Legacy infrastructure modernisation and cloud migration programmes should consider a cyber-forward cloud strategy to implement the relevant mix of security, trust and business agility, and enable a stronger consumer experience.
Increasingly, global organisations are migrating from legacy on-premise infrastructure to the cloud in order to achieve greater business agility and resilience with a modern IT approach. Yet too often, cloud migration and cybersecurity are considered separately, with different teams focussed on different phases of what could be a shared process. With cybercrime estimated to cost US$6 trillion annually by the end of this year,1 cloud migration raises the cybersecurity stakes. At the same time, despite the benefits—and even though “security and data protection” is a number one or two top driver for cloud migration2—investment in integrated cloud cyber technology strategies is often lacking. Deloitte & Touche LLP’s 2019 Future of Cyber survey found that 90% of responding organisations spent 10% or less of their cyber budget on cloud migration, software-as-a-service (SaaS), analytics and machine learning.3
Indeed, many organisations are moving fast to migrate to the cloud without paying enough attention upfront to security.
This points to an opportunity for cybersecurity modernisation that drives business and technology resilience—wherein cyber can become the differentiator to provide consumer trust. An integrated cloud cyber strategy enables organisations to use security in their transformation in a way that promotes greater consumer trust, especially in today’s digital age.
Achieving this combined approach often requires bringing together cloud and security specialists with shared goals and a modernisation programme that balances agility with security and consumer trust requirements.
For organisations looking to enhance business and technology resilience, increase security and cultivate trust during their cloud migration, a conscious decision to embrace cloud “security by design” can be essential. By pursuing security by design, organisations can benefit from:
This article asserts the importance of taking a conscious approach to “security by design” (focussed on mission-critical business applications) to guide greater collaboration between cloud and cyber teams and to drive greater agility, security and trust.
Based on our research, which combines primary data analysis, secondary research and internal interviews with nine Deloitte executives versed in cloud and cyber strategies, we’ve detailed specific considerations for organisations embarking on the cloud migration journey.
Deloitte Global’s fourth annual readiness report survey data, based on responses from 2,260 C-level executives and senior public sector leaders,4 found that organisations with more mature cloud and cyber technology strategies tend to be more resilient than respondents overall as well as those with only advanced cloud or advanced cyber strategies. Those with a mature cloud and cyber strategy scored the highest when answering questions related to how well their organisation is doing using advanced technologies to "become more resilient and agile" (75% versus 53% overall) and "to predict future trends, risks and threats" (70% versus 49% overall). While a cloud or cyber strategy advances resilience about equally when combined, cloud and cyber are a force multiplier equating to two times resilience/agility compared to organisations with no cloud or cyber strategy (see endnote 5 for detailed analysis methodology).5 See Appendix: Integrated cloud cyber strategies drive greater business and technology resilience.
Ultimately, the cloud and cyber teams should come together managed by a modernisation and migration Center of Excellence (CoE) leader (often the digital transformation leader) and enabled by cross-teaming, cross-skilling and a shared operating model. Once in place, the operating model can be used to guide greater collaboration, co-ordination and implementation across controls and risk management and compliance practices in a way that builds in security at the IT infrastructure layer while promoting the business (and ultimately) the customer experience.
This integrated team may need to collaborate around:
In many organisations, cyber entities are siloed from the rest of the organisation, often with minimal and/or incomplete transparency, which can impede trust. As companies migrate to the cloud, this issue will likely grow—and perhaps the migration itself become more difficult.
This makes security by design by an integrated team more critical. Indeed, evidence suggests this is already happening. Our interviews reveal that the biggest cloud-security shift has been a move away from developers handling security towards a more collaborative model across the technology C-suite. As recently as five years ago, a chief information officer (CIO) could oversee and fund cloud-migration projects, without security involved until the end. Today, there is more co-ordination among the chief security officer (CSO), chief information security officer (CISO) and CIO,6 and this collaboration should trickle down into the modernisation and migration CoE, allowing ownership to shift clearly across shared operating and responsibility models, from pre-contracting and across the development process.
