Expert Views on Modern Cloud Security and Effective SAP Solutions
According to Gartner, cloud security posture management is expected to rise to $3.32 billion in 2027, up from $1.06 billion in 2022, as more businesses entrench their cloud adoption and seek resilient protection.
In light of this reality, how must business leaders approach modern cloud security? The question is pertinent because the cloud field is evolving rapidly and the innovations of yesteryear are fast becoming obsolete. In this article, we consider various expert perspectives on how things are changing and how business leaders can adapt.
Rethinking Compliance and Risk
Organizations need a new approach to compliance. Today, for many businesses, security regulations and guidelines are no more than a set of checkboxes to be ticked.
However, the reality is that meeting the minimum compliance requirements does not offer sufficient protection, according to cloud security executive Vladi Sandler.
In fact, it may open up the business to more risks, since cybercrime actors are also well aware of the compliance requirements and will strive to launch attacks that beat those defenses. Therefore, in mitigating risks, organizations must see institutional regulations as a baseline, but their actual security processes should factor in their unique risk posture.
This position was echoed by the authors of the book ‘Cloud Auditing Best Practices’, Shinesa Cambric and Michael Rotemo, in an interview. Compliance regulations ensure that all organizations adhere to a minimum baseline, but compliance itself does not equal security.
And while meeting the minimum regulations is better than nothing, your target should go beyond the baseline and your audit processes should be more robust. With the current trend of pervasive cloud technologies, this is non-negotiable.
SAP’s compliance offerings help businesses achieve this by providing industry standards and regulatory requirements so that businesses can build a solid security foundation from the baseline – although they should not stop there.
Cloud Data Security and Risk Management
Google Cloud overcomes the challenge of talent shortage in cybersecurity by, of course, training a new crop of experts, but also by adopting a secure-by-default, secure-by-design approach to cloud security.
According to Phil Venables, VP and CISO of Google Cloud, “we’ve got to think about how do we 10x the productivity of the cybersecurity and IT workforce we’ve already got… A lot of that comes down to the secure by default, secure by design, making these things just intrinsic to the products.”
Moreover, a secure-by-default approach serves the customer better and strengthens security across the ecosystem – it’s not just a task management ‘hack’ for the vendor.
Being consistently conscious of your organization’s risks is critical, and that’s where the SAP Enterprise Risk Management software comes to the fore. It gives detailed insights into the main drivers of risks in your business and helps you minimize loss through strategic planning analysis.
In a recent interview, security expert Hari Ravichandran highlighted the fact that cybercrime has grown into a big business. It’s not perpetrated by some nerd trying out the latest hacking skills. It’s an entire business on its own and highly organized, down to the smallest detail.
Of course, this is nothing new to anyone familiar with the industry, especially given how invested state actors have become in the entire act. However, keeping the fact constantly in mind helps put the state of the industry into perspective and should inform the urgency and pertinence with which cloud leaders must approach cybersecurity.
Cyber Governance for the Cloud
Adopting cloud technologies requires some model of shared responsibility between clients and providers. When a party is not faithful to its responsibilities, it opens up the system to attackers.
Sadly, much of the blame goes to customers. According to analysts at Gartner, until 2025, the customer will be responsible for 99% of cloud security failures. To avoid this, organizations need to invest in holistic cyber governance that enhances their cloud security posture management.
For years, security leaders have been emphasizing the need for organizations to approach security in a business-inclusive manner. That is, cybersecurity should not be considered an add-on or a nice-to-have; rather, it is a key business operational arm that directly impacts the organization’s capacity to generate revenue.
The side effects of this are, first, having security leaders as part of management boards and, second, driving meaningful investment towards cyber resilience. In this age of cloud computing, the temptation to do otherwise is high.
After all, your cloud operations are ‘just’ another feature that you can purchase from a vendor. However, this is even more dangerous and, depending on the shared responsibility model between your company and the vendor, your security risks would be immense if urgent steps are not taken to remedy the situation.
According to Shue-Jane Thompson, partner at IBM Consulting, modern security for hybrid clouds must be holistic, end-to-end, and embedded in all we do.
The National Cyber Security Centre of the UK recommends a lightweight approach to cloud security for organizations that do not hold or process sensitive data. Again, it is highly critical that a company’s cybersecurity processes align with its risk posture.
This prevents under-investing but also over-investing. The main danger in over-investing is the temptation to prioritize the wrong factors. However, the NCSC’s lightweight approach is a simple guideline for mitigating the most common cyber attacks.
Particularly, this approach is recommended for SaaS businesses that target a single problem and conduct business without necessary access to sensitive information.
The approach focuses on the following four areas:
- Data encryption – protecting data in transit and at rest.
- Authentication and access control – API security, two-factor authentication, single sign-on, privileged access management.
- Incident management – logging security incidents, incident response processes, and vulnerability disclosure processes.
What ties the four areas together is governance. Encryption, authentication, and incident management come with ease when there is a streamlined approach to data governance, which is what SAP Cloud Identity Access Governance facilitates.
Cloud technologies are associated with complicated access management; leaders and IT teams need a tool that can intelligently optimize access assignments and simplify risk management.
The cloud is not going anywhere; it has come to stay. Therefore, business leaders must adopt more proactive approaches to cloud security as they reconsider their risk posture and adopt inclusive governance practices.