What started as a relatively simple extension of traditional security principles into ‘the cloud’ has become far more complex as cloud vendors introduce bolt-on security services, siloed in their native environments. COVID-19 has compelled enterprises to ramp up cloud-based working, which means data sets and applications are spread across generic public cloud, the so-called ‘Secure Public Cloud’ and private equivalent versions. The original vision of a move ‘to the cloud’ has evolved into today’s world where organisations routinely use more than one cloud provider – a hybrid/multi-cloud approach. Things get confusing when contracts include security monitoring services delivered by different stakeholders ‘baked in’ to siloed systems. So how can Boards understand their overall security risk?
Every organisation must bring these environments, applications and datasets to a common standard and integrated security posture, rather than leave them as standalone pieces. As the threat landscape evolves, cyber security must be orchestrated to enable digital transformation.
Security in the post-COVID-19 era
Making sense of the new normal brought about by COVID-19 has profound implications for future modes of work. Many enterprises, such as healthcare organisations, have upended technology roadmaps, achieving lasting changes in weeks that would previously have taken years, including far-reaching deployment of Microsoft 365, with video consultations and digital workflows replacing wet signatures at pace.
While much of this is positive in the unprecedented context of the pandemic, to what extent must new working practices be re-validated with due diligence, including security risk assessment? Digital investment complicates the security challenge, since COVID-19 ways of working demand both scale and security to ensure organisations get the resilience they need to survive.
New security questions
Today, sensitive data is produced, collected and shared everywhere. How do Boards ensure that the right security is in place to protect that data and safeguard their reputation? The answer must be to enforce secure sharing of sensitive data both within and between different cloud environments, in line with how the needs of the business have changed since COVID-19.
It’s important to understand how an organisation has applied cloud-based ways of working. For example, what new responsibilities and functionalities have been given to both employees and customers? These aren’t just security or even technology issues; COVID-19 has changed business decision-making on how all stakeholders get what they need from an organisation. Nowadays, customers, staff and shareholders expect to fully connect with their business digitally.
The National Cyber Security Centre’s (NCSC) 10 Steps to Cyber Security and its 14 Cloud Security Principles offer organisations a methodology for investing in the right security controls in the right places quickly, while laying the foundations for future-proofing IT infrastructures as artificial intelligence technologies advance.
Digital solutions for cloud security
Orchestrating security across the true footprint of an organisation’s digital operations. Boards must invest in security risk mitigation across all cloud environments, SaaS applications, internet access, mobile users and remote locations through a cloud-delivered model. This means being able to predict, prevent, detect and autonomously respond to security and compliance risks without disrupting how users, developers and network administrators perform their work.
Safeguarding how data moves across cloud environments between users and the services they access. Cloud Access Security Brokers (CASB) enable organisations to manage user access privileges, enforce data migration controls and gain insight into which cloud services are in use across the entire organisation. They show user activity and data-sharing over time, effectively establishing a baseline and alerting on what can then be identified as anomalous behaviour.
Rapid threat diagnosis and context-aware interpretation so that organisations can monitor, predict and pre-empt cyber threats as they emerge. As threat analytics becomes faster and more insightful by using artificial intelligence to learn from each security alert and incident, Security Orchestration, Automation and Response (SOAR) enables automated playbooks to take immediate action to reduce Mean Time to Respond (MTR) metrics. Human intervention and analyst tradecraft remain crucial, so Boards should invest in tools to do the heavy lifting, thereby releasing expensive human resources to concentrate on issues that require human decision input, such as investigation and remediation tasks.
Cyber security ecosystem
Key to success is to create a cyber security ecosystem that operates end-to-end. This means not just integrating IT infrastructure, but also the contracts and business decision-making to align security strategy with policy, systems design and commercials associated with incident resolution. Organisations now have an important opportunity to review what has changed since COVID-19 began, to inform both their choices and risk appetite to prosper in the future.
Whatever partner and supplier arrangements Boards choose to make, security must be orchestrated around how the business operates, not just what the IT infrastructure looks like. In a post-COVID-19 world, security is baked into how risk and operational resilience are managed across the business, not a simple add-on to existing commitments.