This conscious, integrated approach can be used to help guide baseline analysis and security requirements during discovery and cloud vendor selection; to determine the shared responsibility model across the integrated CoE team with the cloud vendor; to set up guardrails within the IT infrastructure itself; and to manage DevSecOps processes with the applicable mix of talent and technology in place.
Pre-contracting, many cloud vendors expect a minimum baseline of analysis and security configurations that are handled by the client. These differ for each cloud vendor. Cloud teams can benefit from their cyber colleagues’ perspectives to better address these areas during contracting. Post-contracting and during implementation, a joint cloud-cyber team approach can accelerate the team’s ability to understand, assess and reconfigure the cloud environment. It can also better position and prepare the CIO/CISO to perform the required third-party cloud vendor analysis risk assessments on business operations sustainability. This activity can even be written in the contract as ongoing annual activity for business continuity to avoid a “vendor lock-in” situation.
Additionally, in an ever-evolving cyberthreat landscape, cloud vendors could have insight into new cloud security product developments and implementation considerations and innovations to factor in to the operating model. In 2020, for example,
Furthermore, better awareness of compliance reporting requirements when negotiating cloud provider contracts can help to determine that the data will be shared at the frequency required for reporting. To that end, a government organisation was looking to report patching data to demonstrate continuous compliance, but data reporting at the frequency needed was not part of the cloud service-level agreement (SLA). To address the issue, it was able to pull source code data and integrate it into a manual reporting process. However, this could potentially have been a smoother process if addressed at the time of contracting.9 To avoid challenges like this, assess these reporting needs and adjust SLAs or determine alternative reporting solutions.
According to one industry study, 66% of surveyed executives report using cloud providers for baseline security; 73% believe public cloud providers are mainly responsible for securing SaaS solutions; and 42% believe they are responsible for securing infrastructure-as-a-service (IaaS) solutions.10 Yet, while an organisation might lean on the cloud provider for secure data centres and infrastructure, a shared responsibility model gets an organisation only so far. It’s still the organisation’s responsibility to secure the data and applications in the cloud. An integrated cloud cyber team enables clearer demarcation of where the organisation’s responsibility ends and the cloud vendor’s begins (and vice versa) and guides on how to approach ongoing monitoring.
Unlike in an on-premise environment, with cloud, physical infrastructure is rented and shared operating models may vary based on several contributing factors. For example, 40% of US states are operating in a federated model where the CISO oversees enterprise policy and agencies lead shared services; 10% of US states have a decentralised model where the CIO advises individual state agencies on policy.11 Such has been the case in the New York City Cyber Command Initiative, where the project’s deputy CISO and the agency’s head of threat management adopted cloud technology to access security data from a government network-connected device in the city.12
The threat landscape is continuously evolving with malicious actors employing new cyberattack tactics drawing on cryptocurrency mining and ransomware malware,13 cyber artificial intelligence (AI) strategies that propagate data poisoning, generative adversarial network attacks and bot manipulation.14 Staying one step ahead of these attacks will require keeping up to date on the latest cloud cyber innovations. Our analysis of US patents applied for and granted between 2018 and 2020 shows that:
While there were approximately 1,500 patents related to cloud security in 2018 and 2019, that number dropped to 500 last year, presumably due to the pandemic.15 Thus, integrated teams with a solid backbone—operating model, processes, and controls—could be even more critical.
All information on cloud security patents is sourced from Derwent World Patents Index via Quid (https://quid.com). The purpose of the analysis is to identify general themes in cloud security. Deloitte did not review any individual patents in preparing this analysis.
DevSecOps enabled the cloud engineering team to better plan the architecture of the environment and build the cloud infrastructure to enable a secure migration.
With security central to the vendor selection and responsibility model creation, the security team now has a strong vantage point to embed security into the cloud migration process by setting up base guardrails and minimum configurations to protect deployment before migration activities begin. For example, workload protection and secure landing zones can create a standard configuration template that is scalable and sustainable for rapid deployment of future applications without the need for reengineering. Given the cloud methodology is meant for Agile and DevOps, an organisation without secure DevOps could be undertaking a significant amount of risk and it could be an additional component to managing development during the migration process.
