9 Questions for IT Leaders to Ask About Cloud Cybersecurity

Rapid migration to the cloud continues, but the benefits of a cloud strategy must be balanced with cybersecurity. How can IT leaders assess their organizations’ cloud security posture?

Carrie Pallardy, Contributing Reporter

April 26, 2023

8 Min Read
Cloud security concept as a three-dimensional lock providing protection to a group of gears
Brain light via Alamy Stock

Companies are increasingly leveraging cloud-based services to do business, driven by the benefits of efficiency and scalability. But rapid cloud migration is not without its challenges. Security is paramount but a considerable concern. A 2022 survey conducted by data security company Netwrix found that improving security is a primary cloud adoption goal for 53% of organizations.

IT leaders tasked with the security of their organizations’ operations have a lot to think about. Asking these nine questions can shed some light on the gaps in cloud cybersecurity and how to start filling them.

1. Where is your organization in its cloud migration journey?

Some enterprises are further into their cloud migration journeys than others. For those just starting out, Ryan Orsi, global head of Cloud Foundational Partners for Security at cloud platform AWS, stresses the importance of building a secure foundation. “Please think about a secure foundation as a workstream in your project plans, specifically, a strategy that details the cloud-native or ISV [independent software vendor] tools to be used for security, cloud operations, developer tools, and resilience,” he says.

For companies that are further along in cloud adoption, Orsi sees “conversations quickly steering now to application resilience from the unexpected with a focus on assessing their existing application architecture, identifying any potential single point of failure, application health monitoring and incident management, and recovery plans regularly simulated.”

2. Has your organization included regulatory compliance in its cloud strategy?

Regardless of where an enterprise is in the cloud migration process, regulatory compliance is an important consideration. Cloud migration must comply with privacy regulations like the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), according to Rehan Jalil, CEO of cloud security firm Securiti. “Enterprises are concerned with adhering to the latest data protection laws, which underscore the importance of strict security measures to protect personal identifiable data,” he says.

3. Do you have visibility into your organization’s full cloud operations?

Visibility and context are two of the top challenges in cloud cybersecurity, according to Rick McElroy, principal cybersecurity strategist at cloud computing company VMware. “Who is logging in to what and when? Who is uploading private documents to public file shares? How can I follow an identity around a multi-cloud environment to determine if it is doing something malicious? Is this PowerShell script something my system administrators are using or is it part of a ransomware attack?” he asks. “These are all hard questions to answer for teams today.”

Amit Shaked, co-founder and CEO of multi-cloud data security platform Laminar, warns about the increase in unknown or “shadow data.” “Data scientists and developers can now proliferate data in just a few clicks with agile cloud services,” he explains. “As a result, it's become easier than ever before for IT and security teams to lose sight of this data.”

Bringing together teams that have historically worked in siloes can help to increase cloud visibility and teams’ ability act on security needs. “Unified data intelligence and controls address some of the biggest headaches facing today’s cloud security landscape,” Jalil explains. “By bringing together the historically disparate branches of data security, privacy, governance, and compliance, a unified framework ensures that companies can meet their obligations more effectively and efficiently.”

4. Is your cloud transformation outpacing your security strategy?

Cloud migration comes with many exciting prospects, and it can be tempting to chase innovation without considering security. But a successful cloud strategy is underpinned by security. “On top of the secure cloud foundation comes everything else -- processes, applications, and data that drive real business value for organizations,” Daniel Mellen, cloud and infrastructure cybersecurity lead at IT services and consulting company Accenture, tells InformationWeek. “Adopting a secure by design approach to the end-to-end motion of moving to and innovating in cloud is paramount to protecting businesses.”

McElroy reiterates the importance of a security-first approach. “Build in security upfront. Don’t just move insecure systems to another insecure platform. Take the time to build security into the delivery of both the IT assets and the software being deployed,” he says.

5. How can data be manipulated in cloud environments?

The sheer amount of data, much of it sensitive, available in enterprises’ multi-cloud environments is overwhelming. All that data can drive value for companies in new and exciting ways. But do IT leaders know not only where their companies’ data lies but also all the ways in which it is being used?

