By Shambhulingayya Aralelemath, Associate Vice President and Global Delivery Head, Cybersecurity, Infosys
The uncontested benefits of digitisation have pushed the envelope for cloud adoption. Organisations are increasingly choosing to become cloud-first by moving most or all of their existing infrastructure to the cloud and adopting the latest technologies without making large investments, paying only for the services they use. This gives them agility and flexibility, and is cost-effective. Unfortunately, it also increases the attack surface, exposing them to various threats.
Dynamically evolving threat vectors in the cloud environment have compelled organisations to continuously rework both security controls and processes. This continuous adaptation requires a pivot strategy for defence controls to rapidly discover, comprehend, and reposition the enterprise baseline. Since a cloud-first computing environment differs from on-premises infrastructure, it is not adequate to merely replicate on-premises security controls in the cloud. Cloud-native microservices applications, diverse workloads, identity explosions, and cloud data posture need focused attention.
Focus areas define the security quad of Posture, Identity, Data, and Code. The Security Quad forms the four pillars on which cloud security strategy stands. We need dynamic security controls, enforcement points, and granular governance to align these security tenets with the modern dynamic era.
Outlining the Security Quad: Posture, Identity, Data, and Code
The first order of the strategy is to look at architectural design and design solutions that align with the zero-trust principle to minimise the attack surface. Posture or architecture design helps manage the overall security framework using standardised controls, responsibilities, and security configurations, which can be deployed across common use cases.
Next is identity, which covers knowledge of users, business environments, vulnerabilities, and threats. Solutions powered by Artificial Intelligence (AI) or Machine Learning (ML) can address modern threat vectors. Along with traditional controls, Data Security Posture Management (DSPM) or Cloud Infrastructure Entitlement Management (CIEM) helps address specific cloud problems.
The third pillar of the security quad is data, which needs to be encrypted, whether at rest or in transit between internal and external cloud connection points, to reduce the risk of breaches.
The fourth component is code, where security is automated and embedded across the entire development life cycle through various checks and tests to secure cloud workloads with speed and agility and prevent manual error.
Effective Cloud-first Defence Strategies
While selecting security controls is important, one must emphasise how these controls are delivered. By aligning with zero-trust principles, where implicit trust is eliminated, and every stage of the digital interaction is continuously validated, organisations can minimise the attack surface by pushing the service edge and policy enforcement close to the user and away from the application stack.
A decentralised structure for security controls is another way forward, made possible by the use of Continuous Integration (CI) and Continuous Delivery (CD). With this, security teams can devote their efforts towards governance, guaranteeing baseline hygiene and security consistency while reducing the cloud attack surface to a large degree.
Whether code pipelines (CD services that model, visualise, and automate the release of security code) are configured using gating controls or baseline mandate definitions, they must adhere to the organisation’s security and compliance objectives. Governance can also be extended to the operations space by shifting to managed detection and response (MDR) services that cover all cloud assets across the infrastructure, application, and IoT landscape, with built-in AI and ML algorithms.
Conclusion
Organisations should strive to protect themselves from potential security and privacy threats by implementing robust security best practices. The most effective defence strategy for a cloud-first computing era would be zero trust, with a strong emphasis on governance to regulate all the events, flows, and movements within the cloud landscape.