Author : Robert Clark - Principal, Cyber, Risk and Regulatory, PwC United States
Source : https://www.pwc.com/us/en/tech-effect/cybersecurity/enable-cloud-compliance-cybersecurity.html
Clearly, businesses are keen on the cloud. In fact, 56% of respondents to PwC’s Cloud Business Survey see cloud as a strategic platform for growth and innovation. But there’s a disconnect between enthusiasm and returns. More than half (53%) of companies have not yet realized substantial value from cloud investments. One explanation is that relying on third-party cloud providers can increase vulnerabilities that erode trust in the business.
Another reason: Companies don’t always see the full spectrum of cloud risks. Insufficient, often poor, planning can yield slow, over-budget implementations. In fact, a scant 17% of chief risk officers (CROs) and chief audit executives are brought in to cloud projects at the planning stage. Most come to the table much later, during requirements gathering.
Early examination of risk can make cybersecurity a powerful enabler of growth, one that delivers broad business transformation and a fast lane to the future.
Risk specialists: Help your cloud transformation team address these three key areas
To help achieve a compliant, secure transformation, organizations should explore three key areas of cybersecurity, privacy and compliance:
Most organizations, especially public ones, allocate significant time and resources to address requirements for these areas. The potential trouble starts when companies don’t take into account how a cloud transformation can change the requirements and create long-term barriers to regulatory compliance. Integrating compliance and security requirements at the onset can help effectively manage requirements and avoid the costs of retrofitting security programs.
Guard the access points to — and within — the cloud and resident applications
In a perfectly secured business world, all job responsibilities would be segregated and privileged access would be strictly restricted to help reduce risks and protect data. But we don’t live in that world.
Today, threat actors expertly exploit misconfigured cloud services to gain access to a company’s network, encrypt data and then demand exorbitant ransoms to restore the data. Most business leaders recognize the threats: 58% forecast increased attacks on cloud services in 2022, the highest of all incident types, according to PwC’s 2022 Global Digital Trust Insights Survey. Given the speed and cunning efficiency of today’s threat actors, executives have cause for concern.
Not all cyberattacks carry the thumbprints of external actors, however. Intentional and unintentional actions by employees and trusted third parties can also expose data to compromise. Here’s how: Developers with access to production systems might unintentionally modify production data, believing that they were in the development environment. Similarly, developers with access to production might unwittingly promote unapproved changes into production. And users with elevated access might perform actions that violate security and privacy policies.
Segregation of duties, which separates access privileges needed to complete a process among multiple users, and stringent access controls can help companies shut down these insider threats. To secure accounts that have access to cloud services, businesses should:
Configuring segregation of duties and privileged access is always a tradeoff between accepting more risk in return for lower costs and speedier deployments. Following are questions you should ask to strike the right balance:
Careful consideration of these questions can help you avoid compliance issues during the project and down the road.
Design privacy into the cloud
Privacy is a complex discipline that is becoming more byzantine as regulations proliferate and consumers protect personal information. Managing these shifts requires a skilled team of privacy practitioners who help maintain compliance and apply complex privacy requirements to business problems. These skills need to be complemented by a team of security specialists who know the application layer of security and can translate privacy requirements into actual application security settings.
Not so long ago, a few people in the legal department could manage privacy needs. Today, that takes much larger teams. Yet the talent squeeze for skilled workers makes it doubly difficult for organizations to build an effective privacy team. Business leaders are beginning to voice concerns: In our Cloud Business Survey, 52% of executives said a lack of tech talent is a barrier to realizing cloud value.
Making matters worse is a general lack of proficiency in privacy. Consider, for instance, that almost 40% of organizations don’t understand privacy violations and cloud risks arising from third parties and suppliers. What’s more, data governance is the backbone of privacy, yet only one-third of survey respondents have a formal data governance program.
Following are questions that can help you understand why you need to incorporate privacy into your cloud journey:
Now’s the time to connect with your company’s privacy team and map out answers to these questions — and a new privacy plan.
Build in leading cybersecurity for the cloud
Cloud transformations will almost certainly impact an organization’s cybersecurity program and posture. Depending on the nature of the cloud transformation, the impact could be consequential.
Key questions to consider to gauge the impact of cybersecurity and privacy on cloud transformations include:
PwC’s cloud security risk framework comprises 8 key enablers of cloud transformation
From risk to confidence to payoffs
Despite the challenges, there’s cause for encouragement. C-suite executives understand the critical role of cloud in both defining and achieving their company’s growth and operational ambitions. It’s also promising that organizations are prioritizing investments in cloud security to unleash innovation, boost resiliency and reimagine the business. Doing so can help transform risk into confidence — and ultimately, tangible returns on cloud investments.
Date of Input: 24/05/2022 | Updated: 30/05/2022 | nurmiera