Konstantina Koukou is a well-rounded, tech-savvy electrical engineering graduate with a specialization in Information and Telecommunication Systems. She has spent the last 12 years in the IT industry, with a strong focus on cyber security.
In this interview, Konstantina Koukou provides top-tier insights into significant cloud security challenges, discusses how to address issues, and starts a conversation around optimizing for cost. Increase your cloud security ROI by leveraging these essential thought leadership insights, security maturity models and best practices.
What are the top cloud security challenges that you’re seeing right now?
Companies that make the leap to the cloud, no matter their maturity in this journey, are facing some common challenges with their migrations. The challenges mainly consist of protecting the data and critical applications, preventing security breaches, and simultaneously identifying attacks in a timely manner while reacting in accordance with an incident response plan.
Also, we are seeing an increasing number of companies opting for multi-cloud deployments. Sometimes, this is to avoid being tied to one vendor, but it can also come about because organizations want to make use of different services offered that fit a given security strategy. Multi-cloud deployments can create new challenges because companies need to not only have an eye towards one environment, but to control what is happening across environments that are very dynamic by nature.
Lack of visibility is a challenge, as is maintaining security compliance across the environments, and ensuring that the right security controls are consistently applied. These are mainly operational issues, but the challenges are amplified on account of the lack of qualified staff in cloud security – people who would be responsible for the design and maintenance of cloud compliance.
How can organizations contend with these challenges?
One of the most fundamental parts of addressing the aforementioned challenges and efficiently protecting every cloud environment is to start building the environment with security in mind. The shared responsibility model demands that every organization design their own migration strategy to the cloud – including the security controls.
Unfortunately, we see a lot of organizations migrating to the cloud, turning them into production sites and then, post-migration or after a security incident, starting to think seriously about applying adequate cyber security controls. Being proactive can save you from some trouble.
As a next step, organizations should start thinking about how to leverage automation and orchestration tools to ensure security control implementation. Lastly, efficient tools are needed in order to gain central visibility for all security threats and to identify, in real-time, any potential misconfigurations that might be exploited by a threat actor.
How can CISOs become more “fluent” or capable when it comes to cloud security skills?
Undoubtedly, CISOs coming from the traditional IT world have to change their mental models to the ones that befit the cloud. Firstly, they need to be aware of the differences between on-premises cyber security threats and the cloud ones. For example, in the traditional on-prem data center environment, hackers would aim to gain access to exposed systems and steal data from databases, bypassing the layered security protections that a company has. Critical data, in this case, would never be exposed to the internet, as it can be exposed today in publicly accessible storage buckets. The use of APIs that are now so widely used in the cloud was previously limited. APIs should be thought of as endpoints, for which we need to secure access, permissions and privileged access.
When organizations are in the lift and shift part of the cloud journey, the environment in the cloud looks pretty familiar to what CISOs were controlling in the on-prem era. However, as the journey gets more cloud-native, by adopting serverless technologies, getting independent from the hardware and using code as the primary source of delivering services and value to the customers, to ensure greater time to market, things become a little different.
CISOs need to regain their seat at the table, be involved starting day zero in the cloud migration projects and partner with the cloud teams to extend and adapt the security management processes around risk reduction and compliance in the cloud.
The security team needs to learn how to work at the speed of DevOps, develop the skills and the expertise to integrate the security practices at their speed and gradually start to incorporate some aspects of DevSecOps within the organization.
How can businesses optimize for cost in relation to cloud security, if at all?
To be honest, the greatest cost is actually coming from failing to invest in robust cyber security controls in the cloud. The implications are more than obvious for a business that doesn't protect its critical infrastructure and doesn't provide timely responses to disruptions caused by cyber attacks.
Organizations can optimize their cyber security spending on cloud by wisely selecting which solutions to use. Significant savings can be achieved through consolidation, which can offer broad benefits and can help organizations meet cyber protection objectives 24/7. The solutions should optimally be able to protect all working cloud environments that an organization has. This means that organizations sometimes have to turn away from native cloud security controls and opt for a strategic collaboration with a cyber security vendor that can cover as much of their security needs as possible, eventually leading to increased overall security and, potentially, to reduced costs.