Start off with these five basic concepts to improve the outcomes of your cloud security program.

Organizations undertaking the massive move to cloud face a blizzard of sometimes confusing buzzwords. There’s hybrid cloud, multicloud, digital transformation, microservices and so much more. While these terms can be confusing, the key element to keep in mind is that security should be an inherent part of business-level strategy and discussion for any successful cloud migration.

The importance of addressing key security and compliance needs weighs heavily on many organizations, as only 42 percent of respondents in one survey believe they have effective cloud security. [1] And it’s a very valid concern, as an estimated 990 million cloud servers are misconfigured. [2]

In addition to cloud misconfigurations, some of the most top-of-mind hybrid multicloud concerns include the following:

  • Establishment of a cloud-ready security strategy
  • Lack of experience and expertise coupled with growing skill requirements
  • Need to address compliance requirements
  • Centralized visibility and threat management
  • An overload of new tools and technologies
  • Maintaining security policies across the private/public landscape

Having so many issues to consider at once can be difficult to address effectively. To save time and become more productive, start off with these five basic concepts that should improve the outcomes of your cloud security program.

1. Cloud governance and strategy

At the heart of every successful cloud security program is a well-defined strategy. This means including the following criteria:

  • Establishing a security baseline for your cloud environments
  • Understanding where and what your critical data is, and who has access to it
  • Defining your security, compliance and industry or regulatory requirements
  • Rationalizing on the right set of controls to meet these requirements
  • Building a target state and roadmap from which to execute

2. Cloud native security

You may, at some point, consider whether the native security controls from your cloud service provider (CSP) are adequate to manage security for your environment. CSPs have varying sets of security controls built into their cloud platforms. These can provide many advantages, including fewer third-party licenses to manage, flexible consumption, ease of integration and more.

However, a cloud native security approach doesn’t come without some considerations:

  • Do the native controls have the right level of maturity and provide the right level of visibility to meet your compliance requirements?
  • Which cloud native controls make the most sense for your hybrid multicloud environment?
  • Do you have the right skills to manage a new and rapidly growing set of security technologies?
  • How do you properly design, implement and configure these controls and integrate them into the rest of your security operations?
  • What do you do with all this new cloud security data and telemetry, and what decisions or actions can you take from it?

Once you’ve rationalized the native security controls that are right for you, managing those controls effectively requires first ensuring that the architecture and policies configured within them support your business and regulatory requirements. You should also have a strong governance layer that lets you understand your cloud native telemetry and alerts and turn them into actionable, prioritized decisions.

3. Cloud security posture management

Having the right configuration and continuous compliance of your cloud environments is vital for your security program, but complex to oversee. You may have multiple teams or lines of business using your cloud services and migrating applications while having to comply constantly with global standards from organizations like the Center for Internet Security (CIS). Complicating your situation is an inability to get cloud context and correlation fast enough to help in detecting and responding to security threats.

Use cloud security posture management to address these complications and achieve the following goals:

  • Monitor a real-time cloud asset inventory continuously for compliance and audit purposes, and report against regulatory requirements
  • Prevent breaches through agile detection of and response to cloud misconfiguration
  • Continuously harden the security and compliance posture
  • Embed security insights and automation for cloud anomalies
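The continuous-compliance loop described above, reduced to its core: evaluate an asset inventory against CIS-style baseline rules, then report only what has drifted since the last scan. This is an added example, not code from the original post or from any IBM product; the inventory records, rule names and severities are all constructed.

```python
"""CSPM-style check: evaluate a cloud asset inventory against baseline
rules modelled on CIS benchmark wording, and report drift between scans.
Added example; the inventory below is constructed, not from a real account."""
from dataclasses import dataclass

# Constructed inventory snapshot, shaped like what a CSPM tool pulls from a
# provider API. These assets are hypothetical.
INVENTORY = [
    {"id": "sg-web", "type": "security_group",
     "ingress": [{"port": 443, "cidr": "0.0.0.0/0"},
                 {"port": 22, "cidr": "0.0.0.0/0"}]},
    {"id": "sg-db", "type": "security_group",
     "ingress": [{"port": 5432, "cidr": "10.0.0.0/8"}]},
    {"id": "bkt-logs", "type": "object_storage", "public": False, "encrypted": True},
    {"id": "bkt-exports", "type": "object_storage", "public": True, "encrypted": False},
]

@dataclass(frozen=True)
class Finding:
    asset_id: str
    rule: str
    severity: str

# (rule id, asset type it applies to, severity, predicate that must hold)
RULES = [
    ("no-admin-ports-from-internet", "security_group", "high",
     lambda a: not any(r["port"] in (22, 3389) and r["cidr"] == "0.0.0.0/0"
                       for r in a["ingress"])),
    ("no-public-buckets", "object_storage", "high", lambda a: not a["public"]),
    ("bucket-encryption-at-rest", "object_storage", "medium", lambda a: a["encrypted"]),
]

def evaluate(inventory):
    """Return one Finding per (asset, rule) pair whose predicate fails."""
    return [Finding(a["id"], rid, sev)
            for a in inventory
            for rid, atype, sev, holds in RULES
            if a["type"] == atype and not holds(a)]

def drift(previous, current):
    """Findings present in the current scan but not the previous one."""
    seen = {(f.asset_id, f.rule) for f in previous}
    return [f for f in current if (f.asset_id, f.rule) not in seen]

if __name__ == "__main__":
    for f in evaluate(INVENTORY):
        print(f"{f.severity:6} {f.asset_id:12} {f.rule}")
```

Feeding each scan's findings back in as `previous` is what turns a point-in-time audit into the continuous monitoring the section calls for.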

4. Cloud workload and container security

Your application container environment may face security complexity and visibility challenges, limited testing time during rapid scaling and delivery, increased traffic and the threat of container compromise. Each of the following phases of the container lifecycle is an attack surface that can serve as a threat vector:

  • Image creation, testing and accreditation
  • Registry for image storage
  • Orchestrator for retrieval
  • Container for deployment
  • Host operating system for management
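Checks that map onto the lifecycle phases listed above, written as the kind of admission-time policy an orchestrator could enforce: image and registry (provenance and digest pinning), orchestrator (privileges granted to the container) and host (namespace sharing). This is an added example, not code from the original post or from OpenShift, Kubernetes or Docker; the Pod manifest and the trusted-registry list are constructed.

```python
"""Per-phase container checks over a Pod manifest. Added example; the
manifest below is constructed and TRUSTED_REGISTRIES is a hypothetical
policy value, not a real cluster setting."""
TRUSTED_REGISTRIES = ("registry.example.internal/",)  # hypothetical allow-list

# Constructed Pod manifest, shaped like a Kubernetes Pod but not from any cluster.
POD = {
    "metadata": {"name": "payments-api"},
    "spec": {
        "hostNetwork": True,
        "containers": [
            {"name": "api",
             "image": "registry.example.internal/payments@sha256:" + "a" * 64,
             "securityContext": {"privileged": False, "runAsNonRoot": True}},
            {"name": "sidecar",
             "image": "docker.io/library/busybox:latest",
             "securityContext": {"privileged": True}},
        ],
    },
}

def image_checks(c):
    """Image creation/registry phases: provenance and immutability."""
    img, out = c["image"], []
    if not img.startswith(TRUSTED_REGISTRIES):
        out.append(("registry", f"{c['name']}: image not from a trusted registry"))
    if "@sha256:" not in img:  # a tag can be re-pushed; a digest cannot
        out.append(("image", f"{c['name']}: image not pinned by digest"))
    return out

def orchestrator_checks(c):
    """Orchestrator/container phases: privileges granted at scheduling time."""
    sc, out = c.get("securityContext", {}), []
    if sc.get("privileged"):
        out.append(("orchestrator", f"{c['name']}: privileged container"))
    if not sc.get("runAsNonRoot"):
        out.append(("orchestrator", f"{c['name']}: may run as root"))
    return out

def host_checks(spec):
    """Host OS phase: sharing a host namespace weakens isolation."""
    return [("host", f"{k} shares a host namespace")
            for k in ("hostNetwork", "hostPID", "hostIPC") if spec.get(k)]

def evaluate_pod(pod):
    """Return (phase, message) violations; an admission webhook would reject on any."""
    spec = pod["spec"]
    violations = host_checks(spec)
    for c in spec["containers"]:
        violations += image_checks(c) + orchestrator_checks(c)
    return violations
```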

Fortunately, container workloads can be secured across a hybrid multicloud environment. Following a thorough assessment and strategy, you need to consider integration services, design and implementation, as well as ongoing management, for every phase of your container lifecycle. When those capabilities are in place, you gain the following benefits for Red Hat OpenShift, Kubernetes, Docker and other container platforms:

  • Augmented security posture on existing cloud container services
  • Managed security services spread across hybrid cloud environments
  • Help to achieve compliance mandates on container environments
  • Single pane of glass to manage all security functionalities

5. DevSecOps and application security

Development teams focus primarily on producing new applications and functionality for consumers as quickly as possible. Operations teams work on ensuring a responsive and stable system. To meet the increasing demand in the cloud for rapid innovation, development and operations were integrated as DevOps to foster collaboration and to balance speed of development with quality.

Security strives to make sure that those rapid, high-quality deployments are free of vulnerabilities and comply with regulatory and corporate requirements.

To most effectively meet the critical objectives of these three teams, consider a culture shift to DevSecOps methodologies. DevSecOps is the consolidated set of practices that represents a combination of culture, process and technology for its practitioners.

By adding DevSecOps and secure development practices to your workloads, you can benefit from the following:

  • A culture with an agile, lean and continuous feedback mindset that aligns with security strategy, risk, governance and compliance
  • Automation for every process everywhere for speed, reliability and security, all while using modern tools
  • More opportunities to encourage innovation as the feedback loop and collaboration leads to increasing autonomy and secure deployments

How to get these must-haves

IBM Security Services is ready to help you learn more about these cloud security solutions and incorporate them into your enterprise as you make the journey to the cloud. Register for a webinar on how to “Accelerate your digital transformation with modern cloud security” on April 1, 2021.

The right approach can help you reimagine and modernize hybrid multicloud security.

This post was originally published on Security Intelligence.

[1] Institute for Business Value Cloud Security Study 2021, IBM, 2021.

[2] X-Force Threat Intelligence Index 2019, IBM, 2019.
