Announcing March's Cloud Security Champion
Congratulations to Evgeniya Basheva, Security Compliance Lead EMEA, Salesforce, for being selected as techUK’s ‘Cloud Security Champion’ for the month of March.
The purpose of techUK’s Cloud Security Champion campaign is to celebrate the work of UK cloud security specialists in helping build a culture of trust and confidence in cloud computing and showcase how they are supporting organisations to adopt, deploy and use cloud services securely. This is also an opportunity to learn from those working in cloud security about the current threat landscape and examples of the strides being made in enhancing security.
A new techUK ‘Cloud Security Champion’ will be chosen every month, so if you would like to nominate a friend or colleague to be the next Champion, please drop us a line. You can read our interview with Evgeniya below.
What are your current responsibilities and what does a typical day involve at Salesforce?
My responsibilities include the identification and analysis of national and regional security compliance frameworks for the Public Sector across EMEA. I also work on building compliance strategies for entering into new markets and providing cybersecurity advisory services for Salesforce positioning on new and changing laws and regulations within the EMEA region.
Salesforce is a dynamic company where our daily activities change at speed to meet the business objectives while ensuring that we maintain our core value of Trust for our customers, partners, employees and the Salesforce community.
What do you most enjoy about your work?
At Salesforce, we believe that business is the world’s greatest platform for change. We use our technology, people, and influence to improve the state of the world. We maintain a rich ecosystem of impact through our 1-1-1 model and delivered via programmes on Sustainability, Ethical and Human Use, Public Policy, Equality and more. Knowing that my work contributes to the wider good of our communities makes my work enjoyable every day.
Why is cloud important to the UK's economic growth and what does the future hold for adoption and maturity of cloud in the UK?
January 2021 marked a new chapter in UK history. In order for our country to recover from the economic downturn caused by the Covid-19 pandemic, the UK business and Public Sector have to become more responsive and agile to meeting the needs of customers locally and globally. Cloud computing offers the scalability, agility and speed we need to power the UK’s growth in a sustainable way and meet its global trade expansion objectives.
Our country is in a great position to be at the forefront of innovation and digital adoption, and is already home to many of the world’s leading tech companies. Fortunately, the UK is also one of the world’s top leaders in digital maturity (Infosys Digital Radar 2020). I strongly believe that the UK will be the forerunner of a sustainable tech-led recovery based on cloud services in the near future.
Would you agree that the conversation about cloud security has shifted and cloud users increasingly recognise the security benefits of cloud services?
Absolutely! Not long ago, sectors such as financial services and healthcare were extremely hesitant about moving their sensitive systems and data to the cloud. Today most companies maintain hybrid cloud systems and transition away from the traditional IT infrastructure, which is costly and does not keep pace with security and innovation.
What are the key security concerns affecting greater cloud adoption and how can these issues be addressed?
Some of the key security concerns are data residency & data transfers, access to data, supply chain security risk and vendor lock-in.
The EU GDPR has introduced data protection requirements that were incorporated in the UK by the UK Data Act 2018, requiring companies to take steps to ensure data is protected from the way data is hosted, transferred across geographies and processed. Companies must follow a risk-based approach to define their data residency, data transfers, and processing needs.
Cloud services are about shared responsibilities between the service providers and customers. Companies adopting cloud services must take accountability for securing their cloud solutions. For instance, for any SaaS, they must implement robust access control and multi-factor authentication of their users; secure configuration of the solutions using the cloud service providers' guidelines; encryption of data; and integration with the company logging, monitoring and incident management processes. The customer responsibilities will expand further for PaaS and IaaS, where they will need to consider secure coding, vulnerability management and patching, and more.
To ensure adequate steps are taken to protect their data, companies should complete security due diligence of the cloud service providers to understand the risk criticality. These risk assessments can expose threats such as supply chain security breaches. Ensuring that the service providers have a well-defined and implemented information security management system (e.g. ISO27001, Cyber Essentials Plus) and other industry best practices at a minimum is a MUST.
It is important that all cloud service customers ensure that the services they adopt are not subject to vendor lock-in and the services can be transitioned to an alternative service provider if needed.
What steps should organisations take to adapt their cloud security posture to the rapidly changing online environment?
Staying aware of what is driving one’s business and what is relevant to their customers is the first rule in building a successful organization in a fast-paced online environment. Companies should maintain flexible business strategies while also keeping effective cloud security practices and the trust of their customers. This can be achieved through the retainment of a roadmap which can easily adapt and align with the continuously changing security and threat landscape, new and updated regulatory requirements, and evolving customer needs. Some steps to enable the security resilience could include automation, deep analytics and zero trust architecture. By reducing the human involvement and consequently human errors while enhancing the human cyber security awareness - employees and customers alike - it would ideally reduce the percentage of security breaches we witness on a daily basis.
How can the cloud market equip organisations with the understanding, skills and knowledge to make the right cloud decisions for now and for the future?
The cloud market is becoming more competitive and challenging for organizations looking to adopt cloud services. It is vital for the cloud service providers to enable UK businesses by being forthcoming about their security and data protection practices as well as by offering clear guidance on the shared responsibilities with the cloud customers. A local industry framework which can help SMEs to distinguish among services based on their business, security and data protection needs could be very impactful.
Building trust and confidence in the security of cloud computing services remains fundamental to the continued use of cloud services by organisations. What would you suggest is the one thing all companies should do to improve their cloud security?
The one thing cloud service providers can do is to be transparent - provide their customers with the information they need, e.g. independent security reports, documentation for securing the services, regular advice on how to improve the security of the customer implementations, real-time notifications for security incidents. Salesforce customers can review the security status of their instances on http://www.salesforce.trust.com at any time, access the latest compliance reports and penetration test reports on the compliance portal, and use the implementation guidelines on how to securely configure their Salesforce solutions.
How can the cloud and cyber industry encourage someone considering a career focussed on these technologies?
There are multiple channels which can be employed, from apprenticeships and internships to mentorship programs, to develop the aspiring cybersecurity experts of tomorrow. For instance, at Salesforce we have partnered with the World Economic Forum to deliver a Cybersecurity Learning Hub which is on Trailhead, the free online Salesforce learning platform that empowers anyone to upskill for the future and learn in-demand skills that can lead to a career in the tech sector.