
The Path to Trust and Security in the Multi-Cloud Era

Branded Content | 5 min read

The cloud is part and parcel of practically every organisation today, observed the CISO from the maritime industry who moderated a roundtable discussion of CISOs recently. Moreover, multi-cloud deployments are increasingly a must-have, for reasons such as the segregation of regulatory risks, he noted.

Titled “The Paradox of Trust: Balancing Data Security and Cloud Collaboration” and held at GovWare 2023, the invite-only roundtable was hosted by Thales and saw cybersecurity leaders discuss the importance of trust and data security as organisations turn to cloud collaboration.
 

The importance of trust

The importance of trust was highlighted when a CISO pointed out how skyrocketing scam cases are eroding the trust of the population. While some threat intelligence services can help when it comes to finding fake websites, they are unable to do anything about the proliferation of smartphone malware. 

“I wondered if someone could help me monitor [for smartphone malware]. My developers tell me: ‘It’s not my problem; it’s not even my app’. But whose problem is it when apps bearing the likeness of our brand proliferate or scammers pretend to be from our organisation?”

In addition, what happens when organisations push ahead with AI adoption without thoroughly examining its implications first? On this front, one CISO described his organisation’s full-court press with generative AI.

“Our management doesn’t just want to see things implemented, but they want to make sure that it is implemented using AI. They want to be seen using AI. So every product has AI in it. If there is some manual work, that's not the result they want,” he explained.

While there are undeniable use cases for AI, left unsaid are the many inherent – and unknown – risks of this nascent technology. The moderator summed it up this way: “From a cybersecurity point of view, a lot of information… is not suitable for dissemination outside the organisation. With AI, it is so hard to find balance.”

The allure of convenience

Another topic that surfaced was the allure of convenience and its tendency to foster a false sense of security over time. As one participant recalled, it was common some years back to lug along multiple physical bank tokens to access online banking services. Though virtual tokens worked well for a season, the mounting cases of smartphone malware have exposed their weaknesses.

He mused: “How do you balance security with usability?” 

As observed by Alex Tay, the ASEAN Head of the Cloud Protection Business Unit at Thales, practices such as scanning QR codes have become an ingrained habit. He shared an anecdote of a friend who refused to scan QR codes, including at the restaurant. While humorous at first blush, it highlighted the incongruity of the current acceptance of a practice that was never ideal from a cybersecurity viewpoint.


QR codes aside, Tay noted that the onus is on organisations to adopt a secure-by-design approach, and not be nonchalant or ignorant about vital cybersecurity considerations. He cited secret management as an example.

“When we talk to organisations, they often tell us they are unsure or say they have left the decision to their developers. Yet developers will often say their focus is on developing the app, and that secret management has nothing to do with them. From a risk management perspective, this is a nightmare for all the CISOs in this room – I feel this is a disaster waiting to happen,” said Tay.
 

Securing the multi-cloud

Are organisations paying enough attention to securing their cloud assets? According to Tay, many CISOs had in the past left it to their cloud providers, which did not see a need to work with security providers such as Thales. This limited options, though the situation has completely reversed over the last few years.

Public cloud providers now see the importance of integrating with the broader security ecosystem, says Tay. This means the same controls can now be used to secure workloads across more than one cloud, and seamless support for third-party solutions, such as top enterprise software, can be added.

There is no question that the ability to manage security across clouds is increasingly vital as organisations start moving towards the multi-cloud future.

As one CISO shared: “We’ve been on Amazon Web Services (AWS) since 2014. We are now slowly doing some stuff on Azure. Until recently, it wasn’t much of a priority to have a single pane of glass across both clouds because it’s predominantly AWS.”

“We could use AWS’ public tools to see what’s going on in the past. But as we start building up using Azure, as well as roll out on-premises deployments, it has become a priority to find a way to manage everything together.”
 

Parting words

Ultimately, the presence of security controls is crucial for value creation. “You have all these data that can create a lot of value. If you don’t grant access to these data to your users, they will not be able to do analyses or improve, and the data is of no use. But with access, you need to at least ensure you have the right controls in place,” says Tay.

For organisations seeking to improve their data protection, Tay shared an anecdote about an organisation he had previously spoken with about some baseline data protection systems. While the solution wasn’t costly, a desire to do a more substantive upgrade snarled the entire project, which ground to a halt from decision paralysis.

Unfortunately, the organisation subsequently suffered a data breach. Would this have happened if the baseline systems had been in place? It’s impossible to tell, but it is hard to deny that starting small in cybersecurity is infinitely superior to doing nothing.
 

About GovWare InDepth Roundtables

As part of GovWare’s continued effort to provide a rich and diverse platform for the ecosystem to collaborate and share insight into the current state of cyber, we launched hosted lunch InDepth Roundtables at GovWare 2023.

This platform provided invited leaders an opportunity to dive deeper into a specific challenge away from a large audience. The event includes a private 90-minute discussion that enables a more organic dialogue amongst peers to share insights alongside a technology practitioner contributing from a different perspective.

 

 
