Cloud Security Best Practices

April 19, 2021

Now more than ever, organizations need to prioritize a “cloud first” approach to enable their businesses to transform with agility, at scale. But every new public cloud instance has the potential to create a security storm. The default settings for a new cloud instance are unlikely to satisfy even the most basic security requirements of any business operation.

According to Accenture, while the cloud offers new opportunities to modernize services and transform operations, less than 40% of enterprises are achieving the full expected value from their cloud investments.

Security and compliance risks remain the biggest barriers to cloud adoption. Combined with difficulties in proactively addressing the complexity of secure configuration and a lack of skills, these challenges can be major obstacles to a journey that prioritizes the cloud.

What should business leaders do?

  1. Design and implement basic security controls to create a secure landing zone on the cloud solution provider’s platform;
  2. Design secure, reusable PaaS models for cloud solution providers, with built-in security controls;
  3. Combine the platform and services to bring together the customer’s existing enterprise security tools with operational processes and procedures.

How?

  1. By specifying which roles are authorized to operate in the environment and what they are authorized to do;
  2. By investing in secure connectivity to local data centers, using a “hub and spoke” network security model;
  3. By securing landing zone configuration policies through enforcement of cloud service provider platform security controls.

Cloud security can enable better business outcomes by being:

  1. Fast: Use native cloud service provider accelerators that allow security features and controls to be deployed in minutes or hours, rather than months.
  2. Frictionless: Incorporate security into existing solutions, business processes, and operational teams.
  3. Scalable: Apply automation and self-healing processes to reduce manual steps and break out of the employee augmentation resource model to allow organizations to scale.
  4. Proactive: Establish preventive controls to block accidental or malicious security incidents from occurring.
  5. Effective in reducing costs: Build security in from the outset to avoid the additional costs arising from the need to redo work.

“Certainly, everyone wants to be secure, and companies should always sin by excess, not by omission,” comments Ryan Wickham, managing director of Infrastructure Services at the consultancy. “But it’s important to try to do this in a way that doesn’t affect application performance and ultimately the user experience,” he adds.

Gartner projects that by 2025, 99% of cloud security failures will be the fault of customers, not vendors. These errors can often be attributed to misconfigurations. With the average cost of a cloud breach rising, it is clear that cloud cybersecurity must be addressed thoroughly and quickly.

Many enterprises do not understand the shared responsibility model of the cloud. In addition, variations in tools, features, and policies among cloud providers can complicate things.

According to a recent report on the state of cloud-native security, 73 percent of enterprises still struggle to properly define the security responsibilities of their cloud security provider and their own. The same report also noted that three-quarters of companies surveyed have cloud security tools and solutions that are being overrun by threats.

In the opinion of the Accenture team, security professionals must ask the right questions from the start: Buy versus build? How much native? How to choose the right models and partners? How to ensure secure interoperability between cloud and legacy? When to replicate security controls instead of abstracting them, and how to drive consistency in security operations?

These are all questions that need to be considered in advance of the journey to the cloud. And while mitigating risk and protecting data in the cloud is a priority, security must be incorporated consistently. Often, it is added only at the end of the journey and ends up impacting business results.

Make no mistake, migration to the cloud is complex. It needs a formal strategy and strong governance. But the rewards are many and worth it: your company can enable security features and controls in minutes instead of hours, and act without friction. You can be more proactive in preventing malicious security incidents. And scale up quickly by applying automation and self-healing processes to reduce manual steps.

Still, in the opinion of the Accenture team, the following four steps can guide any journey that prioritizes the cloud and introduces security at speed and scale from the start.

  1. Know the right cloud security posture for the enterprise. Quickly identify gaps and establish a risk-aligned architecture and roadmap for basic cloud security that optimizes current technology investments.
  2. Automate native security. Automate the deployment of security protections with pre-built accelerators for cloud-native services, including AWS, Microsoft Azure, and Google Cloud.
  3. Be proactive with compliance. Optimize detection and streamline cloud security operations. Mitigate risk with cloud service providers (CSPs) to align with regulatory requirements.
  4. Employ security monitoring and response. Monitor the public cloud cost-effectively and at scale, using security tools and use cases to address evolving threats and complex regulatory requirements.