A few key takeaways that are critical to protecting business outcomes for today’s modern enterprises.

As companies continue to embrace the cloud, security threats have become more advanced as the digital landscape evolves. Understanding security needs and requirements for keeping data safe is paramount. Without taking active steps to improve cloud security, organizations can face significant governance and compliance risks when managing sensitive information, regardless of where it is stored. Cloud security should be an important consideration regardless of the size of your enterprise, and cloud security solutions and best practices are a necessity when helping ensure business resilience.

As part of IBM Cloud’s partnership with the Cloud Security Alliance (CSA), I recently had the opportunity to participate as a panel member in two CSA Regional events that were designed to bring cloud cybersecurity professionals together to share case studies, lessons learned and new technologies that promote secure implementation of cloud computing. The following are key takeaways critical to protecting business outcomes for today’s modern enterprises.

Organizations need to have a comprehensive cloud strategy to be successful

More and more, institutions are adopting hybrid multicloud approaches to their IT infrastructures, driven by increased flexibility, cost reduction and improved capabilities. In the early days of cloud computing, lift-and-shift migration was seen as a viable option, but as cloud architectures and solutions have evolved, the value of migrating an application “as is” has lowered drastically. Now, lift and shift should only be used when absolutely necessary to migrate to the cloud, because it often causes long-term issues. In today’s layered and complex environments, thinking strategically in terms of a hybrid multicloud approach is a key part of digital transformation.

In a recent CSA study, only 25% of organizations said they have a hybrid multicloud approach, even though the reality is most organizations utilizing third- and fourth-party providers are already operating on some form of hybrid multicloud. Many organizations lack visibility into third-party situations; your IT teams may not be the only ones making the choice of where SaaS solutions are based due to lack of clarity around the true scope of the technology environment.

Automation is necessary to maintain security and compliance

The scalability and continual change in cloud environments mean that manual efforts are expensive and infeasible, especially for highly regulated industries like the financial sector. In order to mitigate these difficulties, organizations should look into the concept of policy-as-code to help define and automate the rules and conditions that govern IT processes.

IBM Cloud for Financial Services is an example of policy-as-code in action, providing a single framework of controls that applies across the entire ecosystem tailored to the unique requirements of the financial services industry. This includes IBM Cloud services, financial institution (FI) clients and third-party Fintechs and SaaS providers. The reference architectures have the controls built into scripts so they are automatically applied to new workloads, creating secure landing zones that reduce the potential risk of misconfigurations. FIs are also able to continuously monitor the security and compliance posture of their cloud services and partner applications and services with the IBM Cloud Security and Compliance Center. With these capabilities, IBM Cloud for Financial Services creates a standardized set of security and compliance controls that are automatically applied and monitored in real-time.

Zero trust is a key part of ensuring your data and workloads are secure in the cloud

Rapid digitization and the move to hybrid multicloud have spread users, data and resources across the globe, making it difficult to connect them quickly and securely. When dealing with on-premises data centers, there was a clear perimeter to assess and enforce the trustworthiness of connections, but this current ecosystem requires a different approach. Organizations are turning to zero trust to ensure all data and resources are inaccessible by default and can only be accessed on a limited basis and under the right circumstances.

But what exactly is zero trust? Zero trust is not a single “tool” you can buy; rather, it is a holistic approach to integrate traditionally siloed security tools to define, create and enforce fine-grained connections between the users, data and resources in today’s business environments. There are four guiding principles to keep in mind to ensure zero trust success:

1. Define trust: Understand users, data and resources to create coordinated security policies aligned with the business.
2. Verify and enforce trust: Secure the organization and grant conditional access without friction by quickly and consistently validating context and enforcing policies.
3. Rebuild trust: Resolve security violations with minimal impact to business by taking targeted actions.
4. Analyze and improve trust: Continually improve security posture by adjusting policies and practices to make faster, more informed decisions.

Enacting zero trust in your organization through the lens of these principles and tailored capabilities will help keep your users, data and resources connected securely and your business operating smoothly. 

Incident response preparedness is crucial

Although the goal is always to keep bad actors away from sensitive data and workloads, no security strategy is 100% watertight. As businesses and industries quickly modernize, the cost of security breaches and risk of attack vectors have gone up exponentially. Any organization — big or small — must be prepared to respond to possible incidents. What your security and technology teams need to do may be similar to on-prem attacks, but how they do it may be different when dealing with complex cloud environments.

Train your teams — there’s a reason that the military spends so much time and effort conducting exercises. You don’t want the first time you have to do something to be in the middle of a crisis. It is important to stress test your incident response (IR) plans to increase your cyber resilience. There are many ways organizations can approach forming IR teams and strategies, from engaging non-profits like CSA to working with IR firms like IBM’s X-Force team. Creating the right approach depends on the unique size, complexity and regulatory requirements of your organization.

Start your cloud security journey with IBM

By adhering to these key considerations into your cloud security strategy, organizations can achieve a more effective and holistic approach to cloud security, ultimately allowing greater focus on business outcomes and innovation. Industry events like these regional Cloud Security Alliance summits are excellent opportunities to get perspectives across the cybersecurity, technology and cloud disciplines and to increase our collective learning of what helps create secure, risk-managed cloud environments.  This helps enable organizations across numerous industries to accelerate their digital transformation in a secure and compliant manner. IBM has had a long-standing relationship with the Cloud Security Alliance, and we continue to prioritize the safety and security of the cloud space as capabilities and technologies evolve.

IBM Cloud provides end-to-end security capabilities and customizable solutions to help manage your data, all backed by expert support. IBM Cloud for Financial Institutions, a first-of-its-kind public cloud developed for the industry, has specific security and controls capabilities required to help clients reduce risk and accelerate cloud adoption, for even their most sensitive workloads.

For more information:

• Learn more about the Cloud Security Alliance
• Learn more about IBM Cloud for Financial Services
• Learn more about IBM Cloud Security