Introducing January's Cloud Security Champion
The purpose of techUK’s Cloud Security Champion campaign is to celebrate the work of UK cloud security specialists in helping build a culture of trust and confidence in cloud computing and showcase how they are supporting organisations to adopt, deploy and use cloud services securely. This is also an opportunity to learn from those working in cloud security about the current threat landscape and examples of the strides being made in enhancing security.
A new techUK 'Cloud Security Champion’ will be chosen every month, so if you would like to nominate a friend or colleague to be the next Champion please drop us a line.
Accenture have recently released their Secure Cloud POV which you can read here.
What are your current responsibilities as Cloud Security Lead and what does a typical day involve?
The only thing constant or typical in my role is change. My days are dynamic and usually split between project delivery, business and people development. As you can imagine, the clients we work with are at various stages of their cloud journey meaning the cloud security work my team and I are involved in ranges from planning and designing cloud security strategies to defining security design patterns and architectures, as well as hands on cloud platform configurations and managing the security aspects of a customer’s cloud environment.
What do you most enjoy about your work?
Cloud technologies are constantly evolving, the constant learning and working with customers to solve their most pressing security challenges with some of the best, brightest and diverse colleagues.
Why is cloud important to UK’s economic growth and what does the future hold for adoption and maturity of cloud in the UK?
Many businesses have been drawn to the efficiency, elasticity and innovation of the cloud. But 2020 stands out as the year when organisations, across all industries, had a powerful and direct reminder of the importance of systems resilience, agility, adaptability and scalability. 2020 has proven to be a defining moment for public cloud in the UK, especially as the pandemic has brought digital transformation forwards by two-three years. In terms of economic growth, the most agile businesses in the UK that embraced cloud technologies quickly and securely were able to leverage new and creative digital channels, in order to reach more customers and not only just survive but thrive.
At present, UK businesses are embracing the cloud at pace, however, compliance and regulation still seems to be getting in the way of larger institutions racing towards a “cloud-first” approach.
Looking ahead to 2021 and beyond, we will see UK businesses continue to build on this momentum by fine-tuning their cloud adoption strategies, modernisation initiatives and up-skilling their workforce. The latter is a point I’d like to reiterate - UK businesses that leverage cloud technologies to enable a remote workforce, e.g. cloud contact centres, secure access service edge (SASE) etc. will be able to tap into new talent pools of technologists across the UK in order to accelerate digital transformation, in turn, creating better products and services.
Would you agree that the conversation about cloud security has shifted and cloud users increasingly recognise the security benefits of cloud services?
Organisations need to prioritise a “cloud first” approach to enable their companies to transform with agility at scale. As its name suggests, every new instance of public cloud could be a security storm. Security is often seen as the biggest inhibitor to a cloud-first journey—but in reality, it can be its greatest accelerator. The cloud security conversations have certainly shifted in line with the amount of increasing security spend by the cloud service providers (CSP). It’s not uncommon to see the major cloud service providers make public statements on security investments north of $1bn+; this in turn instils a sense of confidence by consumers, especially those in highly regulated industries such as financial services in the UK.
The key point is that although the major CSPs are investing heavily in the security of their respective platforms, it’s even more important that consumers fully understand the shared responsibility model as cloud misconfiguration is still the #1 risk in the cloud.
What are the key security concerns affecting greater cloud adoption and how can these issues be addressed?
There are four key cloud security concerns. The first is achieving full visibility and understanding the risk(s) in your multi-cloud environment – this can be addressed by cloud security posture management (CSPM) tools and processes.
Secondly, we’re seeing compliance and regulation as being a barrier to adoption – this can be addressed by CISOs and compliance functions being able to communicate a transparent governance risk framework, along with close monitoring and automating the remediation of anomalies to maintain compliance.
The third area is around finding and retaining the right security talent. Automation helps with talent shortages, but organisations need to be more creative when it comes to ensuring the right skills are in place. Constant and consistent upskilling is required in order for teams to develop the right mindset, behaviours and culture when operating a secure cloud environment.
Lastly, and most importantly, cloud misconfiguration is still the #1 risk in the cloud – this can be addressed in several ways, a few of which include complete visibility of your cloud environment, invest in upskilling your workforce and implement policy as code to automate preventative and detective controls where possible, e.g. IaC scanning, CSPM and cloud workload protection platforms (CWPP) etc.
What steps should organisations take to adapt their cloud security posture to the rapidly changing online environment?
In agile and dynamic cloud environments, it’s important to follow the following steps in order to improve cloud security posture:
- Adapt your security policies to be more cloud centric;
- Adapt your operating model to incorporate new roles/skills, automated processes and tools required to secure your cloud environment(s);
- Adapt your DevOps culture and framework to embed security from the start, introduce policy as code as much as possible
How can the cloud market equip organisations with the understanding, skills and knowledge to make the right cloud decisions for now and for the future?
The best way is through education - less theory and more hands-on keyboards. Sometimes the marketing, or marketecture as I like to candidly call it, can get in the way of truly understating the benefits of the cloud and how it fundamentally works. Education of cloud adoption is a two-way street: CSPs need to educate consumers on the technology and it’s equally important that consumers educate CSPs on the industry so CSPs can make their products and services more fit for purpose.
Building trust and confidence in the security of cloud computing services remains fundamental to the continued use of cloud services by organisations. What would you suggest is the one thing all companies should do to improve their cloud security?
Identity, identity, identity! When it comes to protecting users and data in the cloud, it’s absolutely critical your organisation gets identity access management right. Think of identity as the new perimeter in a cloud environment, which is actually a paradigm shift away from the traditional, on-premise network security trust model.
How can the cloud industry encourage someone considering a career focussed on cloud?
There has never been a better time for a career in cloud technology and it’s also an area where you don’t need over a decade of experience to start. That said, the cloud industry can encourage and accelerate careers in cloud via free digital training, gamification of courses, mentorship programmes, free testing playgrounds as well as compelling rewards to incentivise the most eager learners.
Accenture have recently released their Secure Cloud POV which you can read here.
Laura Foster
Laura is techUK’s Head of Programme for Technology and Innovation.
