Cybersecurity in a multi-cloud environment isn't easy says Oliver Wyman. Source: Shutterstock

Cybersecurity in a multi-cloud environment isn’t easy says Oliver Wyman. Source: Shutterstock

How do you manage cybersecurity in a multi-cloud environment?

MOVING to the cloud is an important step in the digital transformation journey of any organization. However, given the increasing complexities of the cloud environment, businesses find themselves facing increased cybersecurity risks.

In today’s world, sticking to just one cloud provider isn’t feasible. Multi-cloud is becoming a reality because there are also many appealing SaaS solutions that make life easy for enterprises.

“Enterprises need to determine if they plan to go multi-cloud or not. There are pros and cons to going multi-cloud. From a security perspective, it tends to add some additional considerations for companies,” Oliver Wyman Partner — Head of APAC Darren Thayre told Tech Wire Asia.

For example, each cloud provider handles security differently, they have different products, and varying degrees of maturity. When companies adopt a multi-cloud strategy, they need to consider all of the same controls. for each provider. This increases the risk and compliance effort.

It also means that organizations need to have the talent, skills, and resources to understand multiple provider offerings in depth.

Discuss cloud security from the very beginning

“My suggestion is to invest early in defining your cloud controls and also in security automation talent. Doing so can minimize the manual tasks, and maximize the efficiency of security in a multi-cloud world.”

Thayre often finds that businesses don’t tend to discuss security at the initial stages of their cloud strategy. The discussions are usually driven by developers or infrastructure demands instead.

“Whilst this is a sensible incubation point for the cloud, I encourage firms to involve security from the very beginning.”

“I’ve seen very strong engineering teams take six to 12 months before they are proficient at using the cloud. When you bring security in late, you are putting them at a disadvantage in terms of them being ready to support the organization’s cloud ambitions.”

Although most business leaders talk about cybersecurity risks and concerns, security is still an afterthought when making IT investments. That needs to change, and businesses need more security professionals to help with that.

Headcount in security teams needs to keep pace with IT investments

“We are not seeing headcount in security teams keep up with the pace of IT investments across most organizations, so you have more people leveraging cloud and being innovative than most security teams can cope with.”

The cloud organizations an opportunity to reinvent the way cloud security is done, especially using automation. Hence, security teams can embed their security controls in templates and lock down how developers can build things.

“This allows the organization to be proactive rather than reactive, but it takes good cloud and good engineering skills to achieve.”

Thayre, who is speaking at the upcoming ConnecTechAsia 2019 conference in Singapore, advises organizations to ramp up their in-house security teams. In the meanwhile, he suggests organizations leverage cloud partners to ensure compliance with best practices while migrating to the cloud.

Companies need strong security teams. Not just to help them secure the IT infrastructure but also to ensure it can keep pace with the innovations that cloud providers make.

“One of the challenges [to cybersecurity on the cloud] is that the cloud providers innovate at such a pace that they are forever enhancing their services. That gives you some challenges and some opportunities.

“The opportunity is that perhaps the new innovations may help you with securing things better/faster/cheaper. However, the challenge that presents is you also need to try and keep up to speed with those new releases.”

Most organizations, however, are so busy keeping the lights on that they don’t allow staff enough time to try new things.

“Security teams need to carve out and protect innovation time, so they can experiment with new services.”

“The firms that make that shift, will be the ones where security is seen as a business partner and even a competitive advantage,” concluded Thayre.