8 Cloud Security Megatrends and How They Play into Organizational Cyber Risk
Many companies and organizations have become very familiar with “cloud” software, which allows users to store their data off-premises. While the use of the cloud has become widespread, risk managers still hesitate to fully accept its capabilities for two main reasons:
- The cloud forces risk managers to trust a third-party entity.
- Organizations still face a gap in understanding the true magnitude of cyber risk.
Many risk managers are still familiar with on-premises data infrastructure because that’s simply all they have experienced. But the cloud data infrastructure provides its users with more security than on-premises capabilities.
Despite risk managers' hesitation to fully embrace cloud software, these programs have been, and will continue to be, a critical linchpin for how organizations operate within the cyber landscape. And because the cloud and its technology are constantly evolving, identifying and understanding current trends in the software, including its possible benefits and risks, is critical for stakeholders.
Luckily, a session at the RIMS 2022 conference in San Francisco did just that. The session, “Cloud Computing and Cloud Security Risks,” brought together three Google employees to discuss everything to know about the cloud.
The speakers included Monica Shokrai, head of business risk & insurance, Google Cloud; Kathryn Shih, group project manager of security for Google Cloud; and Gerald Cowen, head of sales for Google’s risk protection program.
The session centered around 8 cloud security megatrends and their importance in organizational cyber risk.
Cloud Security Megatrends
1) Economies of Scale
A decrease in the standard cost of security capabilities will result in an increase of the baseline level of security, or the security’s overall performance.
Shih said, “[The cloud] is an example of a high fixed cost problem, coming up with the procedures to ensure availability or that [operations] are properly maintained, [and that is] expensive and time consuming. But once you have those procedures, it’s typically not as difficult to scale them to additional infrastructure.”
She continued, “By moving to the cloud, customers are able to shift this high-cost provider that can then spread that high cost across many customers with favorable unit economics. That’s just one class of problems that stops being an issue for the individual customer.”
2) Healthy Competition
As the cloud becomes a more streamlined tool for companies and businesses, it’s natural for providers to compete to offer the leading technologies in this space. This healthy competition has driven innovation across the cloud technology industry, which allows the cyber insurance industry to constantly one-up the bad actors looking to infiltrate organizations.
3) Software-Defined Infrastructure
Because cloud technology is a software-defined infrastructure, it does not require humans to manually manage the software or “cope with administrative toil,” according to the session. This not only allows for a more seamless setup; security preferences are also established by code, so a user simply has to check up on the security’s efficiency.
This infrastructure is certainly useful in the scenario of discovering a vulnerability within a system and deploying the necessary resources to patch it.
Shokrai said, “We no longer have this on-premises software environment where when a bug is found, there’s a lag between finding that bug and distributing the patch of that bug.”
All in all, the software-defined component transfers a large portion of the responsibility to the cloud infrastructure, which makes a cyber risk manager’s job more efficient.
Though cloud technology can feel complex to those only familiar with on-premises software, the cloud can not only “identify, create and deploy simpler default modes of operation,” but also have these modes of operation work “securely and automatically,” according to the session.
The simplicity of the cloud technology allows organizations’ cyber risk mitigation efforts to work smarter, not harder.
5) Shared Fate
What is shared fate and how does it relate to the cloud? To discuss shared fate, it’s important to understand the term “shared responsibility.” Cowen explained, “Shared responsibility starts with this concept: the cloud provider provides the security of the cloud and the client, or the application, will provide security in the cloud.” It serves as a symbiotic relationship where one cannot survive without the other.
Shared fate is a transition and step forward from shared responsibility, which places continued trust in cloud software and a healthy pressure on the provider's end to enhance security.
6) Cloud as the Digital Immune System
According to the session, because the cloud providers can provide hyper-specific mitigation efforts for each organization’s needs, “every security update the cloud gives the customer is informed by some threat, vulnerability or new attack technique.”
Like an immune system, cloud software remembers which methods or attack techniques have been used to cause illness and attempt a breach.
7) Increasing Deployment Velocity
Cloud software operates differently from on-premises infrastructure in that it’s much more efficient in almost every aspect. In this trend, the cloud’s ability to automate software and system updates, especially with the use of automated continuous integration/continuous deployment (CI/CD), allows organizations to receive more frequent security clean-ups.
8) Sovereignty Meets Sustainability
Cowen noted that while sovereignty and sustainability are conjoined in this trend, they exist as two separate entities.
The component of sovereignty is particularly important as it allows organizations to have more power when it comes to their cloud capabilities.
Cowen said, “The beauty of the cloud is that when you have a data center in a region that’s enabling [an organization] to meet those third party requirements, organizations can now specify the policy, where you can build policies that will only allow users to build infrastructure in these places.”
He continued, “While that may not have been an obvious concern before, [the cloud] is now enabling [organizations] to meet internal and external obligations to help know where [data] is.”