CLOUD SECURITY ARTICLE - CLOUD SERVICES, DIGITAL TRANSFORMATION & SECURITY TRANSFORMATION
Cloud services innovation, deployment and consumption are proliferating at a runaway rate today, for all the good reasons of opex cost management, storage, staging, business continuity, scalability, agility and so on.
New services such as FinTech, IoT, mobile apps and SD-WAN all use cloud infrastructure and, at its core, the datacenters that host and run the storage, switches, networking and compute power, and that underpin service reliability and robustness.
Digital transformation over the past several years has contributed significantly to the feverish adoption of cloud services (see the proliferation of cloud service providers and datacenters in the region), and the 2.5-year pandemic lockdown has accelerated this in no small way too, given the sudden need for work-from-home remote access, distributed computing, e-commerce and online order-delivery services for almost anything and everything.
Even though the lockdown has eased today, many organisations and staff continue to prefer a hybrid work model with partial (if not still full) WFH, thus continuing to feed the cloud services boom.
Digital transformation drives foundational change in how an organization operates, optimizes internal resources, and delivers value to customers. Cloud technologies provide the foundation for becoming more agile, collaborative, and customer-focused.
Digital transformation is when an organization takes advantage of new technologies to redesign and redefine relationships with their customers, employees, and partners. Digital transformation for business covers everything from modernizing applications and creating new business models to building new products and services for customers.
Organizations choose digital transformation frameworks as a way to reimagine themselves and stay competitive in their respective businesses and industries.
There are security and governance concerns, primarily regarding data and availability, given that cloud is an outsourced model and the consumer tends to lose visibility and control.
Hence it is paramount to consider and comply with nationally and internationally established security and trust frameworks and certifications, such as those from ISO and CSA, and also some local ones from monetary authorities, governments, etc., as at least a next-best assurance and trust reference that certain processes, policies and methodologies are in place to ensure the cyber security of the cloud services.
As the drive towards digital transformation gathers momentum, this is an appropriate time for organizations to pause and reflect for a moment on their security strategies.
It’s beyond doubt that the integration of digital technology into all areas of a business can result in fundamental changes to how businesses operate and how they deliver value to customers.
Technologies typically associated with digital transformation include SD-WAN, IoT, and Cloud, and the changes they’re driving are quite revolutionary.
However, without an accompanying Security Transformation strategy, any Digi-Trans effort can fall apart.
This presents a complication as Digi-Trans efforts move more data and systems to the cloud, and cyberattacks grow more sophisticated.
So, what is Security Transformation and why should you care about it?
It is the integration of security into all areas of digital technology, resulting in fundamental changes to how security is architected, deployed, and operated.
At the same time, Sec-Trans is more than just technology – it’s also about changing how teams work.
With the wide range of different technologies being adopted under the banner of DX, the different teams associated with key projects – applications, networking, and security – all need to work together to achieve a common goal: a successful and secure Digital Transformation.
To understand why Sec-Trans is so vital, consider the ever-changing security threat landscape and its potential impacts on Digi-Trans technologies like Cloud.
The majority of organizations have adopted a multi-cloud strategy, including multiple IaaS providers and over a dozen different SaaS solutions. The expansion of data and workloads into a distributed cloud environment makes consolidated security prevention and detection difficult.
What they need is an integrated virtual and physical cloud solution that extends seamless security across the distributed cloud deployment, including advanced security solutions for all five of today’s top cloud service providers.
In a multi-cloud environment, for example, there are many security issues to consider, including how to manage access to cloud services from remote users and branch offices, how to work with multiple cloud vendors using different cloud platforms, how to manage the new and constantly evolving applications and workflows that span different environments, and how to establish and enforce consistent security policies across various cloud platforms that each have their own native controls and interfaces.
This complexity makes it impossible to monitor what’s happening across all the clouds, properly manage risk, address regulatory compliance, and maintain consistent security policies across both on-premise and cloud environments.
Likewise, connecting next-gen branch offices to today’s more dynamic and fluid networks requires adopting a more dynamic and fluid approach to building wide area networks.
SD-WAN, for example, through internet and cloud services, enables branch offices to easily connect to all resources, whether on-premise in a central data center or in any of an organization’s multi-cloud environments. The challenge, however, is that most SD-WAN solutions do not have the necessary security capabilities to adequately protect the branch office.
It's also important to understand that the range of different digital technologies associated with Digi-Trans brings with it a range of security risks that IT teams can’t afford to view in isolation.
Traditional or incumbent network infrastructure cyber security solutions cannot simply be extended or shoe-horned to cover cloud services.
The fact that cloud environments tend to use unique controls and services that make integrated visibility extremely difficult only makes the problem worse.
To address these and similar challenges, organizations need to, where possible, step back before deployment and assess the situation with all of its associated risks in order to develop a comprehensive security strategy.
This need for collaboration between disparate teams to achieve a common goal is the essence of Sec-Trans and is a cyber-security best-practice approach.
Without this initial planning and the full recognition and acknowledgement of the risks that a Digi-Trans strategy can entail, Digi-Trans objectives cannot be fully realized – and in the worst case, the Digi-Trans initiative could, as alluded to earlier, even fail.
The best response to increasingly complicated networked environments is simplicity. That requires a security transformation that can keep pace with the digital one.
Security transformation, to recap, involves the integration of security into all areas of digital technology, resulting in a consistent and holistic security architecture that enables an effective security life cycle spanning the entire distributed ecosystem of networks.
This includes identifying the attack surface, protecting against known threats, detecting unknown threats, rapidly responding to cyber events in a coordinated fashion, and providing continuous trust assessments.
An effective security transformation strategy needs to include collaborative intelligence and system integration so local and global threat intelligence can be shared between devices and responses can be coordinated between solutions; the orchestration of unified security policies and enforcement; intelligent segmentation across physical and virtual environments for deep visibility into traffic moving laterally across the network, even across multi-cloud environments, and to quickly identify and quarantine infected devices; and automation to sift through growing network noise, correlate threat information, and respond in real time to any threat found anywhere along the extended attack surface.
Author Bio
Anthony Lim
MAISP
Fellow, Cybersecurity, Governance & Fintech, Singapore University of Social Sciences
Anthony is a pioneer of cyber-security and governance in Singapore and the Asia Pacific region, with over 25 years’ professional experience, as a business leader, consultant, advocate, instructor and auditor.
He has managed some national-level cybersecurity readiness assessment projects in Singapore and the region and was a co-author of an acclaimed international cloud security professional certification. He has held inaugural senior regional business executive appointments at Check Point, IBM and CA (now Broadcom), and was also client CISO at Fortinet and NCS. He has been active in industry association circles for nearly 2 decades, and is currently Advocate at (ISC)2 Singapore Chapter.
Anthony is an adjunct instructor and module developer for some tertiary academic & professional institutions. He has presented and provided content at many government, business, industry and academic seminars, committees, executive roundtables, workshops, trainings and media (print, broadcast, internet, including CNA, CNBC, Bloomberg, BBC) in Singapore, the region, and also for NATO, at Washington DC, Stanford University, ITU, Guangzhou Knowledge City and Tsinghua University. He is a life alumni member of the University of Illinois, Urbana-Champaign.