DevSecOps enables organisations to embed security into their workflow rather than as a bolt-on to development.16 This allows developers and security professionals to have the shared goals of secure configurations continuously monitored, remediated and managed for cybersecurity that drives creation of agile, resilient solutions. One insurance company, for example, migrated hundreds of applications to the cloud. DevSecOps enabled the cloud engineering team to better plan the architecture of the environment and build the cloud infrastructure to enable a secure migration. These processes can be further complemented by security automation and orchestration tools to implement structured workflows, automate security tasks, and prevent and detect threats.
Across the C-level, the move from on-premise to cloud typically requires a security mindset shift—from managing physical infrastructure to monitoring access across a “stateless distributed environment.” Importantly, the controls framework should address network, platform and infrastructure; user and data security; and core application security.
“Security by design” enables cloud developers and security teams to build guardrails into the infrastructure itself, establishing agile and secure processes. Therefore, before developers gain access to the cloud environment, the CIO and team should consider the leading approach to secure the network. It might be to embed guardrails into the cloud platform itself with “security by design” IT infrastructure, or to put in place restrictive “security by design” IT processes (e.g., authorised users responsible for reviewing infrastructure and source code before pushing to production). Industry-leading practices are moving away from perimeter-based security towards zero-trust network security architectures,17 which enable more modular developer environments, as well as micro segmentation to allow for varying levels of infrastructure access and controls across the network, identity access and applications.
As an example of the infrastructure approach, one asset management organisation moved from private to public cloud and embedded hundreds of controls into the cloud platform at the code level before giving developers administrative access. These controls served as guardrails, resulting in the successful creation of a safe and compliant development environment.18
Alternatively, taking the process approach, another financial services organisation removed or highly restricted developer keys to shift access and processes for code deployment. This prompted a major cultural shift for developers who previously had been able to push application changes live more autonomously; the privilege was now restricted to a small group. To reinforce the new protocol, the organisation monitored for behaviours that deviated from the new controls process; in particular, one common scenario of developers now unauthorised to push live updates using a virtual machine to bypass the privilege-access management tooling, thereby potentially creating an exposed port. To address this risk, the organisation implemented a security orchestration automation and response solution, enabling the company to collect security operations data; built a business case to detect security configuration changes; and orchestrated a custom workflow resolution for reviewing them. This gave the firm required visibility for proactive network monitoring and the ability to close open ports.
Cloud migration often requires a new approach to identity. While previously physical credentials (e.g., building access) were acceptable authorisation, in a distributed system that can be accessed anywhere, user-level access credentials and key management may be required. Identity access management protocols can be fed into a modularised identity platform with user-level access requirements.19 A focus on data protection, privacy, resilience, and regulations can guide data access rights and user privileges. Executives should plan on balancing legal minimum requirements for encryption against too much encryption, which may slow down applications.20
Before moving data or workloads to the cloud, the cloud and cyber teams should determine that the following minimum controls are in place:
Cloud migration can reduce certain infrastructure security risks managed on-premise, with encryption, logging, private networking, monitoring, DDoS protection, automated patches and other elements built into the cloud environment. However, many migrated systems and applications were not designed to operate online. To avoid disappointment on this front, before the cloud migration begins, organisations can conduct a cyber risk maturity assessment21 to understand specific technology, regulatory, and insider and supply chain risks as well as recommended remediations.22
While some of these may be new territory for a cloud migration team, organisations face a number of potential technology risks to mitigate as part of their cloud cyber programmes where an integrated cloud cyber team can help create a more secure, agile and trustworthy outcome (figure 1).
