it’s no wonder that managing security is the No. 1 focus of CIOs surveyed in IDG’s 2021 State of the CIO study, ahead of other core IT activities such as implementing new systems and architecture, improving IT operations and aligning IT initiatives with business goals. More than half (57%) said the current socioeconomic pressures had caused them to increase cybersecurity protections.
A key issue is that old-school information security checklists and sit-down security reviews don’t work in an era of agile development. “That approach worked when you were doing waterfall development and had six to nine months to deliver a program,” says Steve George, EY Global Chief Information Officer. “But now, with the advent of agile development and cloud, two weeks can be the whole project. You have to step back and think about security in a new way.”
Leading practices for balancing business agility and security
As organizations reexamine their security postures, there are a number of leading practices that can help balance agility and security in the cloud. Here are four to consider:
1. Employ a “shift left” approach to security. Perhaps the most important tenet for safeguarding hybrid and multi-cloud infrastructure is the embrace of security by design practices for software development. Instead of building an application and then looping in security operations to think about how to protect it, this new approach integrates security considerations at the onset — all the way back to the requirements stage, to determine the impact of security controls on employees or customers who will be using the app.
“Simply stated, it’s shifting security to the left, into the development organization where we traditionally haven’t been,” says Kris Lovejoy, EY Global Cybersecurity Leader.
Organizations are lagging in that shift. From the EY 2020 Global Information Security Study, just 36% of respondents said the cybersecurity team is involved in the planning stage of a new business initiative. Moreover, the study found that 77% of cybersecurity spending is defensive in nature, focused on risk or compliance rather than opportunity. “This isn’t about checklists to see if you did it after you’re done,” says George. “It’s about designing security into the build.”
2. Leverage reusable, trusted components. The cloud model is built around the concept of components, rather than monolithic applications, which can be reused to speed development and deployment of new services. From a security perspective, application components should be established as secure and made easily available to the development team. “From an architectural perspective, it’s the concept of reusability and the application of policy as code, similar to what we did in a mainframe environment,” says Lovejoy.
In that way, trusted components can be reused and mixed and matched to speed development and ensure security is integrated from the earliest stages. A formal component reuse strategy will nurture trust in systems, designs and data, enabling organizations to move beyond a reactive security posture to a proactive approach that reduces risks.
“It’s all about making sure reusable components work in your cloud environment, and if you can’t, then you need to sit down with the security architects and think about what’s going to be different with this application,” says George.
3. Find trusted cloud partners. Security is a shared responsibility between cloud providers and their customers, with providers securing the cloud infrastructure and customers responsible for securing their data and workloads running in the cloud. The major cloud hyperscalers offer subtle but important differences in their approach to shared responsibility policies. Make sure provider policies align with the specific workloads you’re looking to migrate to the cloud to best match your needs and tolerance for sophistication and configuration.
It’s also critical to think beyond initial set-up to ongoing security maintenance. “Security postures today have to be able to react to a world of dynamic change,” says Lovejoy. “There has to be an affinity between the environment you select and your development team, such that they can meet the organization’s mission and goals.”
Strong partnerships will also give organizations access to the advanced capabilities cloud providers have deployed to be more proactive about security. Artificial intelligence and machine learning are emerging as critical tools for cybersecurity for advanced threat monitoring, detection and response. Cloud providers have integrated these technologies to rapidly process high volumes of data to identify threats and automate responses to alert and, in some cases, mitigate threats. “Automation and monitoring have become absolutely critical as workloads are spread across different tech stacks,” says George. “You need systems that not only help you watch for issues, but also automatically take steps to resolve them.”
4. Continue to raise the security profile. Given an ongoing spate of high-profile data breaches and ransomware attacks, cybersecurity has become a pressing boardroom issue and a top priority for the C-suite. Yet the EY 2020 Global Board Risk Survey found that only 20% of boards are extremely confident current mitigation measures offer adequate protection from modern-day attacks. It’s up to the CIO and CISO to work collaboratively with C-suite colleagues and the board to communicate cyber risks and strategies in a language the business understands.
“As the world evolves, technology is changing so quickly, the attack avenues will only escalate,” says George. “The key message is, you’re never done. There is no end state. You have to keep reiterating through what’s new and what’s different.”
A proactive approach to security, supported by alignment across all parts of the business, can give business and IT leaders confidence that they can continue to capitalize on the promises of cloud-driven transformation without increasing risk.
For more information about how Ernst & Young LLP can help you unlock long-term value for your stakeholders and thought-provoking content for technology professionals visit ey.com/CIO.
Disclaimer: The views expressed by the authors are not necessarily those of Ernst & Young LLP or other members of the global EY organization.