Cloud Migrations Accelerate as Permanent WFH Begins, Opening Organizations Up to Cyber Risk and Demanding Robust Cloud Risk and Compliance

By Padraic O'Reilly

Enterprises are migrating their workloads to the cloud at rapid rates, especially since the COVID-19 pandemic hit. According to Gartner, by 2023, 40% of all enterprise workloads will be deployed in cloud infrastructure and platform services, up from 20% in 2020, whether on public cloud or otherwise. Once remote work fully hit, organizations realized that cloud migration was no longer driven solely by IT. The drivers moved beyond information technology and crossed into business enablement and, for some, survival. Business leaders recognized the value of moving to the cloud: to increase market share, deliver digital products with speed, improve service quality and velocity, and lower the total cost of ownership (TCO) across assets, especially in forward-looking industries. Facebook, Microsoft, and Salesforce are just a few of the technology companies that have announced more permanent work-from-home policies.

As this wave of work-from-home becomes business-as-usual and organizations begin to settle into their 'new normal,' the operational and logistical challenges of cloud migration are being handled more efficiently. Still, new challenges may arise that bring more risk to these organizations, imperiling the value of cloud migration if ignored. A very big risk is cybersecurity. Meeting regulatory compliance and managing cyber risk is one of the top challenges facing those who are migrating their workloads to the cloud.

Why is Meeting Cloud Risk and Compliance So Difficult?

Although many cloud providers and consulting organizations have a global network of compliance teams that provide services and implement shared responsibility models, monitoring and meeting security and compliance controls that span people, processes, and technology within cloud environments is a complex project. Cloud strategies must also manage potential risks in the context of the enterprise cybersecurity program as a whole. This is a challenge mainly because of visibility and accuracy. The point solutions that currently support most cloud instances don't elevate the posture of cloud environments to that of the enterprise risk posture. Metrics are fractured and far from holistic, and very few solutions, if any, can provide insight into risk management.

Security implications are amplified in the cloud, as are compliance and regulatory requirements. As the speed and number of cloud migrations increase, there are some innovations that address risk management and compliance in the cloud, but not many. Cloud providers will continue to mature and bring new innovations to their services, but to date there hasn't been a lot of anticipatory work done in this area. The focus has largely been on creating solutions in response. In addition, many distributed organizations opt to have multiple cloud providers in place, requiring a multi-cloud approach to compliance requirements and risk assessment. In highly regulated countries, the challenges only become greater. Measuring, managing, and reporting on compliance frameworks, making the shared responsibility model actionable, and getting a view into risk are all serious challenges.

IT and security regulations and standards are filled with requirements that were created before the cloud became a commodity. In the energy sector, for example, cloud security isn't taken into account because regulators and industry leaders couldn't fathom cloud platforms becoming as pervasive as they have, since on-premises deployment was the industry standard. On-premises installations are still a mainstay in energy, power, and utilities, and for those who have recently become more comfortable with cloud migration, there is a clear and pressing need to leverage their human capital, processes, and technologies to implement robust risk management practices.

AI Automation Resulting in Data Accuracy and Visibility is the Path to Risk and Compliance Success in the Cloud

There is a shift occurring in cyber and IT risk management. For years, data has been aggregated manually and analyses performed on out-of-date information. The first three functions of the NIST Cybersecurity Framework - Identify, Protect, and Detect - have lagged behind the last two functions, Respond and Recover. With the increasing availability of automation, these functions are becoming more continuous in nature and shifting into a real-time approach to risk management. Doing this work in the cloud is no exception, but it must go beyond the capabilities of cloud security posture management solutions and similar markets.

There are two major benefits to organizations when they bolster their risk management strategy for the cloud: accuracy and timeliness of data, and visibility into enterprise security posture. Data accuracy is achieved by ingesting data live via integrations, whether from configuration management, vulnerability management, IAM, asset discovery, or inventory, all while operationalizing the shared responsibility model. Companies can choose to pull data in at a set cadence on a per-asset basis. Some companies automate telemetry and visualize compliance or map to privacy and regulatory standards such as the General Data Protection Regulation (GDPR), the NIST CSF, and others. There is significant value in scoring controls and measuring enterprise risk with models that are driven by the organization implementing the solution, because each organization is unique. Flexibility and configuration are a must to support legacy practices and complex use cases. Business rules and tuning help to refine cascading dependencies. Achieving all of this requires advanced AI, and in CyberSaint's case, Natural Language Processing trained on vulnerability and control language.

Ultimately, the true test of this next-generation approach comes when organizations are able to roll all of this data up to risk. With risk metrics that are supported by drill-downs, trend reports, and risk profiles, executives can get the visibility they need into their posture with the most up-to-date data, informing their key business decisions. Using this next-generation approach to risk will inform global expansion, allow executives to evaluate risk across Lines of Business, and increase resilience in a cloud-based organization.

Padraic O'Reilly

Padraic O'Reilly is Chief Product Officer and Co-Founder at CyberSaint, where he leads product innovation and development. His experience as a Harvard-trained economist and IT risk and compliance consultant, and his rapid exposure to cybersecurity, led him to seek out CISOs, CIOs, and Boards of Directors at global organizations to pursue the answer to the question: how can cyber be managed, measured, and understood like any other business function? Padraic's current activity spans working directly with organizations from public agencies to private companies across the globe to understand how to measure cyber risk, especially amidst the global pandemic, which is fueling massive digital transformation projects around the world. Padraic was a key member of the group providing feedback on the NIST Cybersecurity Framework during its development, and is an expert in regulatory standards in both security and privacy, including the NIST Risk Management and NIST Privacy Frameworks. An expert in Artificial Intelligence (AI) and economic modeling, Padraic works with members of the Global 500 to research and deploy risk quantification, risk intelligence gathering, and risk reporting and communication strategies. Padraic also holds a patent entitled "System And Method for Monitoring And Grading A Cybersecurity Framework," which has inspired much of his work on cohesive IT and cyber risk management approaches.

Published Friday, February 19, 2021 7:55 AM by David Marshall