3 Critical Steps for Reducing Cloud Risk

Having a better understanding of how clouds are built, connected, and managed helps organizations mitigate risks and reduce attack surfaces.

4 Min Read
Coud computing
Source: Skorzewiak via Alamy Stock Photo

Enterprises are investing in multiple cloud solutions to fuel growth and transform legacy applications into something more universally usable. However, the path to success can be fraught with missteps and unknowns that can create excessive risk. Cloud environments are often stitched together using APIs, custom coding, and other methods that add complexity.

That growing complexity has the potential to substantially increase risk and open organizations up to cyberattacks, and complexity further increases as more services and capabilities are added, compounding risk. Having a better understanding of how clouds are built, connected, and managed helps organizations mitigate risks and reduce attack surfaces.

Establish Situational Awareness

Business management expert Peter Drucker famously wrote, "You can't manage what you don't measure," and measurement is one of the most important tools for successfully managing a complex cloud environment. Organizations must take the critical step of measuring their infrastructure by establishing an inventory of systems, applications, and users.

There are numerous ways to measure, ranging from manually performing inventory to using automated tools to help with the process. Most firms settle on a mix of both. Selecting the appropriate management and monitoring tools is challenging, especially in hybrid and multi-cloud environments. Those environments use APIs to integrate dissimilar technologies and usually have their own monitoring and management tools and multiple tools can obscure situational awareness, which creates additional risk.

Properly remediating risk requires creating a single source of truth, which means that new management and monitoring tools must be deployed. Those tools should provide a unified and centralized view of the organization’s infrastructure, while also tearing down the silos created by dissimilar tools. However, people often create a false equivalency between multiple-cloud deployments and managing multiple datacenters, which can lead to selecting the wrong tools. The tools and skillsets differ between cloud and datacenter management, which can lead to missteps that will derail implementation. Organizations may have to purchase new tools or turn to experts to integrate the tools.

Minimizing Mistakes

In the rush to deploy cloud solutions, many may overlook what may be obvious to seasoned professionals. Reducing errors means defining objectives and building plans. Those deploying to the cloud must have a clear understanding of the business case, who the stakeholders are, and the desired results.

The flexibility and speed of the cloud make it easy to overlook security leading practices. Establishing those practices requires plans that incorporate cybersecurity at the earliest possible moment. Without proper cybersecurity controls, actions such as establishing a new feature or granting access will increase the attack surfaces and the associated risk.

Simply adding external users can lead to unexpected cybersecurity issues and can expand potential attack surfaces. Case in point is when an organization grants external access to a vendor or partner. Organizations must carefully consider the overall impact of granting that access and if that third party can make unauthorized changes, or access proprietary information, as well as how those user credentials are being secured.

Leading practices include defining security policies, deploying multifactor authentication, auditing access and being aware of threat environments. Some organizations will need to train in-house staff or turn to external experts to ensure that cyber issues are addressed and resolved before they have an impact.

Building a Continuous Process

Clouds are very fluid and allow changes to be accomplished quickly. New services can often be enabled with a simple command or click of the mouse. However, that fluidity can create unexpected complexity. What's more, change can have a cascading impact that brings additional risk and complexity to cloud management.

Mitigating risk using a set-and-forget approach is no longer appropriate for securing the cloud; organizations must make risk mitigation as fluid as the cloud. What's more, developers today have the power to constantly change, update, and expand the cloud environment. Accelerated change means that organizations need to be proactive and establish controls and policies to reduce risk.

By adopting continuous processes that insert controls into the development and deployment process, organizations can inject security into the development process. However, keeping security controls up to date can be an onerous task, which ultimately reduces the velocity of enabling change. Here, automation reduces the burden associated with cybersecurity in the cloud.

There are numerous tools that automatically validate code, perform testing of new code, and identify potential problems in real-time. Those tools leverage automation so that interference with the creative process is kept to a minimum. This type of automation does not simply enhance the security of the cloud environment, it will also enhance its resiliency and uptime.

Embracing multicloud, hybrid, or public cloud solutions does not have to be a step into the unknown. Enterprises can ease the transition to the cloud and avoid unnecessary risk by implementing policies, controls, and leveraging automation at the outset of cloud adoption. Having a proper handle on managing the cloud helps when further mitigating risk. What’s more, with the proper tools in place, enterprises may be able to expose additional opportunities, which in turn can help to grow the business.

About the Authors

Randy Armknecht

Managing Director, Protiviti

Randy Armknecht is a managing director at global consulting firm Protiviti where he leads the global cloud advisory practice, which provides innovative services that enable clients to operate with confidence in their cloud environments. He has 20 years of experience in a variety of roles from developer to global architect. Armknecht is a frequent speaker on the topic of cybersecurity and cloud computing at industry events, including conferences, executive sessions and as a guest lecturer at multiple universities. He is a board member for the Arditti Center for Risk Management at DePaul University and holds an M.S. degree in computer security from the university.

John Stevenson

Managing Director, Cloud Security Lead, Protiviti

John Stevenson is managing director and cloud security lead at global consulting firm Protiviti. With over 20 years of experience, Stevenson is a seasoned and results-oriented technology executive with a distinguished career focused on developing information security and information technology programs for top global companies and government entities. Prior to joining Protiviti, he held senior leadership roles at a Big Four firm, Accenture and First American Payment Systems. Stevenson earned an executive MBA from Texas Christian University - M.J. Neeley School of Business.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights