Increasingly, global organizations are migrating from legacy on-premises infrastructure to the cloud in order to achieve greater business agility and resilience with a modern IT approach. Yet too often, cloud migration and cybersecurity are considered separately, with different teams focused on different phases of what could be a shared process. With cybercrime estimated to cost US$6 trillion annually by the end of this year, cloud migration raises the cybersecurity stakes. At the same time, despite the benefits – and even though “security and data protection” ranks as a top-one or top-two driver for cloud migration – investment in integrated cloud cyber technology strategies is often lacking. Deloitte & Touche LLP’s 2019 Future of Cyber survey found that 90% of responding organizations spent 10% or less of their cyber budget on cloud migration, software-as-a-service (SaaS), analytics, and machine learning.
Indeed, many organizations are moving fast to migrate to the cloud without paying enough attention upfront to security.
This points to an opportunity for cybersecurity modernization that drives business and technology resilience, in which cyber becomes the differentiator that earns consumer trust. An integrated cloud cyber strategy enables organizations to use security in their transformation in a way that promotes greater consumer trust, especially in today’s digital age.
Achieving this combined approach often requires bringing together cloud and security specialists with shared goals, and a modernization program that balances agility with security and consumer trust requirements.
For organizations looking to enhance business and technology resilience, increase security, and cultivate trust during their cloud migration, a conscious decision to embrace cloud “security by design” can be essential. By pursuing security by design, organizations can benefit from:
- incorporating leading-edge, innovative approaches such as intelligent threat detection
- balancing the need for speed while reducing risk related to technology, insider threats, and the supply chain
- supporting developers and engineers while enabling the business with DevSecOps
- establishing a cyber-forward approach that reinforces business objectives such as security and trust
This article asserts the importance of taking a conscious approach to “security by design” (focused on mission-critical business applications) to guide greater collaboration between cloud and cyber teams and to drive greater agility, security, and trust.
Based on our research, which combines primary data analysis, secondary research, and internal interviews with nine Deloitte executives versed in cloud and cyber strategies, we’ve detailed specific considerations for organizations embarking on the cloud migration journey.
Why it matters: An integrated cloud cyber approach can help build business and technology resilience
Deloitte Global’s fourth annual readiness report survey data, based on responses from 2,260 C-level executives and senior public sector leaders, found that organizations with more mature cloud and cyber technology strategies tend to be more resilient than respondents overall, as well as than those with only an advanced cloud or only an advanced cyber strategy. Those with a mature cloud and cyber strategy scored the highest when answering questions related to how well their organization is doing using advanced technologies to “become more resilient and agile” (75% versus 53% overall) and “to predict future trends, risks, and threats” (70% versus 49% overall). While a cloud strategy or a cyber strategy on its own advances resilience about equally, when combined, cloud and cyber act as a force multiplier, equating to two times the resilience/agility of organizations with no cloud or cyber strategy (see endnote 5 for detailed analysis methodology). See Appendix: Integrated cloud cyber strategies drive greater business and technology resilience.
Security By Design: Specific Considerations
Ultimately, the cloud and cyber teams should come together under a modernization and migration Center of Excellence (CoE) leader (often the digital transformation leader), enabled by cross-teaming, cross-skilling, and a shared operating model. Once in place, the operating model can be used to guide greater collaboration, coordination, and implementation across controls, risk management, and compliance practices in a way that builds in security at the IT infrastructure layer while promoting the business and, ultimately, the customer experience.
This integrated team may need to collaborate around:
- Initiating the modernization and migration program. This cannot be envisioned in a silo without understanding broader business objectives, and it includes assessing business continuity issues, service-level upgrades, and potential customer impact. It also means understanding the important assets of the organization and protecting them with a cyber-centric strategy. For example, with a major retailer this could be data on product sales and customer preferences.
- Understanding innovative new cloud security technologies and approaches. Leaders should embrace a new operating model that brings together the cloud and cyber teams, taking into consideration the various aspects of modernization including talent operating model, DevSecOps, microservices, and more. The operating model can consider new offerings, implementations, and capabilities from the solution providers (such as cloud native access points) and cybersecurity leading practices (for example, National Institute of Standards and Technology’s cybersecurity framework).
- Determining the enterprise security requirements upfront. It can be critical to make sure requirements are frictionless and baked into the development process, rather than bolted on. Select a platform with the applicable security layers based on enterprise requirements such as risk and regulation. For example, one cloud provider may have more mature, customized industry solutions than another for the Health Insurance Portability and Accountability Act (HIPAA), which aims to modernize the flow of health care information; or one provider might share compliance data only quarterly, which would affect monthly compliance reporting.
- Identifying who will likely do the work, with a shared services model and a cloud cyber team structure. Develop conscientious cloud security inclusive of identity access, application-level security, network security, platform security, infrastructure security, and even code-level security. Ideally, this process should account for cloud provider service-level agreements and tap into relevant controls, risk strategies, and regulatory compliance leading practices. Organizations, for example, can set up a CoE with internal cloud and cyber team members as well as external cloud and managed service providers.
A New Cloud Modernization Operating Model For Cloud Security By Design
In many organizations, cyber entities are siloed from the rest of the organization, often with minimal and/or incomplete transparency, which can impede trust. As companies migrate to the cloud, this issue will likely grow, and the migration itself may become more difficult.
This makes security by design by an integrated team more critical. Indeed, evidence suggests this is already happening. Our interviews reveal that the biggest cloud-security shift has been a move away from developers handling security toward a more collaborative model across the technology C-suite. As recently as five years ago, a chief information officer (CIO) could oversee and fund cloud-migration projects, without security involved until the end. Today, there is more coordination among the chief security officer (CSO), chief information security officer (CISO), and CIO, and this collaboration should trickle down into the modernization and migration CoE, allowing ownership to shift clearly across shared operating and responsibility models, from pre-contracting and across the development process.
This conscious, integrated approach can be used to help guide baseline analysis and security requirements during discovery and cloud vendor selection; to determine the shared responsibility model across the integrated CoE team with the cloud vendor; to set up guardrails within the IT infrastructure itself; and to manage DevSecOps processes with the applicable mix of talent and technology in place.
Discovery And Cloud Vendor Selection
Pre-contracting, many cloud vendors expect a minimum baseline of analysis and security configurations to be handled by the client. These differ for each cloud vendor. Cloud teams can benefit from their cyber colleagues’ perspectives to better address these areas during contracting. Post-contracting and during implementation, a joint cloud-cyber team approach can accelerate the team’s ability to understand, assess, and reconfigure the cloud environment. It can also better position and prepare the CIO/CISO to perform the required third-party cloud vendor risk assessments of business operations sustainability. This activity can even be written into the contract as an ongoing annual activity for business continuity, to avoid a “vendor lock-in” situation.
Additionally, in an ever-evolving cyberthreat landscape, cloud vendors could have insight into new cloud security product developments, implementation considerations, and innovations to factor into the operating model. In 2020, for example:
- The US Air Force created the first accredited cloud-native access point enabling the organization to connect to the cloud directly without a shared access point.
- One hyperscaler introduced confidential computing, which allows organizations to keep data encrypted in memory.
- Organizations used “business process as a service” to scrub confidential or personally identifiable data.
Furthermore, better awareness of compliance reporting requirements when negotiating cloud provider contracts can help ensure that data will be shared at the frequency required for reporting. For example, a government organization was looking to report patching data to demonstrate continuous compliance, but data reporting at the frequency needed was not part of the cloud service-level agreement (SLA). To address the issue, it was able to pull source code data and integrate it into a manual reporting process. However, this could have been a smoother process if addressed at the time of contracting. To avoid challenges like this, assess these reporting needs and adjust SLAs or determine alternative reporting solutions.
The Shared Responsibility Model
According to one industry study, 66% of surveyed executives report using cloud providers for baseline security; 73% believe public cloud providers are mainly responsible for securing SaaS solutions; and 42% believe they are responsible for securing infrastructure-as-a-service (IaaS) solutions. Yet, while an organization might lean on the cloud provider for secure data centers and infrastructure, a shared responsibility model gets an organization only so far. It’s still the organization’s responsibility to secure the data and applications in the cloud. An integrated cloud cyber team enables clearer demarcation of where the organization’s responsibility ends and the cloud vendor’s begins (and vice versa) and guides on how to approach ongoing monitoring.
Unlike in an on-premises environment, with cloud the physical infrastructure is rented, and shared operating models may vary based on several contributing factors. For example, 40% of US states operate in a federated model where the CISO oversees enterprise policy and agencies lead shared services; 10% of US states have a decentralized model where the CIO advises individual state agencies on policy. Such has been the case in the New York City Cyber Command Initiative, where the project’s deputy CISO and the agency’s head of threat management adopted cloud technology to access security data from a government network-connected device in the city.
Cloud Security Innovations On The Rise?
The threat landscape is continuously evolving, with malicious actors employing new cyberattack tactics such as cryptocurrency mining and ransomware malware, cyber artificial intelligence (AI) strategies that propagate data poisoning, generative adversarial network attacks, and bot manipulation. Staying one step ahead of these attacks will require keeping up to date on the latest cloud cyber innovations. Our analysis of US patents applied for and granted between 2018 and 2020 shows that:
- Over half have focused on core cloud security technology with an emphasis on data encryption, authentication, tokens, control and storage modules, and more.
- There is a growing focus on organizations exploring the use of various advanced technologies such as AI/machine learning (ML), big data, and blockchain to improve cloud security.
- Apart from technological patents, organizations are focused on process engineering related to deployment, monitoring, programming, and provisioning.
While there were approximately 1,500 patents related to cloud security in each of 2018 and 2019, that number dropped to 500 last year, presumably due to the pandemic. Thus, integrated teams with a solid backbone – operating model, processes, and controls – could be even more critical.
All information on cloud security patents is sourced from Derwent World Patents Index via Quid (https://quid.com). The purpose of the analysis is to identify general themes in cloud security. Deloitte did not review any individual patents in preparing this analysis.
Guardrails Within The IT Infrastructure
With security central to vendor selection and to creation of the responsibility model, the security team now has a strong vantage point to embed security into the cloud migration process by setting up base guardrails and minimum configurations that protect deployment before migration activities begin. For example, workload protection and secure landing zones can create a standard configuration template that is scalable and sustainable for rapid deployment of future applications without the need for reengineering. Given that the cloud methodology is meant for Agile and DevOps, an organization without secure DevOps could be taking on a significant amount of risk, and secure DevOps can be an additional component of managing development during the migration process.
Manage DevSecOps Processes With The Desired Mix In Place
DevSecOps enables organizations to embed security into their workflow rather than as a bolt-on to development. This allows developers and security professionals to have the shared goals of secure configurations continuously monitored, remediated, and managed for cybersecurity that drives creation of agile, resilient solutions. One insurance company, for example, migrated hundreds of applications to the cloud. DevSecOps enabled the cloud engineering team to better plan the architecture of the environment and build the cloud infrastructure to enable a secure migration. These processes can be further complemented by security automation and orchestration tools to implement structured workflows, automate security tasks, and prevent and detect threats.
- Skills/Talent. Legacy technologies use virtual appliances such as those from firewall vendors to secure systems, whereas cloud technologies require an understanding of security configurations. The shift requires a new talent operating model that moves work away from a develop, implement, and deploy framework with security added afterward. Shift-left means security is involved upfront to provide baselines and configurations and set up architecture before go-live, reducing the need to be involved afterward. This leads to a very different talent operating and integration model.
- Microservices. As organizations look to modernize legacy applications to create more agile point-to-point services, cloud microservices operating models should consider vendor limitations and vendor portability/interoperability issues. Organizations can consider an agnostic middleware layer or microservices deployment model that helps the client resolve issues such as multi-cloud, as well as issues across enterprise systems.
The Cloud Security Controls Framework
Across the C-level, the move from on-premise to cloud typically requires a security mindset shift – from managing physical infrastructure to monitoring access across a “stateless distributed environment.” Importantly, the controls framework should address network, platform, and infrastructure; user and data security; and core application security.
Network, Platform, And Infrastructure
“Security by design” enables cloud developers and security teams to build guardrails into the infrastructure itself, establishing agile and secure processes. Therefore, before developers gain access to the cloud environment, the CIO and team should consider the leading approach to secure the network. It might be to embed guardrails into the cloud platform itself with “security by design” IT infrastructure, or to put in place restrictive “security by design” IT processes (e.g., authorized users responsible for reviewing infrastructure and source code before pushing to production). Industry-leading practices are moving away from perimeter-based security toward zero-trust network security architectures, which enable more modular developer environments, as well as microsegmentation to allow for varying levels of infrastructure access and controls across the network, identity access, and applications.
As an example of the infrastructure approach, one asset management organization moved from private to public cloud and embedded hundreds of controls into the cloud platform at the code level before giving developers administrative access. These controls served as guardrails, resulting in the successful creation of a safe and compliant development environment.
Alternatively, taking the process approach, another financial services organization removed or highly restricted developer keys to shift access and processes for code deployment. This prompted a major cultural shift for developers who previously had been able to push application changes live more autonomously; the privilege was now restricted to a small group. To reinforce the new protocol, the organization monitored for behaviors that deviated from the new controls process. One common scenario was a developer, now unauthorized to push live updates, using a virtual machine to bypass the privileged-access management tooling, thereby potentially creating an exposed port. To address this risk, the organization implemented a security orchestration, automation, and response (SOAR) solution, enabling the company to collect security operations data; built a business case to detect security configuration changes; and orchestrated a custom workflow for reviewing them. This gave the firm the required visibility for proactive network monitoring and the ability to close open ports.
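The detection step in the scenario above (flag security-group changes made outside the privileged-access workflow or opening a port to the internet, and hand the SOAR workflow the parameters needed to revoke the rule) as an added example, not code from the article or the organization it describes. It assumes a simplified CloudTrail-style JSON event shape; the account id, role names, security-group ids and log lines are all constructed for the example.

```python
"""Detect security-group ingress changes that bypass the approved change process or
expose ports to the internet. Event shape is a simplified, constructed CloudTrail-style
JSON; role names, account id and group ids are hypothetical."""
import ipaddress
import json
from dataclasses import dataclass, field

# Hypothetical: only the PAM deploy broker role may change production network rules.
APPROVED_ROLE_NAMES = {"pam-deploy-broker"}
PRODUCTION_ACCOUNTS = {"111111111111"}          # constructed account id
HIGH_RISK_PORTS = {22, 3389, 3306, 5432}         # admin and database listeners


@dataclass
class Finding:
    event_id: str
    actor: str
    group_id: str
    reason: str
    severity: str
    revoke: dict = field(default_factory=dict)   # parameters a revoke call would need


def _ingress_rules(params):
    """Yield (cidr, from_port, to_port, protocol) for each rule in the request."""
    for perm in params.get("ipPermissions", {}).get("items", []):
        proto = perm.get("ipProtocol", "-1")
        fp, tp = perm.get("fromPort", 0), perm.get("toPort", 65535)
        for r in perm.get("ipRanges", {}).get("items", []):
            yield r["cidrIp"], fp, tp, proto
        for r in perm.get("ipv6Ranges", {}).get("items", []):
            yield r["cidrIpv6"], fp, tp, proto


def _is_world_open(cidr):
    """True for 0.0.0.0/0 or ::/0, i.e. ingress from any address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def _actor_approved(arn):
    """Assumed-role ARNs look like ...:assumed-role/<RoleName>/<Session>."""
    parts = arn.split("/")
    return len(parts) >= 2 and "assumed-role" in parts[0] and parts[1] in APPROVED_ROLE_NAMES


def analyze_event(ev):
    """Return findings for one event; an empty list means nothing to review."""
    findings = []
    # Only successful AuthorizeSecurityGroupIngress calls change the environment.
    if ev.get("eventName") != "AuthorizeSecurityGroupIngress" or ev.get("errorCode"):
        return findings
    actor = ev["userIdentity"]["arn"]
    params = ev["requestParameters"]
    group, eid = params["groupId"], ev["eventID"]
    if ev["recipientAccountId"] in PRODUCTION_ACCOUNTS and not _actor_approved(actor):
        findings.append(Finding(eid, actor, group,
                                "production rule change outside the privileged-access workflow",
                                "high"))
    for cidr, fp, tp, proto in _ingress_rules(params):
        if not _is_world_open(cidr):
            continue
        risky = any(fp <= p <= tp for p in HIGH_RISK_PORTS)
        findings.append(Finding(
            eid, actor, group,
            f"ingress from any address ({cidr}) on {proto} {fp}-{tp}",
            "critical" if risky else "medium",
            revoke={"GroupId": group, "IpProtocol": proto, "FromPort": fp, "ToPort": tp,
                    ("CidrIpv6" if ":" in cidr else "CidrIp"): cidr}))
    return findings


def triage(log_lines):
    """Parse newline-delimited JSON events and return all findings, worst first."""
    order = {"critical": 0, "high": 1, "medium": 2}
    found = []
    for line in log_lines:
        if line.strip():
            found.extend(analyze_event(json.loads(line)))
    return sorted(found, key=lambda f: order[f.severity])


def _sample_event(eid, role, group, cidr, fp, tp, error=None):
    """Build one constructed event in the simplified shape the functions above expect."""
    rng, key = ("ipv6Ranges", "cidrIpv6") if ":" in cidr else ("ipRanges", "cidrIp")
    ev = {"eventID": eid, "eventName": "AuthorizeSecurityGroupIngress",
          "recipientAccountId": "111111111111",
          "userIdentity": {"arn": f"arn:aws:sts::111111111111:assumed-role/{role}/session1"},
          "requestParameters": {"groupId": group, "ipPermissions": {"items": [
              {"ipProtocol": "tcp", "fromPort": fp, "toPort": tp,
               rng: {"items": [{key: cidr}]}}]}}}
    if error:
        ev["errorCode"] = error
    return json.dumps(ev)


SAMPLE_LOG = [  # constructed log lines
    _sample_event("e1", "dev-jumpbox-vm", "sg-0prod01", "0.0.0.0/0", 22, 22),   # bypass + SSH to world
    _sample_event("e2", "pam-deploy-broker", "sg-0prod02", "10.0.0.0/8", 443, 443),  # approved, internal
    _sample_event("e3", "dev-jumpbox-vm", "sg-0prod03", "0.0.0.0/0", 3389, 3389,
                  error="Client.UnauthorizedOperation"),                         # denied, no state change
    _sample_event("e4", "pam-deploy-broker", "sg-0prod04", "::/0", 443, 443),   # approved but world-open
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.severity, f.event_id, f.reason, f.revoke)
```

The `revoke` dictionary is shaped so the review workflow can pass it straight to whatever revoke step the organization approves; the example itself only reports and never changes any rule.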
User And Data Security
Cloud migration often requires a new approach to identity. While previously physical credentials (e.g., building access) were acceptable authorization, in a distributed system that can be accessed anywhere, user-level access credentials and key management may be required. Identity access management protocols can be fed into a modularized identity platform with user-level access requirements. A focus on data protection, privacy, resilience, and regulations can guide data access rights and user privileges. Executives should plan on balancing legal minimum requirements for encryption against too much encryption, which may slow down applications.
Core Application Security
Before moving data or workloads to the cloud, the cloud and cyber teams should determine that the following minimum controls are in place:
- Workload Protection: set base guardrails and minimum configurations to protect deployment. For instance, an organization may have preset templates for function-based or container-based applications.
- Secure Landing Zone: establish a secure environment covering account structures, security rules, and other foundational services, based on the operating model. For example, many organizations establish a public subnet and a private subnet as a public-facing landing zone versus a private virtual network for corporate users.
- Secure By Design/DevSecOps: follow security by design and DevSecOps principles as discussed with the operating model recommendations.
- Segmentation And Zero Trust: employ network segmentation and zero-trust protocols. For example, the organization can restrict full administrative access to the application to only the senior-most developers with stricter security credentials and training, using containers for tiered access segmentation.
- Attack Surface Management: manage the vulnerability landscape with tailored services to enhance vulnerability and attack surface programs. Organizations can focus on identifying and assessing cloud assets through their life cycle and across different architecture layers. As an example, smart factories can think through data flows across cloud and edge tiers to ensure security is in place across the ecosystem.
Risk Management Considerations For The Cloud Cyber Program
Cloud migration can reduce certain infrastructure security risks managed on-premises, with encryption, logging, private networking, monitoring, DDoS protection, automated patches, and other elements built into the cloud environment. However, many migrated systems and applications were not designed to operate online. To avoid disappointment on this front, before the cloud migration begins, organizations can conduct a cyber risk maturity assessment to understand specific technology, regulatory, and insider and supply chain risks as well as recommended remediations.
While some of these may be new territory for a cloud migration team, organizations face a number of potential technology risks to mitigate as part of their cloud cyber programs, and an integrated cloud cyber team can help create a more secure, agile, and trustworthy outcome.
Understanding technology risks can be critical – and potentially surprising for organizations that believe their systems to be well protected. One financial institution, for example, conducted a routine scan that found its technology stack had more than 100,000 built-in vulnerabilities, posing a high security threat and requiring immediate remediation at the application, database, middleware, and code levels. This risk, in part, prompted the cloud migration and is an example of the legacy on-premises platform and applications risk noted in figure 1. Had the cloud migration team opted to lift and shift the infrastructure without first understanding these vulnerabilities, the organization could have shifted certain risks to the cloud.
In another example, a consumer goods organization running an outdated operating system had its data center taken over by ransomware when a software patch in the development environment went into production. Legacy security vulnerabilities that may have been somewhat protected by firewalls or perimeter security became exposed when moved to the cloud and weren’t remediated. Had the organization had better orchestration across the cloud and cyber teams, with proper controls in place, this type of incident – which can significantly erode consumer trust – might have been avoided.
Managing technology risk requires a balance of understanding the existing and future technology at its core – a strength of the cloud migration team – and advising on how best to mitigate the vulnerabilities with a security approach rooted in leading practices across the four risk categories, before the migration occurs and even before the cloud vendor is selected.
When assessing their cloud vendor and before migrating data or workloads, organizations should bring together cloud and cybersecurity teams to consider four essential regulatory compliance requirements that will likely impact downstream data workflows and system configuration, including global and regional data governance regulations, industry-based frameworks, and broader technology standards, as well as US government-specific regulations.
A large global multinational organization doing work in the public and private sectors may have to contend with a larger number of data and technology regulations, while a smaller organization may still need to consider some combination of data, industry-specific, and regional regulations while devising its cloud data strategy and subsequent risk controls. However, even “smaller organizations” can still be subject to broader regulations across borders due to globalization of data.
A regulatory risk requirement review performed by a collaborative cloud and cyber team can enhance understanding of existing data frameworks, relevant risks, and required technology specifications to improve cloud vendor selection, SLA negotiations, and contracting.
Insider And Supply Chain Risk
Finally, a cloud cyber risk program should consider insider threats and the organization’s supply chain as specific threat vectors, to balance security and trust inside and outside the organization and to avoid potential data leaks and spillage. Cloud migration activity can collide with insider risk through sharing of credentialed access or creation of an open network access point. Cloud access security brokers that monitor for data loss and enforce controls across a multi-cloud environment are on the rise. They can help organizations better manage internal threats and monitor for data loss prevention, which about 75% of organizations indicate is an important element of cloud security.
Managing cyber risk requires organizations to look inward and outward at different insider risks and potential points of vulnerability across their supply chains. This can be achieved by an integrated cloud and cyber team, with visibility and transparency, communication, and collaboration and execution of an integrated compliance program (and tooling) across the supply chain. For more on this topic, see Deloitte Consulting LLP’s Looking beyond the horizon: Preparing today’s supply chains to thrive in uncertainty.
Cloud Program Scenarios
Finally, the type of cloud program itself will impact the operating model and subsequent program. The following graphic details four common cloud program scenarios and high-, medium-, and low-complexity considerations for the integrated cloud and cyber team.
Conclusion: Getting Started
Cloud developers can’t be expected to become security specialists overnight, or to stay on top of the evolving threat landscape. They can, however, embrace working on integrated cloud and cyber teams that bring target operating model, shift-left mentality, microservices, risk, control, and compliance experience to bear during integral points in the cloud migration life cycle and with “security by design” principles. For these teams, here are a few parting thoughts to consider that can help guide the cloud modernization and migration journey, bolster business and technology resilience, enhance security, and reinforce customer trust:
- Develop a modernization operating model that brings together innovative new approaches and technologies. Include new talent models, DevSecOps, and microservices and consider precontracting responsibilities and breakdown of roles and responsibilities across a shared responsibility model. A cloud provider’s investment in security may be better than your security at present.
- Develop a controls framework that allows you to lever up with a more integrated cloud and cyber approach. The process of migration provides an opportunity and necessity to rethink security models, tools, and capabilities. The cloud controls framework should start with an understanding of the data requirements and encompass user/identity level, network/infrastructure/application, and core application controls. Organizations can conduct a risk assessment across their technology, regulatory, and cyber environment; implement the appropriate controls to fill gaps and remediate those risks; and migrate workloads to secure cloud landing zones.
- Manage compliance with innovative approaches. There continues to be new and innovative processes and approaches available to automate and ease the burden of modern compliance monitoring. Stay informed of the latest tools and processes.
By bringing together each of these components through a cloud migration CoE that includes an integrated team of cross-skilled cloud and cyber professionals, organizations can be better positioned to address the need for a broad “life cycle” to prioritize security risk levels and mitigate those risks with the proper governance, risk management, and compliance across these security components. Ultimately, the cloud migration provides an opportunity for not just greater business and technology resilience but also potentially improved security and enhanced consumer trust.
Appendix: Integrated Cloud Cyber Strategies Drive Greater Business And Technology Resilience
originally posted on deloitte.com by Deborah Golden, Vikram Kunchala, Bhavin Barot, Amod Bavare, Ritesh Bagayat, Diana Kearns-Manolatos and Jay Parekh
Deborah Golden: Principal | Deloitte Risk & Financial Advisory
Deborah Golden, a principal at Deloitte & Touche LLP, is the US Cyber & Strategic Risk leader for Deloitte Risk & Financial Advisory. She has more than 25 years of cross-industry experience, focused predominantly within government, life sciences and health care, and financial services industries. Golden primarily helps commercial organizations and government agencies navigate multifaceted cyber problems and transform business or mission strategies and operations. Recognizing the ubiquitous, sophisticated nature of cyber, she uses a values-driven approach to help clients align cybersecurity imperatives with cyber risk and strategic business priorities to strengthen cyber resilience.
Vikram Kunchala: Principal | Deloitte & Touche LLP’s Cyber Risk Services Practice
Vikram is a principal in Deloitte & Touche LLP’s Cyber Risk Services practice and is the US Application Security solution leader. Vikram has over 21 years of experience in design and implementation of cyber security solutions and cyber risk management programs. His areas of expertise include Application Security, Identity and Access Management, and Cyber Threat and Vulnerability Management. He has extensive experience in helping technical and business organizations achieve strategic and tactical objectives. Vikram has successfully managed and led teams to deploy enterprise security solutions at Global 2000 corporations. Vikram helped drive customer strategy and vision by combining business acumen and technical skills with strong leadership and keen understanding of business processes, solutions and change management. Experience also includes work in e-commerce, systems management software, and various aspects of the supply chain market space, with a strong background in Middleware. Industry background includes Consumer, Energy and Resources and Telecommunications.
Bhavin Barot: Principal | Deloitte Advisory’s Cyber Practice
Bhavin Barot is a principal in Deloitte Advisory’s Cyber practice with over twenty years of experience in assisting clients enhance their cyber program, meet security standards, and maintain continuous compliance. His focus is on application security, business process controls, and information technology controls design & implementation. He has led numerous strategic project initiatives encompassing IT security and risk management strategy, governance, cybersecurity, identity management, technology and organizational resiliency, and service management in addition to several large global risk and security transformation projects.
Amod Bavare: Principal | Application Modernization & Migration GTM Leader
Amod Bavare is a principal with Deloitte Consulting LLP and leads the go-to-market for the Application Modernization & Migration practice within the Application Modernization & Innovation offering. With more than 27 years of IT industry experience, Amod specializes in renovating architecture and migrating complex enterprise applications to the cloud, essentially helping to create value by modernizing clients’ legacy systems. His ability to lead organizations through digital transformation journeys is the reason he emerged as a leader in application modernization. Application Modernization & Migration solves business & financial challenges with its holistic multi-solution modernization and migration approach. Deep insight combined with pod-based delivery leveraging cloud technologies enables an accelerated, highly automated, low-risk approach for all technology.
Ritesh Bagayat: Senior Manager | Deloitte Advisory’s Cyber Practice
Ritesh Bagayat is a senior manager in Deloitte Advisory’s Cyber practice, where he draws on experience in risk consulting, cloud technology, and database administration on high-impact business applications to advise clients. He holds a bachelor’s degree in Mechanical Engineering from the National Institute of Technology, Calicut and a master’s degree in Management Information Systems from Texas A&M University’s Mays Business School, and is CISA and CISSP certified.
Diana Kearns-Manolatos: Senior Manager | Deloitte Center For Integrated Research
Diana Kearns-Manolatos is a senior manager in the Deloitte Center for Integrated Research, where she analyzes market shifts and emerging trends across industries. Her research focuses on cloud and the future of workforce. Additionally, Kearns-Manolatos draws on almost 15 years of award-winning marketing communications expertise to align insights with business strategy. She speaks on technology and women in leadership and holds bachelor’s and master’s degrees from Fordham University.
Jay Parekh: Senior Analyst | Deloitte Center For Integrated Research
Jay Parekh is a senior analyst with the Deloitte Center for Integrated Research. He has over six years of experience in research and analysis focused on emerging technologies and digital innovations related to cloud computing, augmented & virtual reality, the Internet of Things (IoT), and other advanced technologies. He also focuses on developing Deloitte’s perspectives on cross-industry topics such as climate change and sustainability. He specializes in applying quantitative and qualitative research techniques to enable data-driven insights.