By Ameya Khankar, Cybersecurity Consultant for Critical Infrastructure
Companies undergoing digital transformation have decided to take the plunge into modernizing their core product offerings. It can be an arduous process, but it gives organizations the unique ability to reimagine their business. They can implement modern digital best practices and set themselves up for continued success.
Part of that transformation process involves improving security. Companies undergoing digital transformation in 2023 likely aren’t secured for modern security threats, especially not in the cloud, and have the opportunity to improve those controls.
CISOs should prioritize improvement in cloud security controls and access management in the cloud environment. Lax cloud security and access management controls have verifiable consequences as highlighted by high profile data exfiltration events that have hit Fortune 500 organizations in the past few years.
In this article we’ll outline how digital transformation efforts prime security focused organizations for effecting change and why they should drive those changes.
Digital Transformation Efforts Prime Organizations for Continued Success
Digital transformation efforts are typically more than just lift-and-shift propositions, even if positioned as such. They frequently involve evaluating the business model and restructuring application architecture and refining elements of the code base to optimize them for cloud scalability and resilience. Doing so saves on unanticipated costs.
It’s an opportunity for CISOs to reevaluate security posture and improve on security controls. Cloud services often include robust security safeguards and infrastructure that need to be configured and managed appropriately for sustainable security environments. These cloud security measures are critical.
Placing assets in the cloud ostensibly opens new and broader potential for access if environments aren’t configured and secured appropriately. Erecting impediments to compromising sensitive data is important.
CISOs also need to ensure that the business continuity benefits of cloud hosting are realized. One of the main benefits of migrating assets to the cloud is the ability to failover to hot storage backups, scale those resources, and also have access to frequent cold storage backups. Failing to configure a cloud environment to utilize this functionality and its benefits may mean a missed opportunity with potential downsides.
Cloud environments also offer enhanced capacity for event logging and compliance monitoring. Major cloud services offer both and integrate well into numerous security monitoring and alerting infrastructure stacks. They also offer on-the-fly modification to compliance settings to ensure that sensitive and even highly regulated data is secured as needed. These compliance settings also streamline organizational audits by exposing relevant information to internal teams for monitoring.
Where CISOs can improve asset security and save resource investment, the result will be a foregone conclusion to improve security.
Significance of Cloud Security and Access Management
Cloud services are an essential aspect of digital transformation initiatives. Those services allow organizations to improve agile product delivery, resilience, scalability, and cost efficiencies. Cloud environments are complex and dynamic, making it challenging to secure them against cyber threats.
Cloud security refers to the set of practices and technologies designed to protect cloud-based data, applications, and infrastructure. The risks associated with cloud security include data breaches, misconfigurations, and insider threats which can lead to unauthorized access and misappropriation of information.
Access management is a crucial subset of cloud security concerned with ensuring that only authorized personnel can access the cloud-based resources, data, and applications they’re authorized to access. Access management involves the processes and technologies that manage user identities, permissions, and authentication and authorization to control access to cloud resources.
Identity and access management (IAM) solutions are a critical component of access management in cloud environments. IAM solutions provide centralized management of user identities, authentication, and authorization policies. They help standardize and enforce a canonical basis for access controls whether that is role-based, attribute-based, or relationship-based.
Multi-factor authentication (MFA) is another critical component of access management that can help mitigate the risks associated with weak passwords and unauthorized access. It’s become a de facto standard for mitigating authentication risks by requiring the use of an additional access token that should be unique to the end-user.
In some cases, on premises or collocated technology implementations can accommodate these technologies without a great deal of change. In other cases, they cannot. CISOs need to evaluate the security capacity of software technology to be migrated and modified in the context of their new environment. If those security measures aren’t feasible in the cloud or would be overwhelmingly difficult to implement, CISOs need to emphasize the criticality of focusing on the safeguards.
Why CISOs Need to Prioritize Cloud Security and Access Control
Many organizations don’t prioritize improved security measures. They also don’t focus on modifying access control schema. There are many perceived reasons why security ends up on the digital transformation back-burner.
