Why security must be shifted left in a cloud-first strategy

February 24, 2021

Companies with cloud-first strategies are growing in number as the benefits of cloud have become more apparent and appetizing in the fallout of the COVID-19 pandemic. However, simply having a cloud-first strategy doesn’t guarantee success in the cloud, cost savings and increased agility. Similarly, security remains a pervasive threat if a process for mitigation is not built into the very foundation of your cloud strategy.

There’s a misnomer in understanding what security should look like, especially when in the cloud, depending on what is being secured. Typically, organizations’ cybersecurity focus tends to fall into two categories:

IT workloads – technology that you have regardless of the industry you are in (email, CRM, ERP, etc.)
Engineering – the differentiated technology and intellectual property (IP) that you develop to enable you to excel in the market (which you want to keep safest from exposure)

The key is to move beyond securing IT workloads to the security of engineering, which is focused more on growth and innovation. As your business executes its cloud-first strategy, it’s important to recognize that cloud isn’t a destination; it’s a journey. And like any journey, you prepare ahead of time, map your route, and plan for agility.

The two things that businesses care most about protecting are IP and client data. Simply introducing traditional security measures such as Firewalls, Identity and Access Management, Multi-Factor Authentication are no longer sufficient measures in an engineering world where everything-is-code. To fully protect your platform and customer data when agility and speed-to-market are tables takes, security must be shifted as far left as possible, and integrated into the behaviors and culture of how organizations architect, develop and deliver products and services.

Regulations like GDPR have embraced this far left (or “security by design”) approach to cybersecurity. The US Cyberspace Solarium Commission is advocating for the addition of cybersecurity reporting requirements in the Sarbanes Oxley Act (solarium.gov, March 2020, Report, Section 4.4.4). Shifting left is a technical and behavioral norm, not an option.

The cloud consumption model has not only changed platform architecture, it has also changed the behaviors of platform contributors, which has given rise to new methodologies for security, such as Zero Trust and Secure Access Service Edge (SASE), which are components of security by design and how an organization builds the right model for their business that emphasizes the best stance for security. It’s about choosing the right infrastructure balanced with the right location (on-premises, colocation or cloud) to meet the quality, scalability and security demands.

Zero-trust security institutes an approach where all users and technology are denied access to all systems, resources, and datasets and must be explicitly granted the lowest level of access required and continually authenticated and re-validated to maintain permission. This approach better assures platform security prior to users or resources being provided access. While more secure, zero-trust requires organizations to design security as part of the platform code to each entity accessing it, which is time consuming and resource intensive.

Many organizations are turning to Secure Access Service Edge (SASE) to address zero-trust for remote access to simplify the approach. Half network and half security, the SASE framework is designed to allow enterprise security professionals to apply identity and context to specify the level of performance, reliability, security, and cost desired for every network session. SASE, in simplistic terms, can be a methodology to accomplish zero-trust policies for remote access in a cloud-native architecture.

As you build and execute according to your cloud-first strategy, cybersecurity must built into the very foundation of that plan. The cloud is not a place where workloads are hosted, rather a strategic approach to consume and deliver resources. Security cannot be an afterthought – it must be embedded into the way organizations behave, and part of the cultural of accountability. Embracing a security-minded culture means changing behaviors that model the culture you want to emerge. Organizations who have demonstrated a culture of security accountability and instituted supporting technical best practices have lower risk, improved customer satisfaction, and outpace the competition. The best practice is to strategically integrate security into the definition-of-done and insist that everyone is accountable for an organizations security posture and it is measurable in the people, process, and technology.

Dustin Milberg is a seasoned enterprise technology executive and current Field CTO Cloud Services at InterVision, an IT strategic service provider and Premier Consulting Partner in the Amazon Web Services (AWS) Partner Network (APN). In this role, Dustin focuses on helping customers adopt a holistic approach to developing and delivering sustainable platforms and solutions, while enabling technology organizations to optimize the entire operation: people, process, infrastructure, operations, development, quality, and security.

Pandemics, Recessions and Disasters: Insider Threats During Troubling Times

ON DEMAND: The insider threat—consisting of scores of different types of crimes and incidents—is a scourge even during the best of times. But the chaos, instability and desperation that characterize crises also catalyze both intentional and unwitting insider attacks. Learn how your workers, contractors, volunteers and partners are exploiting the dislocation caused by today's climate of Coronavirus, unemployment, disinformation and social unrest.

Industrial Cybersecurity: What Every Food & Bev Executive Needs to Know

ON DEMAND: There's a lot at stake when it comes to cybersecurity. Reputation, productivity, quality. Join us to discuss the future of your global security strategy and a path forward with trusted partners Cisco and Rockwell Automation, and turn your Food & Bev security challenges into strategic advantages that drive business value.

Poll

Who has ownership or primary responsibility of video surveillance at your enterprise?

View Results

Poll Archive

Products

Effective Security Management, 7th Edition

Effective Security Management, 5e, teaches practicing security professionals how to build their careers by mastering the fundamentals of good management. Charles Sennewald brings a time-tested blend of common sense, wisdom, and humor to this bestselling introduction to workplace dynamics.

See More Products

Why security must be shifted left in a cloud-first strategy

Get our new eMagazine delivered to your inbox every month.

Stay in the know on the latest enterprise risk and security industry trends.

Why security must be shifted left in a cloud-first strategy

Related Articles

Get our new eMagazine delivered to your inbox every month.

Stay in the know on the latest enterprise risk and security industry trends.