Reward versus risk: five tips for navigating security in the cloud

Whether businesses were prepared or not, COVID-19 has ushered in the next era of enterprise cloud adoption. Some organisations were, of course, already on their cloud journey well before early 2020, but there is clear evidence that cloud uptake has accelerated at a previously unforeseen pace.

What’s become clear now is that there is no going back. Mass adoption of Software-as-a-Service (SaaS) and collaboration applications was initially seen as a stopgap measure to maintain business continuity during lockdowns but has quickly become the norm for employees and customers. In fact, according to a recent ONS survey, 85% of UK workers want to maintain a hybrid working approach.

Cloud technology is the only viable way to power the future world of remote and hybrid work. Only a cloud-based infrastructure can provide the scalability, flexibility, simplified costs, and improved user experiences required to create a secure and agile working environment from any location. For many, migrating to the cloud is an opportunity to reimagine business operations, innovate, and even open up new revenue streams, but these new approaches call for a cyber security rethink. So, what can organisations do to improve their risk posture as they evolve their cloud strategy and start to fully realise the rewards that this technology can provide? Here are five tips for navigating security in the cloud.


1. Cyber hygiene is critical but different

Securing the cloud is not the same as securing on-premise infrastructure. Blending SaaS and Infrastructure-as-a-Service (IaaS), in addition to the fact that many hyperscalers are software-defined, means that traditional enterprise security controls don’t always translate. Organisations can’t simply replicate what they had before, but in the cloud. Firstly, when a business takes the leap to the cloud, one of the most important things is knowing where data is located and how it flows. One of the key observations of the last year is that the cloud has become a complex ecosystem of employees, customers, partners and providers so maintaining visibility of this data has become much more difficult. As a result, basic hygiene has unintentionally worsened for many businesses over the last year. By focusing on the fundamentals of cyber hygiene through asset and inventory management, vulnerability and configuration management, businesses can understand where their most valuable information is stored, who has access to it, where vulnerabilities lie, and how it can be properly secured.

2. Get the right skills and knowledge onboard

It’s difficult to remember a time when there wasn’t a constant wave of security threats. The good news, however, is that operating in the cloud can simplify some aspects of security and, as such, can actively reduce an organisation’s security risk burden.

That said, vulnerabilities are unfortunately a fact of security life, so it’s important for an organisation’s team to have the skills and understanding not only to securely architect the cloud but also to maintain security post-implementation. With the rate of change in the technology industry, it’s not uncommon for cloud providers to make changes or updates on a daily basis. This level of fluctuation, coupled with the sheer number of security products and services, can naturally be overwhelming if a team doesn’t have the right skills. Whilst it’s important to start with the correct knowledge internally to support early migration decisions, it’s also fundamental to offer ongoing user training and education to avoid any data challenges later down the line.


3. Upgrade your monitoring and detection capabilities

Moving workloads to the cloud isn’t a case of ‘setup and go’. Businesses need to consider how and where they will monitor their operations to gain visibility into potential risks once migration has taken place. The challenge here is joining the dots between fragmented APIs, systems and applications, and importantly, seeing what’s happening in real-time.

It’s a good idea to understand what native monitoring capabilities a chosen cloud provider can offer. Cloud-native controls offer a rich view of activity and can be useful for detecting any suspicious activity. On top of this, businesses should also conduct their own assessment, from end user to the cloud, to identify other potential loopholes. A framework such as MITRE ATT&CK should be used and combined with company-led threat intelligence to highlight current tactics and techniques that pose a potential risk.

4. Stay ahead of the next threat

Cloud platforms are constantly improving their security services and capabilities. But, just as technology keeps advancing, so do the threats. Organisations need to adopt a continuous risk-led improvement cycle, which translates to continual updating and patching. The future of cloud security is heading towards automation; however, there is still work to do to achieve this. In the meantime, businesses should look to adopt a zero-trust approach as part of their defensive strategy, assuming that all applications are potentially malicious and trusting them only once they have been verified.


5. You don’t have to go it alone

There are many potential business benefits to garner from migration to the cloud, but there are also some pretty serious consequences if a business misses the mark. What’s clear is that maintaining security in the face of the increasing pace and volume of threats can’t be addressed singlehandedly by any organisation. Companies should seek support from external partners to augment and bolster their in-house capabilities — and ensure they get it right. Partnering is a tried and tested way of accessing knowledge about hyperscale services, the constantly evolving threat landscape, as well as cross-industry experience to avoid mistakes others have made.

Cloud services provide an incredible opportunity to focus more on the outcomes and less on the technology. In today’s digital-first world, organisations that make the move will achieve the greatest gains. But, while the cloud provides a number of clear security advantages, it’s important to be aware of the new risks moving to the cloud brings. Ultimately though, if done right, the benefits of moving to the fast, flexible and agile cloud still hugely outweigh the risks, especially in the longer term.

Written by Tris Morgan, director of global advisory at BT