First, cloud security is novel. Organizations with heavy on premises or collocated infrastructure aren’t experts in the new cloud security technologies available to them. Where organizations have to make an investment in training on revised architecture and application design to reduce costs, they may think that they don’t have to do the same with security. Bafflingly, they may make the decision that old security practices are ok when nothing else is old about the technology stack.
The impact is tangible: security practices that are outdated or ill-suited for a cloud environment can result in the compromise of that environment. This is an educational and political hurdle and one CISOs need to overcome by enlightening their technology peers about the pitfalls of poor cloud security posture. Additionally, that education needs to highlight the architectural complexity of “fixing” security after the fact.
Second, cloud security can become a cost function. Many organizations stop their evaluation without realizing that additional cost is minimized and the return on investment maximized when cloud security is implemented during migration stages. Conversely, that cost is maximized and return on investment minimized when security is implemented as an afterthought to the cloud migration effort. As highlighted above, cloud security may require re-architecture of the underlying migrated assets. Failing to address that during the migration will result in increased and duplicative costs.
Some organizations may decide the additional cost isn’t worthwhile. That’s a penny-wise, pound-foolish approach in the extreme. Failing to implement those cloud security practices leaves the environment open to attack which can result in extreme costs to remediate an attack and support client efforts to do the same. Cyber-attacks are a matter of when and not if, so it’s a foregone conclusion that a cyber-attack will happen. Preparing a solid defense pays dividends down the road in mitigating the blast radius of the attack.
Third, the best time to train a security team is during implementation of new resources. Training a security team after resource implementation, like a large-scale migration project, leaves the security team in the dark for how to best protect the environment and support infrastructure. That training failure ensures that industry standard security practices can’t be implemented and therefore the environment won’t be reasonably safeguarded. That’s critical, say, in a post-breach event class action suit where plaintiff’s counsel will want to understand whether or not those reasonable safeguards were in place.
Including security training credits or courses prior to a migration effort should be top of mind for CISOs. It’s unlikely a migration would be undertaken without some kind of training and cloud security infrastructure training needs to be included in that. Including security training at the outset also helps lock in predictable pricing for that.
CISOs need to rally and focus organizational leadership around the need for robust security and access controls at the outset of a digital transformation project. Those considerations should be developed and implemented in parallel with other transformation initiatives. Once the digital transformation project is complete, it may make accommodating adequate cloud security a difficult objective.
If adequate cloud security isn’t in place at the outset of a digital transformation project, it places those corporate assets at substantial risk. Organizational leadership needs to understand that the risks in a generally public cloud environment are more significant than the risks for on premises or collocated infrastructure and assets with easily definable ingress and egress points. Improper security and access configuration can proliferate access points and expose mission critical operations or information for compromise.
CISOs need to make a robust case for improved and modified security and access control considerations at the outset of a digital transformation project. Security and access in the cloud environment is qualitatively different than in an on-premises or collocated environment. The risks are also more substantial in a cloud environment, which is designed to facilitate broad client access.
Digital transformation projects are the perfect time to implement improved security measures. Other aspects of on premises or collocated assets will be modified to account for the new realities of cloud hosting. There’s no reason security and access controls shouldn’t be included in those efforts. CISOs need to advocate for those changes and ensure that they’re implemented. Those changes can make or break digital transformation initiatives.
About the Author
Ameya Khankar is a global expert in the areas of business technology and cybersecurity access management. His deep expertise in the area of technology risk, cloud access management, enterprise transformations, and digital governance has helped numerous global enterprises strengthen their cybersecurity posture and improve their risk management practices. Ameya has advised several F500 organizations in the past with defining their business transformation and enterprise security strategies. He has been awarded the prestigious Indian Achiever’s Award for Cybersecurity which is recognized by the Government of India and the Cybersecurity Excellence Award which is recognized by the National Institute of Standards and Technology (NIST) part of the U.S. Department of Commerce.