Earlier this year, Google Cloud CISO Phil Venables authored a defining blog post about eight industry “megatrends” that are helping to drive cloud adoption. All eight, he explained, also intensify the security advantage of cloud versus on-premises environments – for example, the cloud encourages more eager security innovation, operates with a “shared fate” model, and accommodates speedier security features in updates.
But cloud is unfamiliar territory for many organizations, especially when it comes to detection and response, because it is an environment – and attack surface – that can look quite different from the traditional data center.
How does that affect how a company perceives and addresses risk? Google recently partnered with Cloud Security Alliance to create a survey evaluating methods for measuring risk and risk governance.
These were the major findings of the survey, taken directly from the report, which you can download here:
As organizations adopt cloud, they are challenged to evaluate risk.
Internal data classification schemes and manual digital asset management methods are still the primary ways organizations are collecting, tracking, and organizing cloud assets. There is little consistency in how data is classified across cloud platforms and services.
Cloud risk evaluation faces challenges with growing business adoption of cloud
With cloud adoption numbers increasing, respondents shared that services are often evaluated at procurement only and not re-evaluated as product features or business environments change.
Tools for quantifying and measuring risk need to improve
Popular risk scoring tools for quantifying and measuring risk are not meeting expectations but there is a distinction of what tools are working better than others.
Monitoring, measuring, and reporting risk is difficult
A lack of reliable risk measurement has caused organizations to use more qualitative and less quantitative risk measurement methods.
Of course, any technological transformation as broad in scope as cloud deployment requires an adjustment to the risk, compliance and audit practices that ensure it is safely managed. But you shouldn’t assume that adopting cloud computing means there is more risk to manage, or that it will result in a net increase in risk at all. Cloud is as much a means of managing your security, resilience and other risks as it is a risk in its own right.
This Google Cloud whitepaper, “Risk Governance of Digital Transformation in the Cloud,” offers excellent suggestions for reducing risk in the cloud, including prioritizing organizational readiness, communicating with boards, and extending continuous monitoring.
That last recommendation speaks to Autonomic Security Operations (ASO) and its principle of continuous detection and continuous response (CD/CR). ASO is a combination of philosophies, practices, and tools that improve an organization's ability to withstand security attacks.
From a strictly detection and response perspective, an unfortunate common theme of many cloud migrations is that security operations requirements get deprioritized when organizations have tight timelines and budgets to drive their teams to the cloud.
This is because most SOC teams are too busy fighting proverbial fires and don’t have the spare cycles to focus on adapting their use cases to cloud workloads and modernizing their own infrastructure. However, moving to the cloud should be looked at not only as an opportunity to modernize the business, but as a clean slate to revolutionize your security operations and the tech stack you use to support them. You can learn more by visiting chronicle.security.