Advice from a CISO: It’s time to stop fearing cloud security
Blog: Capgemini CTO Blog
CISOs are the business leaders everyone is talking about. But what do they have to say? Mike Turner is Chief Information Security Officer at Capgemini and shares his views.
Businesses are reveling in the benefits of the cloud. Mobile services have enabled greater responsiveness to customer need. DevOps is enabling agility, giving developers sharper tools and IT operations the means to deploy them quickly. But for every application, there must be a security solution to match, and many IT departments are struggling to keep up.
The challenge with cloud security is that most cloud set-ups operate under “shared responsibility”, where the provider is responsible for the security of its cloud, while companies are responsible for defining controls in it, from encrypting databases and setting up firewalls to patching operating systems. But as the need for faster deployment grows, this arrangement can seem like a burden.
The first concern CISOs have is that the task of securing and encrypting data will grow increasingly complex. The second concern is that security tools will constrain the business, an undesirable outcome for cloud-native businesses that need to move quickly. However, this second concern need not become a reality. It’s entirely possible for organizations to deploy integrated security solutions that satisfy regulators without constraining the business. In fact, with the right automation tools, businesses can not only develop applications quickly and securely, they can also differentiate the business.
Automating cloud security is highly desirable. Deploying automated security blueprints from the outset ensures security processes are built into the DevOps process. This frees up developers to worry about application usability, which enhances employee and customer experience. Quality of development can be impacted more directly, too. Refining identity access management processes, for example, removes frustration for both customers and employees, building trust.
Using automated blueprints means, by definition, that the security implications must be considered before the service is deployed. This not only means avoiding the technical complexity of retrospectively architected solutions, it also means better security, built from the ground up: security by design. Automation blueprints are therefore a forcing function, balancing an organization’s security requirements against the cultural challenge of integrating security into day-to-day deployment. Ultimately, compliance improves, because the requirement to make decisions about how to secure an application is removed.
I’ve debunked five common myths around cloud security, to show how your business can take advantage of the opportunities, and not be held back by fear and uncertainty:
Myth 1: Security imposes constraints and slows down application development.
Reality: When you embed cloud security into the design of an application, it is a powerful differentiator for the business, enhancing app usability and building user trust. Using blueprints to automate security controls enables speed and accuracy, ensuring security matches business agility.
Myth 2: Security is an add-on.
Reality: Security is fundamental. Organizations shouldn’t build anything without first considering the security implications of doing so. Developers must balance new applications in the transformation to public cloud with security processes that match those changes, built from the ground up.
Myth 3: The cloud provider is responsible for security breaches.
Reality: The public cloud provider is responsible for the security of the cloud. The cloud user is responsible for the security of their data and for defining controls in the cloud. This includes encryption, network security and identity access management.
Myth 4: Public cloud introduces greater risk.
Reality: Public cloud is an opportunity to strengthen your security, due to the many crowdsourced solutions developed for other customers, and the efficiency of security blueprints, which balance an organization’s security requirements against the cultural challenge of integrating security into day-to-day deployment.
Myth 5: In the age of DevOps the burden of security is shared between developers and IT admin.
Reality: This is only partly true. The developer’s job is to develop. That doesn’t mean they can forget about security. In fact, developers must work hand in hand with operations to understand how to integrate security into app design. But automation means developers can more easily focus on usability of the service, enhancing customer and employee experience.
First published in IDGConnect