Securing cloud workloads

Matthew O'Brien

Group Owner - Cyber Security


Today there's a widening gap between what organisations want to achieve with cloud, and what they think they're able to achieve.

The latest Omdia research shows that only 21% of Australian organisations feel well prepared for their next step in cloud migration. A major reason is security. In their 2021 surveys, Omdia found:

  • 79% of Australian organisations have experienced a cloud triggered security incident in the past twelve months.1
  • 31% of Australian organisations have experienced a significant increase (more than +25%) in hybrid cloud security incidents during the COVID-19 pandemic.2

It's not surprising that many feel unprepared for securing their cloud. COVID-19 accelerated the move to hybrid cloud which increased the attack surface. At the same time, threats continued to become more advanced, targeted and persistent.

This doesn't mean cloud is less secure than traditional computing. It just presents new challenges. Cloud is here to stay. Its importance for both operational efficiency and digital transformation simply means we have to be more proactive in protecting it.

If you don't know where to start, here's where to start

If you're beginning your cloud journey, there are several things to consider before you embark.

You should assess the level of risk you're prepared to accept. This will be closely tied to the assets you want to move to the cloud, and the speed at which you move.

Underpinning both is your strategy. Here, the most important question is: why are you moving? Are you seeking better performance? Greater efficiency? More reliability? Is cost optimisation your focus?

Prioritising your aims now will create a map that you can use to plot your cloud journey, determining where, when, what and how you move.

It's also critical to understand your regulatory requirements before you start, especially if you want to transition business critical applications. You'll no doubt be dealing with personal customer data, so it's wise to understand your obligations first.

Importantly, security should be integral to your thinking. It needs to be part of the build and development process as you deploy apps and services to the cloud. It can't be an afterthought. Your cloud security mantra needs to be 'secure by design'.

Already in the cloud? Here's how to make it more secure

Making your existing cloud workloads as secure as possible should be a priority. The key here is to constantly refer to what we call the Five Knows of Cyber-Security:

  • Know the value of your data
  • Know who has access to your data
  • Know where your data is
  • Know who is protecting your data
  • Know how well your data is protected.

With this in mind, several factors are vital in an effective data management strategy. Continuous integration, delivery, scanning and monitoring should be part of your approach. You should also understand that cloud security can't be managed in the same way as your on-premises systems.

Always be vigilant

Wherever you are on your cloud journey, eternal vigilance is the price you pay for safety. A major reason is that change can be rapid in a cloud environment, so configurations can alter, or security measures can slip.

In response, you need to continuously review your security policies and practices, and make sure they tie back to business priorities:

  • Review your automation. Re-evaluate the outcomes you want and test that automation and orchestration are doing what they should.
  • Review how security is implemented. You can do this with an architecture review around a specific application or process, but it needs to be done regularly.
  • Understand shared responsibility. Assess and monitor the shared responsibilities between you and your cloud provider.
  • Test your security incident response plan. Ensure you can continue to operate even if you or someone in your supply chain is compromised by a security breach.
  • Check what you're doing works. Have regular reviews that holistically examine your cloud, and can recommend improvements to achieve best practice.
  • Check your blind spots. They're usually revealed after a breach - a lesson learnt. Actively look for potential flaws, and you may be able to prevent them before they occur.

The non-negotiables for cloud security

When it comes to securing your cloud environment, there are few things you can do to help accelerate your cloud adoption. One of them is using security controls from public cloud providers where you can. You can always supplement them if they don’t meet all your objectives.

The rest is up to you. You should ensure you have visibility of your security risks and know your security posture. Then you can identify gaps and put baseline security controls in place like workload protection, access controls, security monitoring and automation.

You also need to be proactive with compliance. Know what cloud providers will cover and what you need to do, then map it all back to your compliance obligations.

The opportunities that cloud offers are certainly worth the risks. But you can minimise the risks if you're prepared to be vigilant, proactive and consistent in your efforts. You don't need massive investment in security; you just have to be brilliant at the basics. 

1Omdia State of Cloud Computing in Australia Q1, 2021.

2Digital Enterprise Services Insights: Global CxO Tech Services Agenda 2021 Mid-Year Update.

Make a real difference Speak to an expert