Risk-based security helps businesses stay grounded when migrating to the cloud

Co-founder and CEO of Vulcan Cyber.

Cloud computing has reshaped the business world. New security demands have emerged that match the magnitude of this change. It’s a challenge for cloud security teams to keep up, as evidenced by the data breaches and cybersecurity incidents that now occur at an increasingly regular cadence.

The cybersecurity toolkit that most IT security professionals are familiar with was primarily developed over 20 years ago to govern on-premises infrastructure and manage on-premises threats. The result is ever-changing complex computing environments riddled with misconfigurations and vulnerabilities, as well as sprawling ecosystems of users, applications, and data with unique risk surfaces.

Business leaders recognize it: 79% of executives surveyed by KPMG say they view information security as a strategic function and a source of competitive advantage. They also have a healthy degree of distrust when it comes to their own preparedness: only 10% of survey respondents described themselves as “very well prepared for a future cyberattack.”

At the same time, according to my own company’s research, 55% of enterprise workloads will be in a public cloud within a year, and 81% of those users will use multiple cloud providers. Complexity and scalability mark the most powerful security challenges with the cloud, forcing security teams to grapple with the obvious chasm between recognizing these dynamics and preparing the industry to address them.

Cloud security is a shared responsibility, but it also creates a challenge because teams involved in cloud security always take a “not my problem” approach. Adding to this challenge is the fact that the data is often managed by a third party. Organizations don’t have the same visibility as with legacy on-premises systems, and without additional tools, their cloud environments often lack adequate security controls. Without visibility or control, they cannot mitigate, patch, or otherwise address a vulnerability or threat.

This cloud compromise represents a significant problem as enterprises come to rely on the scalability and efficiency of the cloud without considering security and compliance. In fact, it’s this scalability that often presents problems for security teams: with limited resources, they are unable to accurately prioritize issues that pose a real threat to the business, versus vulnerabilities that may be technically serious but will not affect the business.

There are, of course, certain steps that can help organizations get a sense of their unique risk position. Scanning tools can reveal a number of vulnerabilities with limited resources. The rise of “objective” scores such as the Common Vulnerability Scoring System, which classifies vulnerabilities by severity, for example, is an illustration of this.

A recent survey of IT decision makers showed that 86% rely on these third-party severity scores to prioritize vulnerabilities. However, these scores alone are insufficient, as the survey also indicated that 70% of respondents rely on third-party threat intelligence to complement their security program. The common denominator is the use of third-party services that lack the necessary business context to fully understand an organization’s unique risk profile and cannot accurately identify the risks most likely to disrupt business. To cope with this dynamic, companies need to strengthen the control of these processes to ensure better accuracy in the rating, prioritization and mitigation of cyber risk.

With cloud adoption off the charts, the scale of risk introduced by vulnerabilities has increased while IT security resources have remained stable. Therefore, it is essential to automate the risk management process as much as possible. Even so, barely a third of organizations (registration required) surveyed by SANS indicate that they have implemented automation beyond traditional infrastructure and infrastructure as a service.

A risk remediation program built around patch management processes from two decades ago is irrelevant to cloud risk mitigation. Tens of thousands of vulnerabilities are discovered each year, and keeping up is not possible, even for well-resourced teams. Mitigating cloud risks through user access controls or reconfiguration will lead to unintended consequences. Therefore, it’s critical to prioritize patches that address the most risky vulnerabilities for a specific organization, not the entire threat landscape.

Overreliance on severity scores when prioritizing will have similar negative effects, as these scores tell an incomplete story. Although technically serious, many higher-ranking threats are extremely difficult or impossible for a malicious actor to access, while a lower-ranking threat could provide easier access to sensitive data. Organizations must assess risk based on their unique business environments, leveraging automation to address cloud infrastructure scale while prioritizing threats that pose concrete risk to business operations.

Another challenge companies need to anticipate is the timeline for a cloud transition: five years is not unreasonable. During this time, an organization will likely have one foot in the cloud and the other in its legacy data center. This hybrid approach characterizes the strategy of most organizations today. From a practical point of view, two sets of security tools will be needed, and the budget will have to take this into account. At the same time, it also becomes necessary to plan which tools in the stack can be retired as the transition progresses and which new tools will be needed to form the next enterprise security stack.

If you are considering migrating, the main questions to ask yourself are:

• Why is your business moving to the cloud and what is moving?

• Are you simply integrating new SaaS applications?

• Or are you migrating entire workloads, business units, and operational IT to the cloud?

For many organizations, security can be seen as a barrier to cloud adoption. However, an organization’s CISO must be an enabler, building the organizational and technical processes that allow teams to work effectively, using new tools to deal with a new and ever-changing environment. The work is hard and a lot of unexpected events will happen. But the benefits of a successful transition to the cloud can be substantial, and protecting business continuity and any gains made should be a priority.


Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs, and technology executives. Am I eligible?


Leave a Reply

Your email address will not be published.