Disruption on High: Managing Cyber Risk in a Multicloud World
Digital transformation is happening and with it comes the pain of disruption. For many organizations around the world, it looks like this: your workforce is increasingly mobile, employees are using a variety of devices to access your network, and utilizing potentially an unknown amount of cloud services and applications. In addition to your workforce and IT systems changing, the solutions deployed in your environment are also changing how you interact with your customers. As you digitize, you are likely developing your own software, applications and analytics in order to function efficiently in a modern, multicloud environment. This is the new normal. According to IDC, 85% of cloud adopters are using multiple types of cloud deployments. What started out as a way to save money, has now become a strategic initiative for transforming businesses and enhancing experiences for both employees and customers.
With this transition to a multicloud world, fundamental cybersecurity assumptions are changing and that means defenders must think and act differently across procurement, solution requirements and operations.
You Can’t Protect What You Can’t See
While not a new problem, many organizations still do not have a clear understanding of just how much they’re consuming in the cloud (the average large enterprise uses about 730 individual cloud services and capabilities). Being able to determine which services and vendors are being used and subsequently which are the riskiest is crucial to your overall cybersecurity strategy. There are a broad and capable set of tools to provide visibility into cloud network traffic that can identify new services being used by employees. By understanding how employees use cloud services and applications can help reduce risk and exposure, from that information we know what to monitor and how to be prepared for a strategy that focuses on risk and resilience. After an organization knows the cloud services it is consuming and how it is being used, it can start to view and manage it like any other asset as a part of a holistic cyber risk framework. For example, investing the most time, money and resources to protect an area that is most vulnerable or is at high risk – monitoring it and preparing to detect and recover from attack.
Whether You Buy it or Build it…Risk Happens
In addition to consuming services from the cloud, businesses are also increasingly developing their own software as a part of their larger digital strategies. Commonly, they are using cloud services, or “cloudy” technologies and processes to do so. As a former software engineer, I know first-hand that IT and engineers will naturally gravitate towards the most modern ways available to build applications today. From containers to microservices to continuous integration/delivery, not only are businesses embracing clouds, they are embracing many of the modern underlying technologies and services prevalent in clouds today. Regardless of consuming external cloud services or building your own technology internally – they overlap at the same place – with concerns over security, trust, data protection and privacy. Which means even if you build it yourself, you cannot get away without injecting security, data protection and privacy into the core of all of your development practices. If you do not, ultimately, not only will it affect the risk management of your business, but your customers will soon start to demand that their vendors conduct, manage and are transparent about how they manage cybersecurity risk.
Enforce Policies and Change Employee Behaviors
I find many organizations struggle to modify policy and governance quick enough to keep up with the pace of their employees adopting new cloud capabilities. Just because your governance hasn’t kept up with the times, doesn’t mean your employees are not already using new cloud services. Hence the need to get visibility into your cloud network traffic. After you have a full picture of what you are consuming, clear development processes on how to build it yourself; a key component of risk mitigation is with data and privacy policies and processes. Simply put, employee training ultimately aimed at changing culture. For example, at Cisco we realized our employees were using various cloud services to store data. To minimize the risk of using untrusted services, we enacted a company-wide policy for a preferred vendor and encouraged employees to adopt this service. We integrated the service into Cisco with a single-sign on for a seamless end user experience. In conjunction, we also enforce data protection education and training so that our employees know how to classify, label and protect data as well as how to identify and report a potential breach.
Fundamentally, it all comes down to visibility, risk evaluation, and proper modern governance. We know there are a number of challenges for all organizations as they utilize a more nimble and mobile workforce and enhance customer facing offers. But with proper planning, strong controls and using scalable cloud-based security technologies, organizations can reduce their overall risk while also dramatically increasing the security posture of the environment as a whole.