Here’s how Middle East CISOs can embrace the cloud security model

The pandemic has caused a surge in digital transformation and cloud adoption globally, and the Middle East is no exception. To get the full benefits of cloud computing, though, enterprise IT leaders need to be aware that the technology has its own, unique security model.

To add value to their enterprises’ cloud journeys, CISOs will need to work with their technology teams and jointly define an approach to cloud security that takes advantage of its native capabilities and gives business the value they are seeking from digital transformation.

The cloud’s business proposition of reduced IT spending, enhanced disaster recovery and faster deployments have made it an ideal model for firms to adopt during the COVID crisis. In the Middle East, many corporate giants have already proved that they can meet their IT demands via cloud adoption. Recent high-profile examples include e-commerce marketplace Noon, which uses Google cloud, and Saudi Ground Services, with Oracle.

Middle East cloud adoption accelerates

With an increased focus on work from home and business continuity in the wake of the pandemic, the public cloud market in the Middle East is poised for tremendous growth. The GCC public cloud market, including IaaS, SaaS and PaaS, is expected to grow from $956 million in 2020 to $2.35 billion in 2024, at an annual growth rate of 25%, according to IDC.

CIOs in the region are facing increased pressure to cut IT spending and implement digital transformation that focuses on agility and reduced costs. Security of these cloud services however remains a top level concern for CIOs and CISOs who are either planning or well into their cloud journeys.

Common cloud security problems

Cloud security typically ends up as one of those areas which is either under-represented or over-controlled, leading to frustration in both cases.  Another problem companies face is that in their rush to accelerate cloud adoption, they either side-line cyber-security or quickly retrofit existing security services into the cloud ecosystem in a bid to save time and money.

“Copy-pasting” the existing on-prem security model into the cloud and expecting it to work just the same is a huge mistake and can lead to either failure or huge frustrations by not getting the desired mitigations. The cloud has it owns unique security model and copying on-premises habits can result in companies missing out on the powerful security features that are natively available in the cloud. As a cloud security practitioner for many years now, below are a few of the most important lessons I have picked up along the course of many successful (and not so successful) cloud projects.

Build your security skills in house

The Middle East has historically put a lot of reliance on consultants  and outsourcing to drive technology change, especially for strategic projects, and the cloud is no different. It is common for CISOs to call in external security experts to manage the risk of a six-to-12 month cloud migration but fail to keep in mind that the internal teams will need to run the security of the new cloud setup once these consultants leave.

The cloud relies heavily on technologies like infrastructure as code (IaC), containers, and serverless computing, and unless in-house cyber-security skills around these technologies are developed, security teams will be unable to later add value to decision making and find themselves being left out of the process by technology teams. 

The cloud has a learning curve which needs to be taken into account for major projects and practical knowledge of security-as-code, serverless computing and related technology should be made part of the teams skill set. This also helps to increase motivation and loyalty as the security team sees the investment that the company is willing to make in them for the long term.

 Identity becomes the firewall

In a large cloud implementation I handled in the UAE financial services sector, a lot of technology stakeholders were of the impression that your network security perimeter effectively dissolves in the cloud, which is incorrect. The perimeter is very much there but simply shifts from network defences such as firewalls and intrusion detection systems (IPSes) to cloud-based identity:  instead of focusing efforts on securing a network perimeter, we realize that every entity in the cloud — be it a user, partner or application — is represented by a cloud identity, which is where the controls need to be based.

Managing identity as the focal point of protection in the cloud is a much more effective way of controlling access compared to network security controls, as it forces you to authenticate against a single trusted source of identity and then use that to control access to applications, data, and systems.

Shifting to an identity management model doesn’t just mean enforcing multi-factor authentication and calling it a day, however. A proper strategy means linking cloud identities to context-based controls which make intelligent decisions based on location, risk level, device health, etc., and then allow (or block) access based on policies you define. In addition, these need to be linked to an AI-driven system which can learn the cloud user’s patterns over time and create a baseline against which to flag violations.

Finally, you should link the identities to a single sign-on (SSO) service so that this protection is consistent for all cloud applications and access can be revoked uniformly in case of a compromise.  While this might seem overwhelming at first, the good news is that most of the major cloud providers do have these functionalities built into their platforms and it is only a matter of enabling them for a cost.

Intelligently using threat intel

 One of the biggest advantages of the cloud is that it gives companies access to tools and technologies that would otherwise be out of their reach from a cost perspective. Threat Intelligence has always been one of the main pro-active measures which a company can take to defend itself and this is especially critical given that top economies in the Middle East saw nearly a 250% increase in cyberattacks in 2020 due to adoption of remote working.

Threat Intelligence has come a long way in the last couple of years from its early days of being primarily available via threat intelligence feeds from third parties. Advances in machine learning and big data now allow the ability to detect security events which would be impossible to identify manually due to the sheer volume of data that is generated. 

Most of the major cloud providers invest heavily in threat intelligence capabilities with security researchers having access to billions of threat signals happening across the globe and shared threat intel information from major providers. This enables early detection of new attacks and threats across their global infrastructure with this information being fed into their products and quickly available to their customers.

While this allows customers to keep pace with the rapidly changing threat environment, a lot of them also fail to do anything meaningful with this immense data. Once the early excitement of having this rich array of threat data to play with wears off, security teams will often face alert fatigue and become inundated with false positive notifications as the machine learning engine baselines what is normal activity for users. The best solution is to configure security automation playbooks so as to reduce security “noise” for the security operations center by resolving low level incidents automatically and allow security analysts to focus on actual events requiring their attention.

(Taimur Ijlal is an information security and data protection professional with more than 18 years of experience in cybersecurity, enterprise risk assessment and cloud technology.)