CIO Insight: 3 Top Takeaways on Cloud Security
By Chris Chelliah
Security is the hot topic of the day. It’s hardly surprising given the increased number of attacks and the fact that there is a job deficit of two million cybersecurity professionals in Asia. It was also a key focus of the Sydney CIO Virtual Executive Summit run by Gartner’s Evanta. I spent some considerable time discussing the latest trends in securing cloud environments, strategies for ensuring security is front-of-mind for cloud deployments, and the need to balance on-prem and cloud cybersecurity. There were three clear takeaways.
Making security more consumable for developers
Companies still face a challenge getting cloud security treated as a key priority by their development teams. As a result, it is still too often added on as an afterthought rather than baked in upfront. We still need to find different ways and means to make security just as consumable by developers as any functionally oriented resource.
Allied with this approach is the adoption of a ‘champion’ model by security organisations. This model relies on the security function proactively skilling up specific individuals within the development team to adopt and promote security best practices amongst their peers. This approach contrasts with the attempt to inculcate security practices in the Software Development Life Cycle (SDLC) via top-down DevSecOps enforcement.
Related to this first challenge was another interesting suggestion: build production first. By that, I mean there is a need to flip the traditional approach of building a dev and test environment first and then production. Instead, take your production environment as the model (with production-grade security built in) and use it as the basis for spinning up new environments, so that they automatically come with all the security elements around them. This helps ensure we don’t bring bad (i.e. insecure) practices into Prod from Dev/Test.
Bringing security together on-prem and cloud
The second takeaway was that many companies still draw a clear line of separation between on-premises and the cloud, in terms of the teams that operate them, their mindsets, and their respective operating models. Currently both domains remain quite distinct. From a cybersecurity perspective, this is accompanied by a strong belief that there isn’t a way of easily spanning both domains, i.e. the people, process, and technologies involved may have to remain disparate. Given the reality that a threat may well span both domains, I know that addressing this gap, at least from a technology perspective, has been an intense focus of Oracle’s own efforts in this area. I think this area is critical when we consider the fact that hybrid models will be the reality for most organisations for many years yet.
There are certainly tools out there that do both. Here at Oracle, we announced the Data Safe Cloud Service for On-Premise databases a few months back. This helps to establish a common data security control plane for both cloud and on-premise databases, providing a unified view of a company’s data security posture across both domains. This approach is also in line with the need to reduce and rationalise the sprawl of disparate security technologies that many security organisations are faced with today.
Innovation demands diversity
Finally, for me, the third takeaway was that perhaps we need more of these discussions to simply learn and look for new options. This thought particularly occurred to me after having been involved with the APAC Digital Defence hackathon. It aimed to find new and innovative solutions to the cybersecurity challenges we are all facing. The landscape and threats are changing, and we need a diversity of approaches and ideas to try to keep one step ahead of the attackers. The hackathon provided an excellent forum for incubating innovative approaches to cybersecurity. Sometimes the best ideas are driven out of this organic approach.
Given that security really is a shared responsibility, are there any lessons you can share about how security has been addressed within your business that might help add to this conversation about what has been successful?
(The writer is SVP Customer Strategy, Business Development, and Insight, JAPAC at Oracle Corporation)