Public cloud is a key strategic tool for many organisations, especially those that use it to introduce new products.
It provides a robust, reliable infrastructure and platform that doesn’t require significant upfront, capital investment from businesses. It dramatically reduces much of the risk that was previously associated with introducing new products because businesses no longer have to invest in purchasing, setting up, and maintaining that infrastructure.
Furthermore, public cloud lets developers move at speed and at scale. This is delivering unprecedented competitive advantages to organisations of all sizes and in all industries.
With the importance of public cloud indisputable and growing, it’s crucial for CSOs to be conscious of securing public cloud deployments. This means CSOs and security teams need to build stronger, closer relationships with product development and IT teams. Doing so will help avoid situations where those teams, excited by the possibilities, move forward with deployments that are potentially not secure.
Most CSOs are aware that public cloud providers deliver a high level of basic infrastructure security. In fact, many public clouds have a stronger security posture than private clouds. This is because public cloud providers have the budget and scale to invest in strong security tools and solutions.
This doesn’t change the fact that each organisation is responsible for the data and workloads they put in the cloud. On this shared responsibility model, CSOs need to be involved with product development early in the process to make sure security considerations are satisfied at all stages of product development. Ideally, a product should never reach an end user without a well-considered, strategic security approach built in.
This can seem overwhelming for organisations, particularly those that choose public cloud precisely because they don’t have unlimited resources to allocate to these initiatives. Adding a requirement for comprehensive security can seem like an unnecessary burden. However, in an era where cyberattacks are becoming both more common and costlier, being able to point to impenetrable security features in a product can deliver a significant competitive advantage for the organisation.
To achieve a strong public cloud security posture, organisations need to focus on five key elements:
1. Demonstrate the value of partnering with the security team
Development teams are often reluctant to work closely with security teams due to a misperception that the security aspect will slow down development or stymie creativity. However, development teams must also understand that prevention is far better than cure; having to redesign a product after it’s already been launched due to customers’ security concerns will invariably add time and cost to the project, and could damage the company’s reputation in the process.
It's therefore important for production and development teams to collaborate with security teams right at the beginning of a project. This collaboration should continue throughout the project and be considered business as usual when it comes to developing new products. Over time, this collaboration will become even more efficient and the net results will be seen once the product is in use and has demonstrated its security capabilities.
2. Understand the development lifecycle
Security teams need to understand how the production and development teams approach product development because it can vary wildly. By demonstrating an investment in understanding the development lifecycle, security teams can both improve their approach to implementing security controls within the product, and improve their cross-team relationships.
Security teams should ask for more information about the development process so they can offer useful recommendations. And, by flagging potential security concerns and measures that might be required during the discussion stage, security teams stand a better chance of gaining buy-in and cooperation from the development team when it comes time to build those security aspects in. This includes threat modelling, building the capabilities, identifying requirements for security testing, and planning for security monitoring once the product has launched. Addressing these issues upfront makes them easier to resolve throughout the project.
3. Incorporate testing
The only way to know whether a product is secure is to test it. Testing at a single point in time reveals only how secure the product is at that point. Instead, security teams need to let production teams know that they’ll need to incorporate security testing throughout the product development lifecycle, including after the product is launched.
Continuous testing is essential so that the developers can find the security issues before attackers do. Waiting until vulnerabilities are exposed by malicious actors puts customers at risk which, ultimately, puts the business at risk. It’s therefore recommended to continue testing even after the product is live in the cloud.
CSOs must remember that public cloud offers different types of services, each of which has a unique set of security implications and scenarios that must be tested and solved for.
4. Ensure continued visibility
Preventing cyberattacks is the key so it’s important to monitor activity. It’s also important to remember that the threat behaviour is often the same regardless of whether products are hosted in the cloud or not but it’s not always possible to use the same preventative measures that would work for on-premise workloads, for example. Conventional methods aren’t necessarily appropriate, so it’s important for security teams to tailor measures specifically for the cloud and to ensure continued visibility.
Without visibility, it’s extremely difficult to identify and prevent attacks, especially as they become more sophisticated. It’s crucial to have the right logging and monitoring capabilities in place from the very beginning, then leverage automation and other emerging security tools and processes.
5. Develop a comprehensive response plan
Cloud security should no longer be an afterthought in any organisation. In fact, it should be a clear priority set at the board level because the ramifications of a successful cyberattack can be massive, both financially and reputationally. This puts cybersecurity firmly in the realm of risk management for boards. Security teams must have an open dialogue with c-level executives and the board so they can work together to identify and manage cyber risk.
Part of this includes developing comprehensive playbooks and an incident response plan to address and manage the scenarios that could occur. CSOs need to identify key stakeholders and determine how to engage them if a cybersecurity incident happens. Working with these stakeholders to keep the public cloud environment secure will help businesses operate without undue fear of cyberattacks.
Addressing these five elements will let businesses leverage the agility and flexibility of the cloud to bring new products to market faster and more securely, leading to an important competitive advantage.