The Path to Trust and Security in the Multi-Cloud Era

The cloud is part and parcel of practically every organisation today, observed the CISO from the maritime industry who moderated a recent roundtable discussion of CISOs. Moreover, multi-cloud deployments are increasingly a must-have, for reasons such as the segregation of regulatory risks, he noted.

The importance of trust

The importance of trust was highlighted when a CISO pointed out how skyrocketing scam cases are eroding the trust of the population. While some threat intelligence services can help when it comes to finding fake websites, they are unable to do anything about the proliferation of smartphone malware.

The allure of convenience

Another topic that surfaced was the allure of convenience and its tendency to foster a false sense of security over time. As one participant recalled, it was common some years back to lug along multiple physical bank tokens to access online banking services. Though virtual tokens worked well for a season, the mounting cases of smartphone malware have exposed their weaknesses.

As observed by Alex Tay, the ASEAN Head of the Cloud Protection Business Unit at Thales, practices such as scanning QR codes have become an ingrained habit. He shared an anecdote of a friend who refused to scan QR codes, including at the restaurant. While humorous at first blush, it highlighted the incongruity of the current acceptance of a practice that was never ideal from a cybersecurity viewpoint.

QR codes aside, Tay noted that the onus is on organisations to adopt a secure-by-design approach, and not be nonchalant or ignorant about vital cyber security considerations. He cited secret management as an example.

“When we talk to organisations, they often tell us they are unsure or say they have left the decision to their developers. Yet developers will often say their focus is on developing the app, and that secret management has nothing to do with them. From a risk management perspective, this is a nightmare for all the CISOs in this room – I feel this is a disaster waiting to happen,” said Tay.

Securing the multi-cloud

Are organisations paying enough attention to securing their cloud assets? According to Tay, many CISOs had in the past left it to their cloud providers, which did not see a need to work with security providers such as Thales. This limited options, though the situation has completely reversed over the last few years.

Public cloud providers now see the importance of integrating with the broader security ecosystem, says Tay. This means the same controls can now be used to secure workloads across more than one cloud, and seamless support for third-party solutions such as top enterprise software solutions could be added.

There is no question that the ability to manage security across clouds is increasingly vital as organisations start moving towards the multi-cloud future. As one CISO shared: “We’ve been on Amazon Web Services (AWS) since 2014. We are now slowly doing some stuff on Azure. Until recently, it wasn’t much of a priority to have a single pane of glass across both clouds because it’s predominantly AWS.”

“We could use AWS’ public tools to see what’s going on in the past. But as we start building up using Azure, as well as roll out on-premises deployments, it has become a priority to find a way to manage everything together.”

Parting words

Ultimately, the presence of security controls is crucial for value creation. “You have all these data that can create a lot of value. If you don’t grant access to these data to your users, they will not be able to do analyses or improve, and the data is of no use. But with access, you need to at least ensure you have the right controls in place,” says Tay.

For organisations seeking to improve their data protection, Tay shared an anecdote of an organisation that he previously communicated with about some baseline data protection systems. But while the solution wasn’t costly, a desire to do a more substantive upgrade snarled the entire project, which ground to a halt from decision paralysis.

Unfortunately, the organisation subsequently suffered a data breach. Would this have happened if the baseline systems were in place? It’s impossible to tell, but it is hard to deny that starting small in cybersecurity is infinitely superior to doing nothing.