According to Atul Gupta, Leader – Cyber Security, KPMG in India, the major risks that companies embarking on their cloud journeys should keep in mind include data security, regulatory compliance, technology ecosystem expansion and the lack of a stable environment, vendor lock-in, managing costs, and operational models that have yet to be stabilized in the cloud environment.
Multi-cloud environments offer enterprises many advantages, especially when they want to mix and match software for optimization. They give the option to combine multiple providers, such as AWS, Microsoft Azure or Google Cloud, for internal applications to gain performance, scalability and cost savings.
“While the Hybrid Cloud addresses many critical business requirements around control, speed, cost and performance, organizations must ensure they adopt the right security policies and technologies to provide them with a holistic view to manage their security across dispersed infrastructure,” said Viswanath Ramaswamy, VP – Technology Leader, IBM India and South Asia.
Because data is constantly exchanged between multiple clouds, it is vital to protect sensitive data with multiple layers of security.
Securing sensitive data in a multicloud environment
Anil Nama, CIO, Cloud4C, outlines some common challenges that organisations face: security settings, options and tools are different for each cloud provider, preventing complete visibility in a security analysis; cloud providers have their own security standards and limitations; IT employees don’t understand multiple cloud environments and often make mistakes with security configurations; manual deployment won’t work across multiple cloud environments; and data encryption and backups are not centralized.
Nitin Mishra, Head of Cloud services, NTT Ltd. in India, believes that cloud-based security, complemented with host-level security and security practices such as regular patching and vulnerability analysis, can ensure a high level of security.
“Google security, Akamai are some examples of cloud-based security providers. In addition to using such services, it is imperative to have a 24*7 Security Operations Center equipped with tools and skills to ensure compliance with security practices across and address any threat that escapes all security barriers like a zero-day attack,” he said.
IBM’s Ramaswamy believes that organizations need to establish visibility and control to manage a cohesive hybrid, multicloud security program that is aligned to their business need and protects assets such as identity, data, and applications/systems.
“Therefore, the future approach to security is through an open, connected platform which leverages open standards, AI and automation to connect security tools and data across cloud environments,” he said.
In addition, confidential computing is rapidly shaping the security environment: it allows businesses running workloads in the cloud to maintain full privacy and control over their workloads, despite having no authority over the infrastructure on which those workloads are hosted.
Protecting data handled by third parties
The rising number of third-party data breaches and the sensitive data being exposed have negatively impacted consumer trust.
According to Akshat Jain, CTO and Co-founder, Cyware, over-reliance on a particular cloud service can also create a single point of failure from an operational and security perspective in the case of platform-wide incidents. The inability to conduct due diligence, implement complex security policies, and maintain regulatory compliance can further compound the cloud security issues that organizations face.
“To protect data handled by third-party vendors, enterprises should set up a vendor management team with a select few key members. A detailed vendor risk management should be documented with clear policies, procedures and even outlining daily tasks. Before finalizing any contract with a vendor, there should be a complete understanding of the service provider’s responsibilities that includes security guarantees,” maintained Anil Nama, CIO, Cloud4C.
An ongoing monitoring regimen should be instituted as any change in the personnel at the vendor may potentially lead to security risks and expose remote access vulnerabilities in the business.
Nama also suggests that firms establish an internal audit process to ensure that the appropriate controls to mitigate any vendor liabilities are in place.
KPMG’s Gupta highlighted that organizations need to have a comprehensive “third-party risk” framework that enables enterprises to cover all aspects of third-party service providers. This should include: risk-based classification of third-party providers; incorporating contractual obligations on security and risk management; technology controls on data security (in the form of DLP, data masking, limited access privilege, etc.); periodic assessment of the effectiveness of the control environment; and risk and compliance to be covered as part of KPIs (with rewards and penalties).
Ultimately, it is also important to realize that the cloud is a journey, not a destination, said Anand Patil, Senior Director, Systems Engineering, Cisco India and SAARC. “What the cloud provides is the advantages of agility, availability, and automation. It is critical to adapt and apply these learnings of the cloud to your IT operating model and to leverage cloud principles to break silos, build agile operations teams and unlock the opportunity to securely and optimally deliver on-demand services in response to business needs,” he added.