Now more than ever, we are witnessing a massive rise in cloud adoption as organisations upscale their remote and hybrid work strategies. With no signs of the flexible working environments going away, many business leaders are determined to continue to accelerate their cloud investments this year, to not only survive but also thrive in the post-pandemic world.
A forecast by global research and analyst firm Gartner showed that end-user spending on public cloud services is forecasted to reach $332.3 billion this year.
However, the inherent benefits of the cloud such as agility and flexibility have blind-sided companies to the security risks, which have now been compounded as remote working increasingly becomes a norm.
Chief among these challenges is the loss of visibility and control over traffic, data, devices, users and applications. Without a comprehensive overview, organisations are left in the dark to employee activity, data protection and cyber threats.
Many cloud applications used on a day to day basis by employees are inherently insecure. And it is vital to understand that even if cloud applications are managed and secure, the enterprise data that resides in them are at a much higher risk to theft and threats such as phishing or ransomware attacks.
In fact, a recent report by cloud security firm Netskope revealed that cybercriminals are increasingly using cloud apps to launch attacks. It noted that malware originating from the cloud continues to grow, with the percentage of malware delivered using cloud apps topping 61% at the end of 2020. Additionally, the report also found that the popularity of cloud technologies in the enterprise makes them a popular target for phishing attacks.
“The rise of remote working, accelarated by the COVID-19 pandemic, has brought a massive change in enterprises and transformed today’s security needs,” said Arie de Groot, Senior Director – Middle East, Netskope. “This is because the cloud speaks a language that’s not being spoken by traditional security tools, which were predominantly designed to protect enterprise perimeters and datacentres.
“Typically, the conventional approach to cybersecurity in the cloud is focused on ‘block vs allow’ permissions. This method centres on managing and controlling who gets access to which websites and cloud applications. This no longer works when users are no longer working from the office.
A call for renewed security strategies
Netskope’s cloud and threat report also highlighted that the majority (83%) of enterprise users are also using personal devices and cloud applications in their day to day work. This increases the risk of unintentional data movement and emphasises the need for organisations to implement a security architecture that not only protects against threats but also gains control over remote traffic, data and users.
“Security leaders can start with gaining a better understanding of what devices and applications their employees are using,” explained de Groot. “Once they have a clear view about these aspects and their risk margins, they can effectively implement granular policy controls for all users and devices wherever they may be.”
Apart from security, de Groot also noted that it is important for organisations to not compromise on speed.
“If your security tools slow down traffic too much, users will try to circumvent or bypass it using unmanaged applications and devices,” he explained. “So, there needs to be a balance between protection and speed for organisations to succeed in securing their digital transformation journeys.”
When a massive cyber incident happens such as a data breach or a ransomware attack, the company’s CEO is always the one ultimately held responsible by customers and stakeholders. A recent industry study indicated that as consumers gain increased understanding about cyber-attacks, they become unforgiving of businesses that they believe don’t take security seriously.
But within organisations, who is really responsible for security?
“Fundamentally, business decision-makers rely on IT leaders to ensure security within the business,” said de Groot. “However, as technology has evolved to become more ubiquitous, it is no longer sufficient for just the ‘IT department or the CISO to deal with data and cybersecurity.
“It is also about speed. So, it’s the network team that needs get involved as well.”
“It’s not like the old days where issues are solved in silos. The worlds of security and networking are merging”, he said. “CIOs or other executives have a role to play in bridging the gap between security and network cultures, budgets and deliverables”.
De Groot explained that CIOs and CISOs also need to ensure that other members of the C-suite, especially the CEO and CFO, have a proper understanding of why it is important to invest in the right cloud applications and in security tools that don’t compromise on performance and speed.
Navigating the future with SASE
As organisations aggressively embark on their digital transformation journeys, they will continue to shift more data and applications to the cloud, which means security, governance and compliance issues will remain huge concerns.
In addition, with remote working and continuous cloud adoption, we are witnessing the network perimeter disappear which means that increased visibility and security are of the utmost importance.
“The cloud is a blind spot. The time is now to accelerate investments in cloud security. Organisations can no longer afford to wait,” said de Groot. “Enterprises should look at their entire security strategy and determine what it would look like in the years to come. They should consider adopting a SASE approach.”
Coined by Gartner in 2019, secure access service edge or SASE unifies networking and security services in a cloud-delivered architecture to protect users, applications and data everywhere. SASE is not a product, nor is it a service. It’s a framework that helps organisations address the changes and limitations in the security landscape due to rapid digital transformation.
“Building a successful SASE architecture doesn’t happen overnight. Organisations can start small, they can for example secure their Microsoft applications first and then gradually expand and strengthen other security functionalities,” said de Groot.
The journey to SASE is an exciting one with much promise. But like any security project, it all begins with gaining the right understanding and effective planning.
Watch ITP.net’s full interview with Netskope’s Arie de Groot to find out more about cloud security.