Understanding technology risks can be critical—and potentially surprising for organisations that believe their systems to be well protected. One financial institution, for example, conducted a routine scan that found its technology stack had more than 100,000 built-in vulnerabilities, posing a high-security threat and requiring immediate remediation at the application, database, middleware and code levels. This risk, in part, prompted the cloud migration and is an example of the legacy on-premise platform and applications risk noted in figure 1.23 Had the cloud migration team opted to lift and shift the infrastructure without an understanding of these vulnerabilities first, the organisation could have shifted certain risks to the cloud.
In another example, a consumer goods organisation running an outdated operating system had its data centre taken over by ransomware when a software patch in the development environment went into production. Legacy security vulnerabilities that may have been somewhat protected by firewalls or perimeter security became exposed when moved to the cloud and weren’t remediated. Had the organisation had better orchestration across the cloud and cyber teams, with proper controls in place, this type of incident—which can significantly erode consumer trust—might have been avoided.
Managing technology risk requires a balance of understanding the existing and future technology at its core—a strength of the cloud migration team—and advising on how to desirably mitigate the vulnerabilities with a security approach rooted in leading practices across the four risk categories before the migration occurs and even before the cloud vendor is selected.
When assessing their cloud vendor and before migrating data or workloads, organisations should bring together cloud and cybersecurity teams to consider four essential regulatory compliance requirements that will likely impact downstream data workflows and system configuration, including global and regional data governance regulations, industry-based frameworks and broader technology standards, as well as US government-specific regulations (figure 2).
A large global multinational organisation doing work in the public and private sectors may have to contend with a larger number of data and technology regulations, while a smaller organisation may still need to consider some combination of data, industry-specific and regional regulations while devising its cloud data strategy and subsequent risk controls. However, even “smaller organisations” can still be subject to broader regulations across borders due to globalisation of data.
A regulatory risk requirement review performed by a collaborative cloud and cyber team can enhance understanding of existing data frameworks, relevant risks and required technology specifications to improve cloud vendor selection, SLA negotiations and contracting.
Finally, a cloud cyber risk programme should consider insider threats and the organisation’s supply chain as specific threat vectors to balance security and trust inside and outside the organisation and to avoid potential data leaks and spillage. Where the cloud migration activity could collide with insider risk is through sharing credentialed access or creating an open network access point. Cloud access security brokers that monitor for data loss and enforce controls across a multi-cloud environment are on the rise. They can help organisations to better manage internal threats24 and monitor for data loss prevention, which about 75% of organisations indicate to be an important element of cloud security.25
Managing cyber risk requires organisations to look inward and outward at different insider risks and potential points of vulnerability across their supply chains. This can be achieved by an integrated cloud and cyber team, with visibility and transparency, communication and collaboration and execution of an integrated compliance programme (and tooling) across the supply chain. For more on this topic, see Deloitte Consulting LLP’s Looking beyond the horizon: Preparing today’s supply chains to thrive in uncertainty.
Finally, the type of cloud programme itself will impact the operating model and subsequent programme. The following graphic details four common cloud programme scenarios and high-, medium- and low-complexity considerations for the integrated cloud and cyber team (figure 3).
Cloud developers can’t be expected to become security specialists overnight, or to stay on top of the evolving threat landscape. They can, however, embrace working on integrated cloud and cyber teams that bring target operating model, shift-left mentality, microservices, risk, control and compliance experience to bear during integral points in the cloud migration life cycle and with “security by design” principles. For these teams, here are a few parting thoughts to consider that can help guide the cloud modernisation and migration journey, bolster business and technology resilience, enhance security and reinforce customer trust:
By bringing together each of these components through a cloud migration CoE that includes an integrated team of cross-skilled cloud and cyber professionals, organisations can be better positioned to address the need for a broad “life cycle” to prioritise security risk levels and mitigate those risks with the proper governance, risk management and compliance across these security components. Ultimately, the cloud migration provides an opportunity for not just greater business and technology resilience but also potentially improved security and enhanced consumer trust.
Cloud is more than a place, a journey, or a technology. It's an opportunity to reimagine everything. It is the power to transform. It is a catalyst for continuous reinvention—and the pathway to help organisations confidently discover their possible and make it actual. Cloud is your pathway to possible.