Deriving best practices from a security-first, cloud native mindset

If there’s one thing we can say about the cloud, it’s that it’s always evolving and continues to be disruptive to the enterprise. Although the cloud industry has matured, the cloud’s ever-changing nature means that organisations must continually evaluate their assumptions. This is useful, not just because the number of cloud vendors and offers continues to expand—the industry is set to grow by almost another 100 billion dollars in the next two years—but because as cloud merges with the enterprise, the regulatory landscape is changing to reflect this.

Amidst the sea of change, one of the only constants is the risk of data loss, either as a result of cloud threats or human error. According to Gartner, “through 2025, 99 per cent of cloud security failures will be the customer’s fault.” This statistic is borne out by headlines as recently as this year, like Microsoft’s January breach disclosure impacting 250 million customers. The frequent nature of these terrifying incidents has prompted many to ask if the cloud is secure. This deceptively simple question obscures the complexity of cloud environments as well as the commitments that both customers and vendors share in securing the cloud.

How secure is the cloud?

Although it sounds counterintuitive, asking if the cloud is secure is the wrong question for organisations to focus on. The truth is that the cloud, like every technology before it, has risks. As was the case before the cloud era, security is something that needs to be deliberately implemented and maintained through the use of tools, policies, and enforcement. While it’s true that cloud application developers and service providers have a responsibility to make security controls accessible to users, they are not responsible for implementing the configurations appropriate for your organisation’s specific compliance and security obligations. 

As for the cloud’s susceptibility to attack, hackers tend to be efficient creatures, and the steady availability of misconfigured and unpatched cloud systems is low-hanging fruit far too enticing for them to ignore. Essentially, in the cloud there’s no hope of security through obscurity: if your organisation is not actively thinking about how to secure cloud systems and maintain data visibility, there’s little reason to assume that your data hasn’t already been compromised.

Developing the right mindset for cloud security

Rather than asking if the cloud is secure, organisations should change their mindset about the cloud. Cloud security isn’t about migrating into an already secured environment, but about understanding the steps you need to take to secure your cloud. Having this understanding won’t guarantee that cloud migration will be smooth sailing, but it’ll be critical to your ability to properly anticipate cloud risks and respond to them quickly.

Cloud security starts with the adoption of a “security-first” mindset. This involves thinking about security in tandem with how you implement your cloud architecture, which can run counter to the business pressures that push departments and whole companies to migrate to the cloud. Consider, for example, that only 32 per cent of organisations employ a security-first approach to cloud data storage. This is why, ideally, the first conversations around the adoption of a new cloud service or product shouldn’t be about how it fits into your organisation’s budget, but rather about whether it fits into your organisation’s security and compliance goals. In the long run, if you’re unable to secure a technology, then the business case, affordability and ease of deployment don’t matter, given the costs of security failures like data breaches. Organisations that take a holistic, security-first perspective on cloud migration will likely be better able to comply with privacy regulations and respond to security risks.

The other perspective that’s crucial to cloud security is a cloud native mindset, which is to say that organisations that adopt cloud services must stay abreast of technologies and techniques specifically adapted to the unique security challenges of the cloud. Cloud threats differ in many ways from more traditional security threats and the rise of multicloud means that organisations need security solutions that are adaptable and agnostic if they wish to maintain visibility and control of their data across cloud systems. A cloud native mindset encourages organisations to address cloud security problems more efficiently with tools built for the cloud.

Putting it all together

A security-first mindset, coupled with a cloud native mindset, can provide a great starting point for organisations wanting to migrate to the cloud securely. While the particulars of your security strategy will ultimately depend on your organisation’s industry, operating procedures, and regulatory burdens, developing these mindsets can provide high-level insight into some of the most important best practices for building a robust and securable cloud architecture.

  • Consistency is central to cloud security

If cloud security could be reduced to a single word, that word would be consistency. The key to cloud security is first implementing rules and policies designed to protect your data, and then designing your architecture so that these policies are maintained. In an ideal world, all of this would exist before your organisation considers a cloud migration. However, organisations might not always have this luxury, as occurrences like shadow IT may lead to cloud security failures. At its worst, shadow IT can result in a disparate “multicloud” environment that might be hard to secure without a strategy. While fighting shadow IT may prove difficult, if not impossible, that doesn’t mean you have to abandon hope of securing your data in the cloud. Wherever possible, make sure that you have data and IT governance policies that are transparent, flexible, and can be used to enforce a degree of consistency across your cloud environments.

  • Always have eyes on your data

At the end of the day, what matters is whether or not your data is secure. Having data visibility in cloud environments is therefore paramount. As your cloud architecture grows in complexity, data visibility should be baked into your governance policies. Your organisation can consider investing in technologies like data loss prevention tools to ensure that both visibility and other data policies are maintained in the cloud.

  • Look for tools that integrate directly with your cloud architecture

Given the complexity that exists within modern cloud environments, deploying cloud native tools makes the most sense. Effective cloud native tools typically include features like automated responses to security incidents in the cloud as well as consistent visibility across all of your cloud environments.

Ultimately, prioritising security over ease of adoption and ensuring that your cloud architecture is optimised for data visibility should always be key aspects of your security framework, and a security-first, cloud native mindset will help you remember this.

Michael Osakwe, Content Marketing Manager, Nightfall AI

Michael Osakwe is a tech writer and Content Marketing Manager at Nightfall AI.