Secure cloud transformation: Five foundational pillars

By David Guest, Solution Architect and Technology Evangelist at Kocho.

Tuesday, 18th October 2022. Posted by Phil Alsop.

Cloud deployments are booming, largely thanks to advances in digital technologies and the need for companies to support remote and hybrid working; trends which were both accelerated by the Covid pandemic. The Office of National Statistics reports that 85% of employees now expect options for hybrid work, confirming that demand for flexible cloud-based services, which employees can access from anywhere, will remain buoyant even as memories of the pandemic fade.

However, these new digital and cloud-based services are raising the level of alert around cyber security threats. With no traditional perimeters to defend – and with a growing reliance on third-party cloud service providers – businesses may find it more difficult to identify and thwart threats. Yet organisations that halt their digital transformation plans because they fear they are too risky will find themselves falling behind their competitors. For example, Gartner forecasts that, by 2025, cloud native platforms will provide a foundation for over 95% of new digital initiatives. There’s simply no avoiding the cloud for companies that are focused on innovation and driving efficiency gains.

With the perimeter gone, cyber security teams face new threats and need to adopt new techniques to meet this challenge. One approach is to introduce and follow the secure cloud adoption framework (S-CAF). Based on the following five key pillars, this framework addresses all the main aspects of cloud security, namely:

Pillar 1: Zero-trust

Zero Trust assumes that all users, devices and activities are malicious until proven otherwise. This may sound extreme, but with threats and exploits appearing much more rapidly than fixes and patches, a ‘trust no-one’ approach is required to ensure all user requests, whether they are unusual or routine, are authenticated.

Pillar 2: Strong detection and response

With cyberattacks growing in both number and sophistication, it is perhaps inevitable that hackers will, on occasion, breach organisations’ infrastructures. In preparation for this, it is important to bolster detection capabilities so threats can be detected early and mitigations can take place before any serious or long-lasting damage is done.

Pillar 3: Protect all assets

Companies must also introduce appropriate policies and processes that cover all of their assets for all of their respective lifecycles. Looking at these policies through the lens of cyber security, assets requiring protection include all software, hardware and corporate data, wherever it is held.

Pillar 4: Governing identities

Having a precise overview of every user’s access permission is pivotal too, but this can be a challenge, particularly for larger organisations that will have a steady stream of employees leaving, joining and moving roles. Speedy governance of access rights decreases the window of opportunity for employees to abuse the system, regardless of whether their behaviour is intentional or inadvertent.

Pillar 5: Extend innovation to security

A digitalisation project might be seen as a one-off event, yet cyber security should always be considered a journey rather than a destination. As such, DevSecOps becomes a fundamental requirement.

DevSecOps explained

Navigating a successful digital transformation programme that is based on the S-CAF model requires the incorporation of security controls and measures in every area of an organisation’s operations. This is where DevSecOps plays a key role, offering an economical approach to safeguarding systems from attackers. For cloud environments, which are often procured by lines of business without the IT department’s knowledge or scrutiny, DevSecOps is an absolute imperative, as it ensures misconfigurations are identified and remediated in the shortest possible timeframe.

In order to successfully integrate DevSecOps into their operations, businesses need to analyse and continually re-analyse their entire infrastructures from the moment they embark on their transformation journeys. These ongoing assessments must extend beyond data to take into account how employees utilise organisational assets, be they digital or physical. Adding DevSecOps policies at the architecture level is also important, as it means policies can evolve alongside a cloud transformation programme, ensuring growth is not hindered by outdated guidelines.

DevSecOps allows processes to be dynamic and tailored to each business, with consideration of its individual requirements, infrastructure and specific applications. Consequently, activating the necessary security controls when migrating from on-prem to single or multi-cloud architecture is the key to developing those areas. Covering the technical assets should be done first before integrating concepts such as Zero Trust, and equally taking care of threat detection, identity, and governance can be done further along in the cloud transformation journey.

Conclusion

The S-CAF model is not the only option available to reduce the security risks associated with switching to the cloud, but it is an inclusive, balanced and effective approach. The five foundational pillars can be applied to organisations of all sizes, operating in any industry, while providing security teams with a solid yet flexible framework that should help them counter both current and future challenges.