Posted: 20 Nov. 2020 | 4 min. read

Taking a Cloud Journey Without Risky Detours

There are many reasons for enterprises to move to the cloud. It might be “emergency migrations” to cope with the uncertainty and upheaval of the COVID-19 pandemic. Or, it could be part of a longer-term IT modernization plan. Whatever the reason, the cloud represents a basic challenge to IT departments: it’s a fundamentally different environment, which makes it prone to human error. This is why, according to the Verizon 2020 Data Breach Report, cloud misconfigurations - a fancy term for “human error” - are by far the no. 1 cause of cloud data breaches.

Migrating to the cloud does not have to be fraught with risk, however. If the migration follows a well-constructed strategy and taps the right skills, processes and understanding of the shared-responsibility model, risk can become quite manageable. Here are some foundational elements to consider for controlling risk in the cloud:

  • Strategy - At the most basic level, organizations need to examine the business rationale for moving to the cloud in the first place. Is there a program in place for effectively using the cloud? And is that program broad enough to fully consider how to address any new risks introduced by the cloud environment? Or, it may be that the risk level is the same as it was in the old environment, only now that risk lives in the cloud. What does it mean when the “same old risk” now lives in the cloud?
  • Talent - There is already a critical worldwide shortage of cybersecurity talent. According to ISC(2)’s 2019 Cybersecurity Workforce Study, there are currently 2.8 million cybersecurity professionals in the world and another 4 million are needed to close the skills gap. A similar shortage is developing around cloud skills in general, and cloud security skills in particular. When organizations consider cloud initiatives, it’s imperative to understand if the right talent is in place to successfully migrate and secure systems in the cloud. And even if it appears the right “numbers” of skilled workers are in place, it’s important to understand if those workers are focused on the right areas and subdomains, so they can be effective at securing the cloud environment.
  • Development Processes - Many organizations today have moved to DevOps as their process for building, deploying and updating applications in the cloud. Is security integrated into that DevOps process (known as DevSecOps)? Or are things working the old-fashioned way, where developers and security pros work in silos, inevitably putting security in perpetual “catch-up mode,” where they have to secure already-deployed applications after the fact? To effectively manage risk in a cloud world, organizations need to move to the DevSecOps model so security can be built into the development process.
  • Understanding Cloud Operating Models - Cloud providers operate under a shared-responsibility model: the cloud provider is responsible for the performance and security of the cloud infrastructure, and the customer is responsible for everything sitting on top of that infrastructure. Cloud providers have built a robust set of security tools for customers to use – but that can bring its own level of complexity. Does the security team know which cloud-native tools to use? If they don’t use them, are they creating risk? And do they know exactly what they are configuring? Questions like these are often not contemplated until after the fact, which is a contributor to the breach-by-misconfiguration problem cited earlier.

These are just some of the issues to consider when embarking on a cloud journey. By setting a sound strategy, and aligning talent, processes and an understanding of the cloud operating model, enterprises can embark on a transformational cloud journey that grows their business, not their risk.

Want to hear more? Listen to Deloitte Global Cyber Cloud Leader Sean Peasley discuss cloud security in depth on a recent podcast from Cyber Crime Magazine.


Key Contact

Sean Peasley

Deloitte Advisory Partner

Sean is a Partner with Deloitte & Touche's Cyber Risk Services practice and is the Global Cyber Cloud Leader and Cyber IoT Leader. He delivers solutions to help organizations address their most pressing and pervasive cyber security challenges for Enterprise, Cloud and IoT environments, including cyber risk, cyber threat intelligence, cyber war gaming, IoT and OT security, identity management, privacy and data protection, and business resilience. He has over 35 years of consulting experience and serves some of Deloitte’s largest clients. He is a proven leader with diversified, in-depth experience in consulting and has demonstrated an ability to consistently achieve desired results and provide exceptional value to clients across a variety of business problems, technologies and industries. Specialties: IoT/OT security; cyber cloud; information security strategy; cyber risk & security; identity management; application security; secure systems development; information technology risk management; governance, risk and compliance; and resiliency. He has experience in several industries, including automotive; consumer products; energy & resources; financial services; health care; high technology; life sciences; manufacturing; and media, entertainment & sports. Sean is passionate about working with the community; he currently serves on the board of directors of YMCA of Orange County and is the chairman of the CSUF College of Engineering & Computer Science College Leadership Council.