Achieving Secure Cloud Transformation

online meetings / virtual events / digital conferences / video conferencing / remote teams
Mixetto / Getty Images

Security has emerged as the most significant barrier to organizations pivoting to the cloud.

The rapid exodus of ever more critical data and applications off-premises has coincided with a rapidly growing industry with innumerable cloud providers, platforms, and apps, yet one without a standard or coherent framework for data protection and governance.

It’s a situation that has given rise to the term Frankencloud, and for organizations without a genuine cloud-ready security strategy, the risks and implications can be very ugly indeed.

A group of senior technology leaders from across the Association of Southeast Asian Nations (ASEAN) region recently sat down together for a roundtable discussion on this vital topic, sharing perspectives across industry sectors as diverse as healthcare, government, financial services and telecommunications.

The broad consensus was that organizations need to bring an equal, if not greater, focus and vigilance to cybersecurity in the cloud as they do currently in their physical on-premises environments.

At the same time they need to shift their mindset, not just in terms of legacy technologies vs the cloud, but also legacy ‘attitudes and thinking’.

COVID-19 has elevated the importance of having this conversation now, as the volume and sophistication of cyberattacks has exploded in the months since the pandemic took hold.

Charles Kennaway, Asia region sales lead for cloud security leader Zscaler noted that while there were around 1,200 reported cyberattacks throughout ASEAN in January, by March that number had exploded to 380,000.

“The scale of what the bad guys are currently up to is very worrying,” he said.

Ransomware attacks saw the biggest jump, in large part due to the increased vulnerability of staff working from home and therefore isolated from colleagues, particularly the IT and security managers who might advise on safe practices and how to identify things like phishing attempts.

The importance of staff being able to literally stick their head over an office partition and confer with a colleague about something that seems weird or out of place has been brought into sharp focus by COVID-19, as swarms of malevolent actors swoop in to take advantage of the situation.

No countries or major cities in the ASEAN region have been spared from the onslaught.

“Ransomware has certainly increased in the Philippines,” said Florante Igtiben, IT director with the Philippines’ National Economic and Development Authority, adding that this has coincided with the organization migrating more apps to the cloud as part of its digital transformation. “It’s timely for us to be thinking specifically about security in the virtual environment.”

Many large organizations throughout the region - and the world - had been in the midst of large and ambitious digital transformation projects when COVID hit, which suddenly exacerbated the typical security challenges and concerns that come from migrating away from old legacy systems and practices.

Of course, certain industry sectors have faced a greater volume of cyberattacks throughout COVID-19, including healthcare, which has been beset by multiple challenges. Maintaining patient care while migrating all but essential staff to work from home has been challenging, especially for an industry that has been slow in its digital transformation, particularly in Asia.

In the healthcare sector, veritable armies of staff have been working remotely via VPN and connecting to the cloud using mobile devices without adequate security awareness, making them especially vulnerable to cyberattacks. 

Daniel Lui, chief information officer and VP operations with Thailand-based Pacific Healthcare has seen it all firsthand.

“We have seen people attempt to sign in from countries we don’t even operate in,” he noted.

For companies such as Pacific Healthcare - and many of its competitors in the sector - the necessary exodus of staff beyond the company firewall and into the cloud means that establishing a truly secure environment is more important – and more challenging – than ever.

People’s well-being, and often their lives, are at stake, making the often time-consuming and tedious work of establishing proper security safeguards non-negotiable for healthcare providers. As it should be for any organization with a proper sense of responsibility and self-preservation.

“It can be a labour-intensive process achieving security outside of the perimeter, especially when you need to deal with multiple Microsoft licenses to achieve security, for instance,” Lui explained.

Trust only what you control

Training your staff to have greater awareness and vigilance around cybersecurity is extremely important. And often it’s the simple things, such as educating people about suspicious emails and attachments, that can make a real difference.

A growing percentage of all cyberattacks have their origins in email communications, with the vast majority of ransomware attacks launched in this way.

CK Tho, system integration architect with telecommunications solutions company Edotco Group said the cloud is changing how organizations need to think about cybersecurity.

“The way you secure the cloud is very different from securing on-premises,” he said, stressing that single-factor authentication is no longer an option. “Multifactor authentication is essential.”

Eric D’Angelo, CSO and CISO with Dell Technologies noted that today’s organizations are grappling with a completely new reality requiring greater vigilance.

“We’re seeing customers trying to go down a zero trust model, which means essentially don’t trust what you can’t control,” he said.

But such an approach is easier said than done, especially when your staff need to collaborate and work from whatever environment they may have found themselves in.

Zscaler’s Kennaway urged organizations to develop fluency around concepts such as ‘native digital’ cloud security. “This includes having a properly managed ‘digital exchange’ and an uncompromising commitment to zero trust,” he explained.

Ultimately, it comes down to organizations breaking down and managing complexity within their expanding cloud environments, which demands proper visibility into every aspect of the organization that touches the virtual world.

And organizations must have full visibility and control over every user, especially those working beyond the firewall.

This critical aspect ensures that employees have the right technology to do their jobs competently and securely while having the necessary training and education to identify and flag, at a minimum, the most obvious breach attempts, and ideally move towards eradicating cyber risk altogether.

Copyright © 2021 IDG Communications, Inc.