
In 2021, McKinsey found that cloud adoption by US Fortune 500 organizations could generate about USD 1 trillion in value by 2030. Late in 2022, they extended this forecast to Forbes Global 2000 organizations, which bumped up the figure to USD 3 trillion by 2030. 

The cloud is clearly becoming the engine of enterprise operations. Yet, despite this growing dependence on the cloud, one important topic is often overlooked: security.

Some organizations have a limited understanding of cloud hosting and don’t know how to secure their cloud workloads, while others believe that security is solely the duty of the cloud service provider. Either way, the absence of proactive security measures leaves them vulnerable to potentially serious breaches.

In the financial services industry, for example, a breach could affect business continuity and disrupt services such as mobile money, internet banking and ecommerce platforms – damaging brand perception and loyalty, and ultimately leading to customer attrition.

No strategy means more risk

Organizations that want to migrate services to the cloud need a specific cloud strategy to support these goals and their overarching business objectives – yet many don’t have one. Their adoption of cloud computing is instead driven by less well-considered reasons: “We should move operations to the cloud because our peers or competitors are doing it, so it must be a good thing.” Or, even worse, “We allocated funds to this in our budget that must now be spent.”

Security should be a key element of any cloud strategy. For reasons of accountability and liability, cloud service providers adopt a model of shared responsibility with their clients, depending on the type of cloud computing service they’re providing – infrastructure as a service, platform as a service or software as a service. So, the cloud strategy must set out the client organization’s security obligations within a secure-by-design architecture that proactively mitigates risk.

The threats associated with cloud computing include:

  • Insecure application programming interfaces (APIs): A major risk, as the proliferation of IoT devices and data-based applications comes with a higher number of system and application integrations to support data-based decision-making.
  • Malicious insiders: Users with malicious intent may already have access to cloud servers and administrative functionality, which means they can easily launch attacks.
  • Denial-of-service attacks: These render cloud-based business services inaccessible by shutting down or severely slowing network traffic, for example.
  • Misconfiguration: On the infrastructure side, subnets, load balancers, virtual machines and other technology may have misconfigured settings that could leave an organization vulnerable to data breaches.

Keep an eye on compliance and assurance

Another risk area is legal and regulatory compliance. Under the European Union’s General Data Protection Regulation (GDPR), for example, even less severe infringements can lead to a fine of EUR 10 million or 2% of a firm’s annual revenue, whichever is higher, or up to EUR 20 million or 4% of a firm’s annual revenue for more serious violations. In our globalized society, most countries have now put in place legislation on data protection and privacy.

Assurance – the process of ensuring that customers receive the services they have paid for smoothly and effectively – is also a vital area, as it limits interruptions to company operations. This means services must be accessible when they are needed, and data that is saved or processed in the cloud should not be intercepted or changed without accountability. Most importantly, only employees with the appropriate access rights should be able to access the data.

Therefore, organizations’ cloud strategy and security policies must address these issues.

Who looks after what in cloud services?

The shared responsibility for security in cloud-based ecosystems is typically divided as follows:

  • Client organizations are responsible for authentication and access control; encryption, whether of client data or at server and network level; customer data, platforms and applications; and the operating systems, networks and firewall configurations that form part of their core infrastructure.
  • Cloud service providers take care of the machinery that supports their cloud services, including facilities, networks, hardware and software. While software security criteria relate to computing capacity, storage management, databases and networking, for example, the hardware criteria take into account regions, Azure Edge Zones and Amazon Web Services (AWS) Availability Zones, among others.

Automation makes life easier

Organizations can address cloud security issues in several ways, but it can become a pricey exercise – both financially and in terms of potential security breaches.

Automation can help to maintain consistent security levels across rapidly changing on-premises and cloud-based environments while allowing organizations to meet their goals for time savings, agility, scalability and cost-effectiveness.

In this way, they can automatically monitor cloud-based applications and infrastructure on major platforms (including Google, Microsoft, AWS, SAP, Oracle Cloud Infrastructure and Verizon), continually improve their security posture and maintain their compliance with data and security regulations.

How we can help

The cloud delivers many advantages to organizations, but it also comes with unique security challenges. Cloud-based infrastructure is very different from on-premises data centers, and traditional security tools and strategies do not apply.

That’s why, at NTT DATA, we have tailored a range of managed cloud infrastructure services – including Managed Public Cloud, Managed Private Cloud and Managed Infrastructure Services – that cover all your organization’s cloud needs, end to end. We have more than two decades of experience and accredited expertise in a variety of cloud environments, and we’ll find the cloud solution that’s best for your organization.
