Oct 25, 2019 Five Steps to Cybersecurity for the Cloud-Enabled Organization
If your organization is moving to cloud, you’re not alone. In our most recent Cloud and Cybersecurity research study, we note that 2019 is “the year of cloud”. Specifically, 56% of workloads are now in cloud, versus 44% on prem, either within data centers, or in branch offices. By “in cloud”, we mean placing workloads in SaaS (27% of all workloads) or IaaS/PaaS(29% of all workloads). That’s great news for organizations seeking the agility and flexibility of cloud-based services.
It’s not such great news for cybersecurity professionals, however. We’ve also documented that a move to IaaS/PaaS in particular correlates with a 60% increase in MTTC (mean total time to contain) cybersecurity incidents. In other words, moving to cloud can be bad for your cybersecurity health.
The operative word here is “can”. Moving to cloud can be, but need not be, a negative move from a cybersecurity perspective. Cybersecurity professionals can take several organizational and procedural steps to ensure that their cybersecurity operations remain effective during a move to cloud.
Step 1: Appoint a cloud cybersecurity specialist (or team). Organizations with cloud cybersecurity specialists have 42% lower MTTCs than those without (105 minutes versus 180 minutes. Where this human (or team) should be in the org structure is a bit more murky; successful organizations (those with an MTTC of 20 minutes or less) are more likely to have this human (or team) in the cybersecurity organization, yet having the person or team within the cloud organization provides the biggest “bang for the buck” in terms of improving MTTC for less-elite organizations. The bottom line: Have one or more cloud security specialists; where they’re located organizationally is a second-order concern.
Step 2: Make sure to budget for specifically enhancing cloud cybersecurity. Organizations with a cloud cybersecurity budget see a 57% reduction in MTTC (from 210 minutes to 90 minutes.) Better still, have two budgets: Organizations with line items in both the cloud and cybersecurity budgets see a whopping 80% reduction in MTTC (from 180 to 36 minutes.)
Step 3: Have a cloud cybersecurity architecture. You’re probably getting the picture about now, but organizations with a cloud cybersecurity architecture see a 75% reduction in MTTC (from 360 to 90 minutes.) It can live either within the cloud or the cybersecurity organization (data is murky on which one is better) but the important thing is to have only a single architecture; unlike the case with budgets, more isn’t better.
Step 4: Revise your incident-response policy (IRP) to explicitly address cloud issues. Most IRPs, including those based on frameworks such as NIST, are designed with a premeses-centric point of view. For instance, the NIST IRP framework discusses “advising the server owner of an incident”, without ever explicitly acknowledging that in a PaaS environment, the “server owner” is likely to be Amazon or Microsoft. Cybersecurity professionals need to rethink how they’re responding to incidents. That includes defining when and how to engage cloud providers in the process. Which brings us to…
Step 5: Have a third-party risk management (TPRM) specialist. The presence of a TPRM specialist reduces MTTC by 50% (from 180 to 90 minutes.) The TPRM should focus specifically on how to engage with third parties (including but not limited to cloud providers) in the most efficient ways.
Obviously, people and process are only 2/3 of the equation; the other 1/3 is adopting and deploying the appropriate technology. We’ve discussed critical cloud cybersecurity technology in this webinar and will be talking more about it in this webinar. But people and process provide a great start!