Cybersecurity and risk management have moved to the top of the boardroom agenda. According to a Gartner survey, 61% of chief information officers (CIOs) are increasing their investment in cyber and information security. The global research and advisory firm predicts that spending on information security and risk management technology and services will increase by 12.4 per cent by the end of this year (2021). Even more telling is that companies have started adding cybersecurity experts directly to the board.
The rise of the hybrid workplace and the need to switch to digital business models quickly have increased cloud adoption. Securing cloud environments is a critical step in protecting a company’s journey to the intelligent enterprise to become more agile, sustainable, and resilient. Being more intelligent also means outwitting even the most sophisticated of cybercriminals and keeping company operations and data secure.
Intelligent enterprises can safeguard their operations with an end-to-end secured digital core platform that can address, identify, protect, detect, respond, and recover against cybersecurity challenges such as malware, spear phishing, ransomware, and distributed denial-of-service (DDoS) attacks. It starts with integrating and correlating security and risk governance into the core business functions as the foundation for digital transformation.
Best practices to protect companies’ operations in the cloud are guided by three fundamental questions. First, who is managing the cloud? Many companies are moving towards a Managed Service Provider (MSP) model; when it includes the monitoring and management of security devices and systems, the provider is called a Managed Security Service Provider (MSSP). At a basic level, security services offered include managed firewall, intrusion detection, virtual private network, vulnerability scanning and anti-malware services, among others.
Second, what is the responsibility shift in this model? There is always a shared responsibility between companies and their cloud infrastructure providers for managing the cloud. This applies to private, public, and hybrid cloud models.
Typically, cloud providers are responsible for the infrastructure as a service (IaaS) and platform as a service (PaaS) layers while companies take charge of the application layer. Companies are ultimately responsible for deciding the user management concept for business applications, such as the user identity governance for human resources and finance applications.
Third, how will all parties work together to maintain an environment free of vulnerabilities through an efficient patch management process? This can become a real challenge when handling complex applications that have multiple dependencies and run on older versions. It can be solved with a process that has assigned maintenance windows, proper testing of all dependencies, and automation in place.
Based on my experience and work with SAP customers, here are five proven tactics to secure and safeguard business operations in any cloud environment:
1. Focus on End-to-End Security Monitoring
Having an antivirus program and some type of internal security process is not sufficient anymore to defend a company against cyber-attacks and security breaches. Without the right technology stack and a skilled team, it is practically impossible to achieve the correct visibility, and without visibility, there is no efficiency.
Today businesses need three elements to ensure end-to-end security monitoring: good cyber threat intelligence, an efficient security monitoring system, and a technology stack to rely on for detection and containment activities. It also includes threat modelling based on real-life threat intelligence to assess whether a specific indicator or activity is suspicious.
2. Pursue a Risk-Based Approach to Vulnerability Management
There is a general tendency to pay more attention to zero-day vulnerabilities and simple vulnerability scanning processes than they deserve, especially when you compare the threat perception versus the reality of the threat. Zero-day vulnerabilities are important metrics, but they are not the biggest issue for most organizations.
By taking a risk-based approach to vulnerability management, companies can identify areas of real threats. This approach evaluates and prioritizes threats based on how easily they can be exploited and weaponized against the company. It allows companies to take down or implement controls for vulnerabilities that could be exploited by imminent threats specific to the current IT environment.
A good practice is to visualize the threats in a real-life exploitation index that maps how applicable threats are in the company environment based on the state of the applications. Almost every exploit has preconditions that will limit the applicability level, and consequently, the risk score or impact.
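The following sketch, added here as an illustration and not taken from the original article or any SAP product, ranks findings by how many of an exploit's preconditions actually hold on the affected application. The vulnerability IDs, asset names, precondition labels and weighting factors are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    vuln_id: str               # placeholder ID, not a real CVE
    asset: str
    base_severity: float       # 0-10 severity as reported by a scanner
    exploited_in_wild: bool    # taken from threat intelligence
    preconditions: frozenset   # facts that must hold on the asset for the exploit to work

# Constructed inventory: the current state of each application.
ASSET_STATE = {
    "erp-app-01": {"internet_facing", "legacy_version"},
    "hr-db-02": {"internal_only"},
}

# Constructed findings.
FINDINGS = [
    Finding("VULN-A", "erp-app-01", 7.5, True, frozenset({"internet_facing", "legacy_version"})),
    Finding("VULN-B", "hr-db-02", 9.8, False, frozenset({"internet_facing", "anonymous_access"})),
    Finding("VULN-C", "erp-app-01", 6.0, False, frozenset({"internet_facing", "debug_mode"})),
]

def applicability(finding, asset_state=ASSET_STATE):
    """1.0 when every precondition holds; otherwise a reduced weight (assumed scale)."""
    if not finding.preconditions:
        return 1.0
    facts = asset_state.get(finding.asset, set())
    met = len(finding.preconditions & facts) / len(finding.preconditions)
    if met == 1.0:
        return 1.0
    # Partially met preconditions still count: one config change could complete them.
    return max(0.1, 0.5 * met)

def risk_score(finding, asset_state=ASSET_STATE):
    intel = 1.5 if finding.exploited_in_wild else 1.0   # assumed weighting
    return min(10.0, round(finding.base_severity * applicability(finding, asset_state) * intel, 2))

def prioritize(findings=FINDINGS, asset_state=ASSET_STATE):
    """Return (vuln_id, score) pairs, highest environment-specific risk first."""
    scored = [(f.vuln_id, risk_score(f, asset_state)) for f in findings]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)

if __name__ == "__main__":
    for vuln_id, score in prioritize():
        print(f"{vuln_id}: {score}")
```

Sorting by scanner severity alone would put VULN-B first; once preconditions are checked against the application state, it drops to last.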
3. Develop a Concept for Privileged Identity & Access Management
Assigning and managing access to company data is critical to prevent data leaks and breaches. Companies need a dedicated concept for privileged identity and access management that includes the following elements: identity separation of duties, roles and authorizations, dedicated monitoring for privileged access especially for customer environments, and direct integrations to the security monitoring platform.
The separation of duties, roles and authorizations should be discussed for specific security processes, such as encryption processes. For example, if all encryption keys are hosted securely in hardware security modules, the privileged users who may have access to them or to that specific Key Management System cloud service should not have privileged access to manage the systems.
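One way to check the key-management example above, shown as an added sketch that is not part of the original article: resolve each user's effective roles through nested groups, then flag anyone who holds both sides of a conflicting pair. The role names, group names and users are constructed assumptions, not identifiers from any real identity platform.

```python
# Constructed role model: pairs of roles that one identity must never hold together.
CONFLICTS = [("kms_key_admin", "system_admin")]

# Constructed directory data.
GROUP_ROLES = {
    "crypto-officers": {"kms_key_admin"},
    "platform-ops": {"system_admin"},
    "oncall": set(),
}
GROUP_PARENTS = {"oncall": {"platform-ops"}}   # oncall members inherit platform-ops
USERS = {
    "alice": {"roles": set(), "groups": {"crypto-officers"}},
    "bob": {"roles": {"system_admin"}, "groups": set()},
    "carol": {"roles": set(), "groups": {"crypto-officers", "oncall"}},
}

def effective_roles(user, users=USERS):
    """Direct roles plus every role inherited through (possibly nested) groups."""
    roles = set(users[user]["roles"])
    pending, seen = list(users[user]["groups"]), set()
    while pending:
        group = pending.pop()
        if group in seen:          # guards against cyclic group nesting
            continue
        seen.add(group)
        roles |= GROUP_ROLES.get(group, set())
        pending.extend(GROUP_PARENTS.get(group, ()))
    return roles

def sod_violations(users=USERS, conflicts=CONFLICTS):
    """Return (user, role_a, role_b) for every identity holding a conflicting pair."""
    violations = []
    for user in sorted(users):
        roles = effective_roles(user, users)
        for role_a, role_b in conflicts:
            if role_a in roles and role_b in roles:
                violations.append((user, role_a, role_b))
    return violations

if __name__ == "__main__":
    for user, role_a, role_b in sod_violations():
        print(f"SoD violation: {user} holds {role_a} and {role_b}")
```

The only violation here is indirect: carol has no direct roles, and the system administration right reaches her through a nested group, which is the case a review of direct assignments misses.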
4. Cloud Security Posture Management
One of the most important security requirements for the public cloud is to avoid misconfigurations in the landscape and, if needed, to quickly remediate them. Misconfigurations can leave landscapes inadvertently exposed and vulnerable. The earlier misconfigurations are detected, the better. This is not just a question of having the right tools. Tools alone do not solve problems, people do.
By training teams on cloud security posture management, companies can catch misconfigurations early on, during the development and testing pipeline and throughout the deployment and operational central scanning. It also enables companies to be less reliant on default controls. They can expand the security coverage to monitor specific use cases that are relevant to their environment, regardless of the type of cloud platform.
5. Automate Incident Responses
Incidents need to be detected early on and solved quickly. In addition, the root-cause analysis needs to be fully integrated with the security monitoring architecture. Automation can accelerate the analysis and response to incidents. Playbooks and runbooks eliminate repetitions and provide quick solutions for remediation. Automated incident responses go together with keeping a focus on end-to-end security monitoring (tactic 1).
Without visibility, there is no efficiency, and without efficiency, there is no real incident response. When defining the monitoring scope, companies should keep their data available for historical correlation and identification of slow attacks for at least one year. I also recommend adopting a hybrid or semi-automatic approach to incident response that uses playbooks and runbooks to respond quickly while keeping the last response decision in the hands of the team’s security analysts.
By following these five best practices, companies can create a solid security and risk management governance foundation to protect them in any cloud environment. Just remember, there is no status quo in cybersecurity and risk management.
Like gardening, security and risk management need constant upkeep as cybercriminals continue to look for loopholes. A good security and risk management governance system will help to future-proof your business by adapting to changes quickly.
To learn more about safeguarding the move to the cloud, please see the ebook “Your Accelerated Path to the Intelligent Enterprise” and check out the SAP S/4 HANA Private Cloud Edition (PCE) delivered by SAP Enterprise Cloud Services.