Why your enterprise cloud transformation strategy may be stuck, and what to do about it
On-premises-only work environments are so yesterday — rigid and boxed-in, limiting in scale and scope. Business happens largely in the cloud, a world that’s amorphous, shifting and accessible anytime and from anywhere.
Freed from the old constraints, cloud-based enterprises can enjoy more flexibility, scalability and productivity than ever — at less cost. So why isn’t everyone already there?
Just 17 percent of business and tech/security executives see their organizations benefiting from cloud adoption, according to PwC’s 2021 Global Digital Trust Insights survey.
They’re the fortunate ones. A quarter told us they’re using the cloud but haven’t yet benefited, and 29 percent are just starting to move functions and operations to cloud environments. Another 29 percent haven’t even begun the process.
We see it all the time: Clients convinced of the cloud’s potential but overwhelmed by the complexities of properly securing it. Instead of moving forward with their cloud programs, they get stuck in a quagmire of questions and concerns.
The good news is that a well-thought-out, step-by-step approach to security can jump-start your stalled migration and/or modernization. It can even hasten the move so you finish faster than originally planned.
What are the challenges to cloud adoption? Here are the questions we hear most often, along with security solutions to help restart your cloud engine and put you in the fast lane.
1. What is the number-one reason why cloud transformations stall? Lack of governance.
2. What’s key to getting privacy right on the cloud? Understand what’s required throughout your enterprise.
3. Who’s responsible for securing what? The provider and you, but you’ll have to be clear on areas of responsibility and control.
4. Who’s got a stake in accelerating and securing our cloud migration/modernization? The entire C-suite — not just the CISO and the CIO.
5. How do talent issues affect you beyond the risk implications? Not being able to make the most of all the features and benefits of the cloud.
Lack of governance.
Nearly half (48%) of organizations have a multi-cloud strategy. On average, organizations use three different cloud service providers (CSPs), and 28 percent are using four or more. While using more than one cloud service provider may be necessary and even beneficial, doing so can make security seem more challenging.
Cohesive governance is key: Each CSP may have different security abilities and requirements. And frequent releases of new features and updates mean that, like the clouds in the sky, your enterprise cloud environment is continually changing.
Solution: Bring together all your enterprise security controls so you can secure them from one location, and with as much automation as possible. Here are steps:
Understand what’s required throughout your enterprise.
Seventy-five percent of organizations find it more complex to manage privacy and data protection regulations in the cloud. Previously, organizations stored and maintained information in local data centers, and so only needed to concern themselves with local requirements. The cloud allows authorized users to access your enterprise information anytime and from anywhere — a more efficient way of working.
The caveat: You must correctly configure your global security restrictions on data accessibility and storage. Without thoughtful security configuration, the cloud has no borders, and that could put your enterprise at risk of violating privacy laws in other countries.
Solution: Your chief privacy officer as well as privacy officers in all your locations should make sure that their geographical requirements are included in your overarching cloud-platform-agnostic framework. You also must make sure that your architecture includes identity and access management considerations. Some regulatory requirements may restrict who can access your organizational data.
Being familiar with privacy requirements at the county, state and national levels can help your enterprise to reduce risk and design transparent solutions that people can trust.
The provider and you, but you’ll have to be clear on areas of responsibility and control.
Of more than 3,000 IT and IT security practitioners surveyed in 2019, only one in three respondents said protecting data in the cloud is their responsibility. CSPs bear the most responsibility for sensitive data in the cloud, 35 percent said, and 33 percent said the responsibility is shared.
Solution: Responsibility for cloud security is almost always shared. CSPs are responsible for securing the platform itself — but the task of keeping your organization’s data and intellectual property safe is up to you. Get familiar with each set of requirements and make sure your security teams and CIO are up to speed as well.
The entire C-suite — not just the CISO and the CIO.
A lack of buy-in from C-suite executives is one of the most common reasons why cloud adoptions slow down or stall. You’ve probably approached your CISO, but what about the CFO, COO, chief risk officer, and chief legal officer? Cloud solutions exist for each of these roles and their organizations. Seeing cloud migration as only a security or IT problem misses the opportunity to engage key portions of the enterprise.
Solution: For each element in your cloud-agnostic security framework, define who’s responsible and accountable and who’s to be consulted and informed. Use a single framework and regularly report back to these individuals on your progress. Doing so can help you avoid duplicating tasks and help your cloud migration proceed smoothly and on schedule.
Not being able to make the most of all the features and benefits of the cloud.
The cyber skills shortage is real, and it’s expected to worsen — especially for cloud engineers. These professionals need the “full stack” of skills and knowledge. They need to know how all the technology components work and how they interact: databases, applications, operating systems, networks.
But people with this level of expertise are in short supply. Without cloud engineers on staff, businesses may take a lift-and-shift or rehosting approach to cloud adoption — simply moving applications to the cloud without redesigning them.
For example, they may use “compute services” to spin up virtual machines in which to place their code — just as they did when everything was in the data center. A lift-and-shift approach not only misses the point of cloud migration, it robs you of the opportunity to use all of the features and enjoy all of the benefits your CSP can provide.
Solution: Absent full-stack cloud engineers on staff, consider training one or more of your existing engineers in cloud technologies — but don’t do this yourself. Elegant technologies such as the cloud almost always seem simpler than they are. Trial and error can be an expensive way to learn, and will take much more time than working with someone who already knows the ins and outs of the cloud.
Partnering with an organization or individual with cloud migration/modernization and management experience is the best and most efficient way to move your project forward. A CISO-led strategic partnership could benefit other members of the C-suite, too. For instance, your CTO might save money on personnel if you can upskill the engineers you already have on staff and automate infrastructure and application changes to the cloud environments you use — a win-win.
Also, make sure you know what your CSP offers. Take advantage of every possible resource, such as platform as a service (PaaS), which allows you to scale up or down as needed.
The cloud is always on and always changing — so your cloud security program must be as well. Automation is key. Here are steps to take for powerful and effective automated cloud security.
Cloud security can seem overwhelming — but it is manageable. With the recommendations outlined here, you’ll be well positioned to reap the rewards that motivated your migration to the cloud in the first place. You’ll also position your organization for the coming evolution of cloud security, one that’s poised to include prevalent machine learning, cloud security posture management and confidential computing — topics we shall turn to in future thought leadership.