Why CISOs Need a New Approach to Cloud Security
While the last decade has seen a number of enterprises experimenting with cloud, the pandemic has accelerated cloud adoption significantly, in part due to the surge of remote work. Today cloud represents a new way of doing business, alongside new rules around ownership and responsibility, and new cybersecurity considerations to take into account. In fact, one of the key challenges that often remains unaddressed is the phenomenal rise of cybersecurity incidents, including data theft, cryptomining, and ransomware, among others. The need of the hour is to protect organizations from cyber attacks, whether they are in the initial stages of cloud adoption or in a mature and steady environment. In a recent interaction with CXOToday, Kapil Makhija, Head-Technology Cloud Business, Oracle India, explains how CISOs should learn to defend against cyber-attacks and gear up for a cloud-first world.
- What are the key security challenges CIOs/CISOs are facing with rapid cloud adoption?
The pandemic has accelerated cloud adoption significantly. According to findings of the Oracle KPMG Cloud Threat Report, almost 90 percent of organizations said they use SaaS and 76 percent said they use IaaS. Further, 50 percent said they expect to move all their data to the cloud in the next couple of years. According to Omdia, nearly one-third of organizations cite the adoption of cloud services as “significantly more important” than prior to the pandemic.
At the same time, organizations are facing unprecedented challenges in how to modernize their key infrastructure while continuing to keep costs in check, along with strengthening their security posture. With more people continuing to work from home, the world has witnessed a sharp rise in the number as well as complexity of cyber-attacks and all this, amidst the growing paucity of skilled cybersecurity professionals globally, which is projected to reach 1.8 million by 2022.
- What, according to you, are the driving factors behind the sharp rise in cyber-attacks?
Various studies have estimated that on average, every 11 seconds, an organization suffers a cybersecurity attack. This is expected to get even worse. But, what’s alarming is that, according to a Verizon study, 85 percent of successful breaches were from vulnerabilities where patches were available up to a year before the attack occurred, but weren’t updated. This shows that while the cyber threat landscape is expanding in both size/scale and complexity, organizations are realizing the need to modernize and update their risk management practices. Further, there are a few key ‘must-do’ actions that companies should take to help protect themselves.
- How can organizations better support their workforce in being able to defend against cyber-attacks and gear up for a cloud-first world?
Increased awareness is the key. The need for multi-factor authentication, access control protocols and more such preemptive measures needs to be religiously followed. Ultimately, a security-first culture is essential, where every employee is fully aware of their individual and collective responsibilities in protecting their organization’s data. Constant communication and top-down commitment to ‘walk the talk’ when it comes to developing and implementing cyber-security initiatives are important.
In addition to frequent, practical cyber-security training and skill upgradation for employees, another important factor organizations must focus on is to encourage employees to become ‘cloud-smart’ by helping them develop a ‘cloud-first’ mindset. Oracle is committed to helping our customers and the IT ecosystem at large be better prepared for a cloud-first world, because we realize that thousands of companies and millions of users count on Oracle Cloud Infrastructure (OCI) to run their entire application portfolio and mission-critical workloads. Also, OCI is one of the fastest growing cloud platforms, and we are seeing an increased demand for OCI expertise across the globe. Therefore, we are offering free OCI training, plus free certification, via Oracle University until the end of the year. We encourage more and more technology professionals to advance and future-proof their careers by learning OCI for free with our expert-created training and globally recognized certification program.
- What new technological solutions are emerging to protect organizations from cyber-attacks?
There are a number of new tools that help integrate security across disparate cloud and on-premises environments. Tools which can enable complete visibility across all applications and infrastructure are essential to help identify and avoid misconfigurations, software vulnerabilities, manual errors, and process redundancies. In addition, what’s important is a holistic, integrated approach to cyber-security. Such an approach can help eliminate complexity and drive a more cohesive process to roll out a robust cyber-security program.
- How can organizations work towards cyber resilience?
Weaving an intelligent security framework into an organization’s overall cyber-defense strategy is vital. Such an intelligent security approach uses cloud services and new advancements in AI/ML, and can go well beyond just malware protection. Take security automation for instance; offered as a built-in capability, and an always-on feature in Oracle’s next-generation cloud infrastructure (OCI), security automation can help reduce the time and resources needed to manage user access, and decrease human errors at the same time. Also, in a cloud-first world, there is a greater need for CISOs to develop deeper, cloud-centric expertise. This will be the key as CISOs become even more engaged with various digital transformation and business initiatives, so that they can ensure cybersecurity is effectively and properly integrated into evolving business models, covering all aspects of IT.
- In a multi-cloud era, who takes ownership in the case of a security breach?
As per the findings of the Oracle and KPMG Cloud Threat Report that I mentioned earlier, 96 percent of IT professionals are aware of the cloud security shared responsibility model. However, what’s surprising is that only 8 percent fully understand the shared responsibility model for all types of cloud services. In a multi-cloud era, where most organizations work with multiple infrastructure and software cloud providers, each of these providers comes with its own version of what the shared responsibility model is. This lack of clarity – regarding whose responsibility is what – is bringing with it a risk of misconfigurations, software vulnerabilities, human errors, and process redundancy. At Oracle, we have a fundamentally different approach to security. We believe that (a) security should not be a choice, and must be always on; (b) it shouldn’t be too expensive; and (c) security shouldn’t be too complex to implement and must be an intrinsic part of every tech provider’s software and hardware by default. We believe this approach will raise the bar for tech providers to build security into the DNA of their offerings and not add it as an afterthought.
- How is Oracle helping organizations strengthen cyber resilience? What is the road ahead?
Like I mentioned earlier, we believe security should be foundational and built in, because customers shouldn’t be forced into a situation where they have to make trade-offs between security and cost. We have a multi-layered approach to security, and believe security should be easier to understand and implement for all employees, not just experts. We are introducing product innovations and approaches that make security tools much easier to adopt – for example, by being always on, automated, and those that leverage AI and ML capabilities. It’s important to realize that security must be data-centric.
All Oracle Cloud Regions globally provide secure, high performance environments to help customers move, build, and run their enterprise workloads. Also, OCI adheres to security-first design principles that focus on providing built-in security controls that include isolated network virtualization as well as strict separation of duties.
Our flagship innovation, the Oracle Autonomous Database, automatically performs regular updates to patch and respond to zero-day vulnerabilities fast. Oracle Autonomous Database can update itself without shutting down – this is a unique capability compared to other databases that require downtime for updates. This is further complemented by services delivering always-on encryption and continuous monitoring of user behavior, with Oracle CloudGuard and Oracle Identity Cloud Service further helping mitigate the risks. Our customers get to also leverage automated patching as well as threat mitigation to help reduce complexity, prevent manual errors, and reduce costs.
Also, a ‘one size fits all’ approach to security will not work. Some organizations might still prefer to retain full custody of their cloud environment, be it for regulatory or any other reasons. So choice of cloud deployment models is also important. Using Oracle Dedicated Region Cloud@Customer, large enterprises can build Oracle’s public cloud regions within their own data centers, so they have full physical control of the infrastructure, helping them adhere to the strictest of regulatory and data sovereignty requirements.