Charlie Winckless, VP Analyst at Gartner, explains that adopting cloud is essential for a modern digital economy, but it challenges traditional cybersecurity models. Organizations must form dedicated cloud security teams, establish Cloud Centers of Excellence, and avoid ineffective organizational patterns.
Adoption of public cloud services is now the norm rather than the exception. A Gartner survey shows that 94% of surveyed organizations agree that public cloud is a crucial part of their digital business initiatives.
The trend toward cloud migration has numerous advantages, but it also poses a significant challenge to cybersecurity operations. Nearly every aspect of cybersecurity, across its common domains and functional clusters, must now also be delivered in the cloud. However, existing cybersecurity models and skill sets are tailored primarily to on-premises environments rather than to the cloud.
Cybersecurity leaders, including CISOs, cannot ignore the inevitability of cloud adoption and the changes it entails. They must adjust their operating models – including team structures, communication channels, and skills – to accommodate a business landscape where cloud is integral.
CISOs who are responsible for creating effective cybersecurity programs must consider the following recommendations to fulfill the promise of the cloud without putting the business at undue risk.
- Assess the Need for a Dedicated Cloud Security Team
According to Gartner, cloud spending is expected to maintain a compound annual growth rate of over 17% through 2027. This means more workloads and applications will be moved to the cloud, and securing them effectively becomes correspondingly more important. These workloads may be hosted on one or several hyperscale cloud providers, such as Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP).
Organizations therefore need to structure their teams, and the skills within those teams, to fit this new landscape. Whether an organization needs a dedicated cloud security team depends on how it uses cloud technology: how important cloud is to the business, how complex the adoption plan is, and how much self-service is granted to business units.
- Organize Around Your Cloud Operating Model
Organizations adopt various cloud operating models. An organization’s cloud security model should be tailored to its specific cloud operating model.
During the early stages of cloud adoption, organizations often do not have a designated “cloud team.” Instead, technical personnel from various departments form a cloud committee, tiger team, pilot team, or cloud center of competence. This group is typically informal and relies on best efforts. As a result, responsibilities for the cloud are usually assigned to the departments that already have those responsibilities for on-premises operations.
Gartner recommends that organizations create a cloud center of excellence — an enterprise architecture function responsible for cloud governance — along with a cloud platform operations (CPO) function responsible for cloud technical implementation. The CPO function acts like an internal managed services provider (MSP), providing consultative capabilities, platform capabilities and day-to-day operations on behalf of application teams.
In another model, application teams are fully responsible for the infrastructure, operations, and security of their entire application stack, including cloud resources. This “extreme DevOps” (or DevSecOps) model appears at both ends of the maturity spectrum: it is often seen in unregulated initial cloud adoption and in well-established digital organizations.
- Cloud Center of Excellence
One important aspect of organizing for the cloud is establishing a Cloud Center of Excellence (CCoE). A CCoE serves as a central point for consultation, helping to bring order to uncoordinated adoption and to establish governance. Proper cloud governance is crucial in mitigating the risks associated with adopting cloud technology.
A CCoE is typically sponsored by executive leadership, since its remit extends well beyond cloud governance. It is usually staffed by cloud enterprise architects and operates as a consultative enterprise architecture function. The organization’s cloud computing advisory council (CCAC) typically provides strategy and policy feedback to the CCoE. Security and risk management (SRM) typically has at least one representative on the CCAC, and therefore has some formal, though indirect, ability to influence the CCoE.
- Organizing Cloud Security Responsibility
Cloud security is no different in outcome from traditional security, but it is often delivered differently; cloud security must therefore cover the same security clusters as on-premises security. Which teams these clusters fall into is variable, but the assignment must be aligned with the cloud operating model the organization as a whole has selected.
Where security operations for the cloud sit will depend partly on the skills and maturity of existing teams. As an organization progresses in its cloud journey, traditional teams will absorb cloud functions: the SOC will handle cloud incidents, oversee threat detection in the cloud environment, and manage additional services from cloud providers, such as threat intelligence.
- Avoid Cloud Organizational Antipatterns
There are some clear antipatterns that inhibit cloud adoption and consistently produce poor outcomes. Avoid organizing your team around any of the following:
- Total absence of the cybersecurity team from cloud initiatives.
- The cybersecurity team dictates everything without collaboration with the business or operations.
- Lack of collaboration between security, cloud engineering and CCoE.
- Confusing cloud security with cloud governance.
Cloud security includes all the same security components found in on-premises environments. Implementing it successfully is not as simple as creating a separate team focused solely on cloud security. There is no single correct way to organize for cloud security, but there are patterns to avoid. Beyond avoiding those patterns, it is crucial to structure your organization around your chosen cloud operating model to achieve the best results.