Finding security in the cloud
When choosing a cloud security provider, enterprises will need to consider the level of data privacy and data security risk involved
Cloud computing services, where software and services are delivered over the internet instead of locally installed servers, are rapidly going mainstream.
Businesses are increasing their software-as-a-service subscriptions, while the Singapore government plans to migrate most of its IT systems to commercial cloud services within five years from 2018.
The future operating environment could well be cloud-first. Yet, the large volumes of data concentrated in cloud servers will be highly attractive to cyber criminals. While security is a top concern among cloud users, many are also turning to the cloud to address their security challenges.
Worldwide spending on cloud security solutions is growing rather than shrinking, with total spend for 2019 forecast to reach $459bn, more than double what was spent in 2017, according to a report by Gartner.
Bringing security to the masses
The rise in cloud security adoption has much to do with the growth in the maturity of cloud computing. With greater economies of scale and technological advancements in cloud services, providers are able to deliver significant cost savings, seamless and quick deployment, committed availability as well as on-demand scalability.
By comparison, on-premise solutions can often be resource-intensive, slow and outdated in their cyber security efforts, and highly inflexible due to the fixed infrastructure.
In today’s operating environment, organisations have to be prepared to simultaneously defend against multi-pronged and multi-party cyber attacks, which are evolving in sophistication, speed and accuracy. Looking back at the scale and frequency of cyber security breaches over the past two years, it is clear that it is increasingly unviable for a single organisation to defend against all potential threats.
Cloud security providers have the potential to help address the critical gaps in cyber security. Closing the intelligence gap between cyber criminals and enterprises is a continual and costly endeavour, which is best rationalised through economies of scale. There is already a skills gap in cyber security in the labour market, and concentrating limited cyber security talent in cloud security providers could help to drive the economies of scale that enterprises can then tap into.
In view of these advantages, enterprises should consider cloud solutions alongside an on-premise option to meet their cyber security needs. Particularly for small and medium enterprises with limited budgets and technological capabilities, subscribing to a cloud security solution may be the quickest and most cost-effective option.
Even as cloud technology is helping to realise cyber security inclusion, where all organisations will be able to afford and access cyber security services, the breadth and game-changing nature of cloud migration is also introducing new risks.
For users to trust that their data is secure, organisations should shift their risk management approach to build in digital trust by design. Rather than react to risks, companies need to predict and address potential concerns about emerging risks. This starts with an understanding that there is no one-size-fits-all technological solution.
Getting the right fit
When choosing a cloud security provider, enterprises will need to consider the level of data privacy and data security risk involved, given that the provider will have access to data in the organisation.
Not having a clear understanding of the service providers’ identity and access management policies could impede an enterprise in making an accurate assessment. Furthermore, organisations that deal with highly confidential data or operate in countries with stringent data privacy laws could face regulatory compliance risks.
Another challenge is the potential rigidity of cloud service providers’ service level agreements (SLAs). The standard one-size-fits-all cloud security solution may not suit an organisation’s unique needs or it may be misaligned with long-term business objectives. A poor fit could result in significant cost increases or integration roadblocks.
The technical complexities of an SLA also make it difficult for a business to understand, and even harder to assess and negotiate. Organisations need transparency and visibility of how services are delivered from and by the cloud-based security providers.
They must be prepared to do due diligence and ask key questions such as: “What is the cloud service provider ready to commit to in terms of service delivery, security and uptime? In the event that an SLA is breached, what are the penalties and compensation?”
Failure to accurately assess and strengthen the SLA could expose the enterprise to a large amount of risk that should have been shifted to the service provider.
In view of these risks and complexities, the suitability of the service provider is key to optimising returns from utilising a cloud security solution. While it may be tempting to award the contract to the lowest-cost provider, enterprises should consider using evaluation criteria that are appropriately weighted towards their strategy and goals.
Meanwhile, service providers like EY’s cyber-as-a-service team are adapting their cloud-based security service offerings in response to the diversity of business and industry needs as well as specific enterprise requirements, providing transparency, visibility and flexibility to organisations.
Krishna Balakrishnan is EY Asia-Pacific’s cyber security-as-a-service leader. The views reflected in this article do not necessarily reflect the views of the global EY organisation or its member firms.