The way business is conducted has undergone a rapid change in recent years, with an increasingly strong emphasis on immediate anytime, anywhere access to essential resources. Migrating applications to the cloud presents one of the most effective ways of meeting this demand. Through the cloud, organisations are able to pursue mobile working strategies that empower employees to work at full capacity regardless of their location, while simultaneously improving both agility and cost efficiency by reducing their infrastructure overheads.
With a large and ever-expanding market of cloud providers available for practically any task, most organisations have incorporated a multi-cloud approach. Around 81 per cent of companies using public cloud infrastructure are using at least two different providers, according to Gartner.
A multi-cloud approach can provide an enterprise with great flexibility, as new resources can be freely added or scaled back as the situation dictates. However, as with all technological innovations, moving to the cloud comes with its share of challenges, many of which are multiplied along with the number of providers being used.
A new layer of complexity is added when it comes to locating and securing dispersed data housed in numerous environments. Ensuring compliance with data privacy and security regulations also becomes a more convoluted task, as organisations must account for data being held with different providers, potentially in locations around the world.
Organisations using a multi-cloud approach must ensure they align their strategy and chosen providers with their risk profile, as well as taking the time to put in the necessary consideration, planning and communication to maximise the benefits and minimise the potential risks.
Vetting cloud-based third-party providers
Conducting business in the cloud necessitates putting a huge amount of trust in the third-party providers hosting the service. Entrusting sensitive data to a poorly secured cloud host is an open invitation to a data breach. This means it is essential that enterprises undertake thorough vetting for all cloud providers they choose to work with.
Nevertheless, it is common to find that this essential due diligence is not carried out effectively. There are multiple reasons for this shortcoming, with one common issue being a lack of resources in the security team. Netskope’s 2019 Cloud Security Report found that a lack of qualified staff is one of the biggest challenges for security operations centres. The report also found that roughly half of cybersecurity professionals consider cloud-enabled security to be one of the most valuable areas for ongoing training and education.
It is also common to find that security leaders are left in the dark when new cloud providers are brought on board. Third parties that have been introduced via departmental channels, for example, may be added to the environment while skirting around normal vetting processes. Businesses may also not even consider large cloud infrastructure providers such as Microsoft Azure, AWS, or the Google Cloud Platform to be third parties at all, and therefore fail to vet them with the same scrutiny.
No matter how the cloud service was introduced to the enterprise, all new providers must go through the same standard checks to ensure they have adequate security measures in place.
Firms that already have a third-party or vendor risk management process in place can use this as a solid starting point. Regardless of the specifics of dealing with the cloud, the fundamentals of third-party risk management still apply and will go a long way in ensuring cloud vendors are vetted effectively.
Focusing on security
The most important aspect to concentrate on when assessing a third-party cloud is how it will interact with your data, and what kinds of risk that poses. Will the vendor be handling sensitive credit card data, personally identifiable information (PII), intellectual property or other business critical assets? Are there any specific compliance regulations such as the GDPR, CCPA or PCI DSS that will be applicable to this data?
Following this assessment, the enterprise should be in a position to judge whether the provider has the security measures in place to keep these assets safe and compliant with the regulators. If the cloud vendor is able to match the organisation’s security demands and falls within its appetite for risk, it can proceed.
It’s also important to integrate this risk assessment into the contracting phase. It may be possible to change certain terms or contract details to reduce the risk and ensure the cloud vendor isn’t sidestepping its responsibilities.
However, no matter how thorough the vetting and how well constructed the contract, organisations should always assume they are the ones that ultimately carry all the risk and responsibility for their data. The owner of the data will always be the one to suffer fines, reputational damage and customer loss.
This point has become particularly important as more data privacy and security regulations have come into play. The GDPR and CCPA both explicitly state that an organisation is still on the hook for any breaches involving the data it owns, regardless of the involvement of a third party.
Choosing between native or non-native cloud security tools
There are cloud-based solutions for almost any business task today, and that includes cybersecurity. Alongside choosing their third-party cloud providers, organisations are also faced with the decision to use cloud-native tools to secure their cloud environment or stick with non-cloud-based options. Both approaches have their own pros and cons and the decision can have a long-term impact on how the organisation addresses cloud security as it continues to grow and develop its cloud strategy.
One of the biggest priorities should be to reduce complexity, particularly when it comes to multi-cloud environments. Cloud-native tools are often localised for specific cloud platforms and may not be easily adapted for others. Non-native security solutions that can be configured to deal with multiple different clouds simultaneously can be beneficial in a multi-cloud environment, delivering savings in cost and time. Even if an organisation is only using a single cloud at the moment, there’s a high chance this will change, so it’s important to think ahead and pick a solution that can deal with multiple clouds in the future.
Conversely, native cloud tools also help in reducing the complexity for the security department because they keep a lot of the work and function of a team within the cloud environment. This approach reduces the need for the security team to grapple with new tools, as native tools do not add further platforms and are designed to work seamlessly with the corresponding cloud environment.
Selecting the right third-party cloud provider and the tools to secure these environments are not decisions to be taken lightly. Each addition to the network should involve a careful and deliberate vetting process. This should account for the organisation’s internal risk tolerance, the potential impact of a security incident, and the effects on the organisation’s operations in both the long and short term. These decisions will have a major influence on the enterprise’s digital transformation journey. Focusing on cyber-resilience will help to ensure the organisation is free to grow and develop, including embracing a multi-cloud approach, without exposing itself to unnecessary risk.
Mattias Deny, VP Managed Security Services EMEA, Trustwave