Cloud Security Blog

Reimagine security and privacy in the cloud

Rishi Anand
Consulting Director, PwC Thailand

Everyone from C-suite executives to rank-and-file employees is getting on board, an increasing number of organisations are reaping the benefits of cloud computing. Not to mention that the ongoing COVID-19 pandemic and broader digital transformation initiatives are pushing the speed of adoption even faster.

Some of the benefits of cloud computing are easy scalability and higher flexibility of adding IT computing capacity, reduced cost on capital expenditure on IT and easy mobility and accessibility to computing capacity.

Even with rapid adoption, we still see concerns within multiple organisations on data security as organisations have less visibility on cloud and related responsibilities specifically when it comes to data.

The data security concern comes from issues related to data integrity, confidentiality, availability, and privacy.

We have also noticed that many organisations have concerns about data localisation and connected compliance requirements that come from certain privacy regulations. In addition, core security issues like misconfiguration, unauthorised access, insecure interfaces and insider threats are causing angst amongst early cloud adopters. 

All the above concerns are valid and can result in security breaches that may either be caused by cyber criminals or even by someone within your organisations with malicious intent or inadvertently. Any data breaches now are strictly monitored by regulatory requirements   

Now, thanks to the ability to embed security directly into the cloud, the technology's biggest roadblock has been turned into a business enabler. In short, a delivery model with organically integrated security provides organisations with a competitive advantage.

Taking responsibility for your organisation and Cloud Service Provider (CSP), based on different cloud deployment models, such as Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS), is vital to understanding who owns the risk. As many organisations are using multiple CSPs, additional governance and controls are required on top of normal security controls existing within on-premises environments.

Overall, basic principles remain the same – how to identify risk and protect your infrastructure, services and businesses from a security threat, detect a security threat at the right time, and if something untoward does happen, how to respond and recover from it?

Some of the steps to be taken are to have a risk assessment performed by third party, taking data protection measures whether data is at rest or motion like data loss prevention ion, encryption, anonymisation, have clearly defined access control, robust incident response mechanism and overall monitoring and governance to cover requirement concern on operational, technology, financial and regulatory risk.

Having said that, businesses should consider having security and privacy management on clouds that follow the standard cloud steps or frameworks and covering every aspect is key to ensuring organisations not only have security by design but also adhere to regulatory requirements. This will, in turn, help in fulfilling requirements of data privacy and providing visibility, resiliency and business benefits to organisations.

Also to highlight PwC’s Cloud control’s study, four critical steps company should take to minimise cloud risk including:

1. Incorporate cloud governance into your overall risk governance programme: With the cloud having become an essential component of business operations, it’s imperative to fold cloud governance into overall organisational risk governance. Only then can the enterprise bring its full resources to bear on securing its cloud-hosted data and applications from unauthorised access.
   

2. Plan for the worst: Being prepared for worst-case scenarios can enable an organisation to respond quickly to threats and minimise damage to the business and the bottom line. With hackers using increasingly sophisticated techniques to conduct and hide their nefarious activities, risk managers need to let their imaginations go wild and even a bit dark. “Expect the unexpected” is a great rule of thumb, and can help organisations to minimise their losses in the event of a cloud breach.
   

3. Know the impacts: A breach on the scale that the cloud affords can make for juicy news and sensational headlines, but oftentimes the impacts are minimal. So what if encrypted information was stolen, if it can’t be viewed? Knowing the real-life effects of a security incident can help your organisation avoid the damage that bad news reports can wreak on your reputation and revenues.
   

4. Focus on risks, not threats: The company’s second line defence should be able to provide independent oversight to aid in identification, mitigation, escalation and remediation of risks where appropriate.

\\Ends\\