Mellen recommends IT and cybersecurity leaders consider how data can be manipulated and assembled in cloud environments. “Unknowingly, that data scientist might be collecting confidential and personal data elements on patients or financial clients that never had the intention of being together at the same time,” he notes. “This risk can be averted by spending the time to threat model data flow and data access patterns throughout the data lifecycle in cloud, as well as training users of cloud data on the risks and potential impacts of the data they might be manipulating.”

6. How do you balance on-premises and cloud security?

While cloud security is a top priority for IT and cybersecurity teams, many organizations also have on-premises operations to protect as well. “With data scattered across on-prem and cloud systems and infrastructures, organizations are finding more and more gaps in their privacy and security strategies,” says Jalil.

When asked about cloud and on-premises systems, 95% of respondents in the State of Cloud Data Security Report 2023 from Laminar said they believe cloud environments are different enough to require unique solutions. “On-premises solutions just can’t keep up with multi-cloud architecture’s volume, complexity, and dynamic nature,” says Laminar's Shaked.

While cloud may call for unique solutions, that doesn’t necessarily mean traditional security principles are no longer relevant. There is a common misconception that traditional security principles, such as NIST’s Cybersecurity Framework, cannot be applied to both cloud and on-premises security, according to Orsi. But he contends that using a single security framework can be helpful for internal security teams overseeing multiple environments.

Shaked describes the risks associated with a new attack surface that cannot be ignored in the cloud security realm: the innovation attack surface. “It refers to the unintentional risk that data innovators take when using data to drive digital transformation,” he details. “In contrast to the traditional attack surfaces determined by external forces, the innovation attack surface results from the massive, decentralized risk created by the smartest people in a business and our current multi-cloud world.”

Defining the risks and attack vectors related to cloud strategy has a clear benefit. “Security leaders should also take a risk-based approach to cloud security -- by better understanding the risks, security teams can focus their resources on mitigation,” explains Patrick Carter, practice director of cloud security at managed security services provider Cyderes.

8. Is your team prepared to operationalize the available security tools?

Security solutions have proliferated alongside cloud adoption, but many of those tools need the right people to be used effectively. “One of the security challenges still ongoing is around operationalizing these tools with trained staff and an ability to monitor, triage, and respond to security alerts,” Orsi points out.

Enterprises have two main ways to address this security challenge. First, organizations that are adequately staffed can invest in training and certification to enhance the skills of the people they have onboard, according to Orsi. For those organizations that are short on talent, third-party companies that manage cloud security can be the answer.

9. How much responsibility for cloud security resides with your enterprise and how much with your cloud provider?

Cloud providers are like any other vendor in an enterprise’s ecosystem; they need to be vetted to understand their role in protecting sensitive data. “Enterprises should evaluate cloud providers in the same way as any vendor in the supply chain -- review the provider’s shared services model and ensure it aligns to their support model,” Carter recommends.

Most cloud providers operate with a shared responsibility model. Orsi explains how this model works at AWS: “At AWS, security is a shared responsibility where AWS is responsible for the security ‘of’ the cloud, covering the underlying infrastructure and native services, and customers are responsible for security ‘in’ the cloud, covering any data, applications, or workloads they operate in the cloud.”

Enterprises should also evaluate cloud providers to ensure they are in compliance with data regulations, according to Jalil. He recommends companies look for cloud providers with security capabilities like encryption and masking, granular access controls, and digital sovereignty.

“Two of the best mechanisms to evaluate cloud providers’ security is to one, have explicit documentation outlining the shared responsibility model, tied to specific individuals, and define any handoffs in detail. And two, look at self and independent attestations of security functionality in things like the Cloud Security Alliance STAR registry,” says Mellen.

What to Read Next:

6 Ways Cybersecurity Can Boost Revenue

8 Secrets for Smoother Sailing During a Cloud Migration

Top 5 Cloud Cost Optimization Mistakes

About the Author(s)

Carrie Pallardy

Contributing Reporter

Carrie Pallardy is a freelance writer and editor living in Chicago. She writes and edits in a variety of industries including cybersecurity, healthcare, and personal finance.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights