Securing your data in the cloud | Cyber Risk | Deloitte Netherlands


Securing your data in the cloud

Part 1: Leveraging cloud benefits in a responsible way

Cloud computing has reached a level of maturity and usefulness that many company executives never imagined. But the cloud also brings new risks. These need to be managed properly if an organisation wants to unlock the cloud’s full potential. In this blog series, we help you to stay in control—responsibly—while enjoying the benefits of the cloud.

Cloud transition journey

As a compliance director or head of internal audit, you’ve probably heard the benefits of cloud computing a thousand times. The cloud requires minimal capital investment and makes your organisation more agile. You can quickly adjust to meet fluctuating demand. Beyond a doubt, the technology of the largest cloud service providers is state-of-the-art.

But the cloud’s many benefits don’t automatically wipe away your concerns, especially regarding security. As witnessed over the past few years, data breaches and other security incidents can cause huge reputational damage. So how safe is your HRM, financial and customer data if it’s stored in a cloud solution? Who has access to that data? What if a cloud provider’s server crashes? And what will happen to your data if you want to switch to another vendor? By handling these concerns responsibly, you will not only protect your business, but can also create extra value for your organisation.

The good news is that cloud security has improved radically over the past few years. The applications and solutions of the biggest cloud service providers are now as secure as, or even more secure than, their on-premise counterparts. Their security features can easily be integrated with your features. But this doesn’t relieve you and your security colleagues of your responsibilities, as incidents surrounding cloud security are often caused by a lack of understanding of how to work in the cloud.

Figure 1: A typical secure cloud transition journey

In order to responsibly leverage cloud benefits, cloud security should be seamlessly incorporated in each phase of a cloud transition journey.  

 

Phase 1: Imagine

In a perfect situation, compliance and security officers will be involved from the first phase of cloud implementation, the phase we call ‘Imagine’. In this phase a cloud strategy is developed and a vendor (for a specific solution or for the complete cloud-first strategy) has to be selected. During this phase, discussions with all relevant stakeholders should take place to identify the risks and regulatory requirements that need to be addressed and to devise a strategy accordingly.

Organisations often struggle with identifying and curbing siloed consumption of cloud services across their teams, which leads to chaos. We believe this is due to the lack of a defined cloud security vision and a secure cloud adoption strategy.

 

Phase 2: Deliver

Unfortunately, security by design is not common practice in all organisations. In most situations, the security team isn’t involved until an application or a solution has already been chosen and the first steps of implementation have taken place.

Within the ‘Deliver’ phase, applicable security processes and policies are implemented in the cloud landscape. Organisations need to translate existing security capabilities to the cloud for increased agility and scalability. Seamlessly integrating and automating security is imperative to ensure that security acts as an enabler for an organisation rather than a roadblock.

There is a plethora of ever-increasing innovative services and tools being offered by cloud service providers. More and more organisations are adopting these solutions instead of reinventing the wheel. By implementing guardrails and securing delivery pipelines, organisations are able to innovate in an agile way while taking security into account.

Scalability features offered by most CSPs make it very difficult for attackers to perform traditional denial-of-service (DoS) attacks. This has changed attack scenarios: attackers are now shifting towards financial DoS attacks that leverage misconfigured scalability parameters.

Phase 3: Run

In the last phase of the cloud transition journey — the ‘Run’ phase, when a cloud application is live in production — an organisation needs to be able to demonstrate the effectiveness of its security controls.

To maintain control and visibility in their cloud landscape (including cloud-to-cloud and user-to-cloud interactions), several organisations are choosing solutions such as technical brokers. These solutions enable organisations to centrally enforce governance, manage identities, demonstrate compliance, maintain central control of infrastructure, continuously detect threats, and react and adapt security capabilities to address threats per cloud service.

 
 

Leveraging cloud benefits

Going through the phases of a cloud transition journey is just as challenging from a compliance and internal audit perspective as it is from a technological one. Without secure data controls to keep your data safe, your reputation and business goals are at stake. With secure data and responsibly managed controls, you can truly leverage cloud benefits.

 
 

Let's connect

Deloitte has helped many organisations get a grip on the opportunities and challenges they face when using cloud technology. Do you need help addressing cloud risks? Please reach out to Rob Stout or Priyam Awasthy via the contact details below. 

 

 