For enterprises that not only want to survive but compete effectively against their peers, the adoption of cloud computing has become an imperative.
More and more enterprises are opting for a multi-cloud strategy to take advantage of the different services offered by different vendors. However, as enterprises embrace the benefits of multi-cloud, they are forced to face the reality of increased security risks.
Transformation requires IT leaders to rethink their data protection and governance strategies. How they should deal with new cloud-native attack vectors that do not exist in the world of premises-based data centres is a topic that experts gathered to discuss at a recent TechCentral round table.
The concept of taking people off premises and in certain cases moving them to a hybrid model has been accelerated by the Covid-19 pandemic. 3Sixty Health CIO Tshepo Motshegoa says his company has all its staff working remotely, which has brought a level of complexity to its operations.
Ajay Sharma, vice president and head of technology for South Africa, Europe and Australia for EXL, says security is becoming more of an issue and attackers have changed their methods because of the shift to working from home. “The attack surface has changed significantly in the last year since Covid came into the picture.”
The attack surface, Sharma says, is either the device, or the people using it. He explains that people are accessing work functions through many devices, which are all at risk. In addition, other devices are being exposed now, such as network file servers and application servers.
Despite the security challenges, moving to the cloud is worth the risk, says Dereshin Pillay, head of digital design at Digital Innovators. The benefits of going into, or adopting, a cloud or multi-cloud strategy far outweigh the disadvantages, he says.
However, Pillay says there are challenges. Typically, those are caused by people, though, and not IT systems. This is where aspects such as compliance, governance, and the supporting policies and procedures need to be in place and enforced effectively. Without these, an employee could leave and have access to the work environment for several days after departing, for example.
The adoption of multi-cloud is not the issue; rather, it’s the effective management of it.
Governance is so important when it comes to a cloud migration because business loves cloud, adds Nico Kotze, head of IT security at the Momentum Metropolitan Group. “They love the energy, the engineers, the techies absolutely love this new toy they can play with. I call it the ‘Ooh, shiny thing’ syndrome.”
The issue of security and protecting the cloud is, however, bigger than any one company, says Charles Kungwane, chief information security officer at Motus. “It should be a holistic, countrywide approach — for example, the consolidation of government infrastructure. One of the reasons why cloud was implemented was to minimise the cost of ownership around infrastructure.”
Kungwane, calling for partnerships to secure the cloud, adds that this will also help drive down the cost of ownership.
However, Armscor’s executive manager of cybersecurity, Nhlanhla Mabaso, points out that government, through the ministry of communications & digital technologies, has announced a draft policy for comments on government’s data and cloud policy. The aim is to create a secure private cloud infrastructure.
This will allow South Africa to benefit from what the cloud offers but also provide a space for greater control and an opportunity for greater innovation. This will also extend to entities that government partners with in the private sector and community institutions.
Cybersecurity operations manager at Telesure Joseph Stokes says there is more complexity to the issue of cloud security, pointing out that everyone is rushing to get the compliance checkboxes ticked before July, when the Protection of Personal Information Act (Popia) comes into full force. Yet few organisations have done proper third-party risk assessments. “There’s a big difference between just risk management and cyber-risk management, to really articulate and bridge that gap between technical and business,” he says.
Sasol delivery enablement lead and DevOps advisor Bramley Maetsa says his company has an aggressive plan to make certain it’s compliant with Popia by the end of June. “We rallied everyone; we have all the workstreams on board.”
Maetsa’s colleague, Lungile Mginqi, who has the role of group information officer, adds: “It’s more about making sure that everyone is aligned with our policies in terms of what our expectations are in those areas (when it comes to ensuring security).”
Nedbank lead architect of information security and blockchain Adele Jones explains that the bank has implemented a multi-cloud strategy and its identity management system, which was already mature, could just absorb that change. “Cloud just adds a different technical context to your identity management problem, but your identity management problem stays the same.”
Telkom has seen an acceleration regarding its identity and access management programme due to the new way of work. With this increase in digital identities, there has been an increase in credential theft attempts and the like, says Telkom corporate information security group executive Funzani Madi. As a result, he says, the focus is shifting from zero trust on the network to zero trust in terms of digital identities.
Discovery’s senior platform services manager, Johan Marais, says that technology can be part of the problem. “Part of what we do is we enable people. And part of our function is to bring the latest and greatest tech to them, where it makes sense, to make sure that we can enable business to develop faster, at a better pace.”
However, when you add in ease of use, there is risk because the cloud moves faster than the traditional IT landscape, he notes. “The enablement and the rate of change is, I suppose, part of the biggest problem here — and if your policies and governance procedures aren’t in place to tackle these.”
- This promoted content was paid for by the party concerned