The Art of Securing the Cloud Ecosystem: Why it’s Time for Change?

Written by Trend Micro 

Times are changing pretty fast and the corporate network perimeter, and all the certainties it guaranteed for cybersecurity professionals is gone. Today it has been replaced with a more fluid, dynamic environment designed to support digital transformation efforts and drive innovation-fuelled growth for the business. This new IT world revolves around hybrid cloud systems, microservices architectures, DevOps and infrastructure-as-code.

But with these seismic shifts in the way we do IT comes major changes in the way business-critical data and systems must be secured. This will demand a new approach to manage risk in a cloud-first world.

A new era

There’s no doubt we now live in a cloud-centric age. The benefits of the cloud are by now well understood, combining IT efficiency and flexibility with cost savings and scalability. This empowers organisations as diverse as utilities, retailers and even healthcare providers to optimise business processes and improve employee productivity, as well as offer innovative customer-centric services to drive growth.

Peel back the surface of corporate IT systems today and you’ll see a complex heterogeneous mix of legacy physical servers and multiple hybrid cloud systems. To help manage this complexity, organisations are turning to containers and microservices to help them better integrate hybrid clouds and develop new applications more efficiently.

Where challenges arise

This radical transformation in the way IT is delivered and managed comes with a new set of risks. The cloud providers themselves have great in-house teams and their datacentres are accredited to the highest security and operational standards. But security is not all their responsibility.

Although cloud computing allows organisations to outsource much, they cannot outsource responsibility — a fact confirmed by GDPR regulators. In reality, the cloud ecosystem is becoming as complex, if not more so, than the on-premises one it is starting to replace, as firms build out environments across multiple providers.

In some cases, cloud providers themselves add extra complexity. Every week or two another organisation hits the headlines for failing to secure a sensitive cloud database, effectively exposing information to the public-facing internet. In-house teams simply aren’t adept at correctly configuring such accounts from the myriad of options they’re presented with.

A dynamic problem

This isn’t the end of the story for IT security bosses. The new cloud world is volatile and fast-moving — demanding a step change in how they respond. Cloud workloads are dynamic in nature, for example, creating problems that traditional security processes and tools are ill-equipped to tackle. How do you keep track of these fast-changing workloads? Today you might have a simple webserver which doesn’t require much protection, but tomorrow it could form part of your highly regulated e-commerce environment. Adapting your security posture to keep up with such changes is a major challenge.

Time for change

What does all of this mean for your organisation? It means that cloud adoption must go hand-in-hand with cybersecurity. A good place to start is to understand the shared responsibility model, picking apart your cloud contracts so that it’s 100% clear which parts of the cloud environment your organisation must secure. Next, look to Cloud Security Posture Management (CSPM) tools to help provide that crucial insight into your existing infrastructure and where key misconfigurations have been made. Consider also utilising the power of infrastructure-as-code for security, with API-driven services that embed controls seamlessly into DevOps pipelines, to detect threats prior to and during runtime. Finally, having one platform in place that collects and correlates activity across endpoints, email, servers and cloud workloads will allow for a superior level of detection and protection.

There’s no going back to the certainties of old. Organisations must therefore embrace the new, and find a way to minimise cyber risk without impacting innovation and business growth.