Intelligent CIO Europe Issue 78 | Page 77

FINAL WORD
For the third-party cloud vendors there is only so much a CIO can do. They will certainly go through their vendor risk management process, and perhaps be able to get additional data from the vendor. This feeds into the risk decision from the CIO and establishes if there is sufficient trust to share your data with this vendor.
If the sensitive data is stored within the CIO's own applications, they have a wider range of tools available to meet the security requirements. Firstly, having a robust application security (AppSec) program and security architecture can reduce exploitable vulnerabilities. Going beyond traditional, must-have static application security testing (SAST) solutions, a mature AppSec platform that secures applications from code to cloud is critical. This, combined with robust logging and security analytics, can provide robust data security in the CIO's cloud environments.
A CIO often must accept the business they have, and that isn't the business they wish they had. A CIO is a very busy person for any moderately sized organisation, so perhaps the most effective tool to protect sensitive data is simplicity. Minimise what is considered sensitive; make the security requirements clear, achievable and measurable; and establish a set of trusted vendors that you can rely on.
Underlying all of this is ensuring that your organisation has a set of easy-to-understand policies around data security, and that your employees are trained. If everyone is on the same page, it makes this process much easier.
Trevor Dearing, Director of Critical Infrastructure at Illumio
As organisations continue to invest heavily in the cloud, the responsibility is falling on CISOs to make sure that their security posture is up to scratch. Research indicates that nearly half of all data breaches originate in the cloud, with the average organisation that suffered a cloud breach last year losing nearly US$4.1 million.
Beyond financial losses, the repercussions of cloud breaches extend to reputational damage, sensitive data loss, and decreased productivity, leading to an urgent need for robust security measures tailored to the cloud environment. With the majority of businesses today holding their most critical data and high-value applications in the cloud, there needs to be a fundamental shift from the reactive measures of old to a more proactive approach to breach containment in the cloud.
Traditional security tools are increasingly falling short in addressing the dynamic and interconnected nature of the cloud. Organisations should take a strategic approach to integrating cloud security with existing approaches. While the security needs of the cloud itself are unique, the security of the data should be consistent across the hybrid infrastructure. Adopting a Zero Trust approach across the entire estate protects the data while adopting specific cloud security techniques.
It is easy to put faith into the shared responsibility model when it comes to cloud security, but the concept is frequently misunderstood. Security is not solely the cloud provider's responsibility and risk cannot be outsourced. Cloud security providers (CSPs) are only responsible for their own systems which, in a multi-cloud environment, means that there is an uneven handshake between businesses and providers. IT teams must therefore be more proactive in securing their own assets and embrace a uniform approach to security across all environments.
IT teams should prioritise security measures which support multiple cloud providers to prioritise uniformity, such as Zero Trust Segmentation (ZTS). Rooted in the Zero Trust principle of 'never trust, always verify', ZTS offers a granular and adaptable approach to security, providing organisations with enhanced visibility, control, and resilience across hybrid and multi-cloud environments.
With ZTS, organisations can easily visualise their cloud workload connectivity, including traffic flows across managed and unmanaged workloads. It also allows proactive segmentation of the network, which makes it easier to contain attacks and reduces the area needed to investigate in the response process.
Aside from investing in new tools, CISOs must ensure that teams are educated on effective cloud security measures. This avoids the common oversight of employees not being able to identify and rectify misconfigurations which can open the floodgates to a breach. Organisations should work to transform employees from potential security risks into active and informed participants within the security posture.
This is best achieved through regular training sessions and keeping staff updated with new trends in the threat landscape. A well-informed team can significantly mitigate an organisation's risk and increase overall cyber-resilience, helping any CISO to sleep at night.
www.intelligentcio.com INTELLIGENTCIO EUROPE 77