Moving Cybersecurity to Cloud Infrastructures

11/10/2023

Organizations are turning to cloud technologies to reduce costs and increase flexibility and agility. It is reported that the biggest challenge in transitioning to cloud storage technologies is the adoption of cloud capabilities and the difficulty of integrating them with existing information technology environments. Allocating cloud security is now considered part of regular operations. Since 2020, the number of cyberattacks has been steadily increasing, and phishing attacks, in particular, are among the most common incidents. Organizations are allocating more of their cybersecurity budgets to cloud security, with the main reason being that data breaches and attacks have become more costly due to unplanned expenses to address security vulnerabilities.

The survey found that the top two goals of cloud adoption are to reduce costs and improve security. Supporting remote workers ranked third, which indicates that the pandemic may have accelerated cloud adoption, but cost-efficiency and security are the most significant drivers. On average, organizations report that 41% of their workloads are already in the cloud, and they expect that share to increase to 54% by the end of 2023.

According to the Digital Transformation Office Cloud Storage Technology and Regulations report, based on the responses of 43 out of 57 institutions, highlights several important findings:

It's observed that at least 25% of applications are set to transition to the public cloud, and there are no significant obstacles for 50% of them to move to the public/private cloud with minor modernization.

Inefficient resource consumption, the lack of isolated layers for inter-application service integration, the inability to manage regular archiving, backup, and deletion processes are seen as obstacles to cloud services.

Prority in cloud storage services lies in ensuring accessibility, followed by ensuring privacy and integrity.

Research results suggest that when examining critical and strategically important applications developed by organizations, these applications can predominantly be positioned in a general cloud storage model, with a transition to a private/internal cloud storage model to be considered later.

Cloud service requirements are primarily shaped by accessibility, followed by privacy and integrity needs.

When strategic applications are examined, it's evident that they are predominantly suitable for a public cloud hosting model, followed by a private internal cloud hosting model.

When evaluating cloud migration options for selected strategic applications, options like Reengineering, Repurchasing, and Rearchitecting are more dominant in cloud migration compared to Rehosting.

Approximately 69.8% of institutions are in a position that poses a risk in terms of cybersecurity. Given that resource usage in IT operations is generally at average levels, it can be inferred that cybersecurity will play a significant role in migration strategies. (The Table3, Statistical Values in Report)

When evaluating cloud migration options for selected strategic applications:

The options of Redesign, Repurchase, and Replatforming appear to be more dominant choices for transitioning to cloud technologies, followed by Rehosting.

Considering that approximately 70% of organizations are considered to be at risk in terms of cybersecurity, it can be inferred that cybersecurity will play an important role in migration strategies.

From the recommendations:

In cases where the volume of data in the service received by end-users is small, but the data used in the server-level database is large, it is advised to host web servers on the public cloud.

For the database or middleware layer, it is recommended to be positioned on private cloud technologies, utilizing a wide bandwidth for database read-write operations, thus enabling hybrid solutions (where both public and private cloud usage is managed together).

According to the Cloud Security report published by ISC2 in 2022, here are some global statistics on cloud technologies and adoption:

Globally, more than 39% of companies store over half of their workloads in the cloud, while 58% plan to make this change within the next 12-18 months.

Over 76% of companies utilize two or more cloud technologies. Most organizations (72%) have a hybrid or multi-cloud deployment strategy in place.

Additionally, 78% of companies claim that traditional security solutions do not work effectively in cloud environments or have limited functionality.

In the report, it's observed that 93% of the IT executives from companies surveyed in the ISC2 study are concerned about a significant skill shortage among qualified cybersecurity experts.

Furthermore:

53% of companies see the main obstacle to transitioning to cloud-based security solutions as the shortage of cloud security experts, and 38% state that this shortage makes cloud compliance and migration processes more challenging.

The lack of expertise in Cloud Security technologies for about 40% of organizations. The good news is that 83% of companies believe that their teams will benefit from cloud security training and/or certification, and 56% consider cloud security skills to be the most critical expertise area that their organizations need.

Barikat’s The Secure Information Technology Unit can provide the following contributions:

1. Creating Awareness through Education:*A Gartner study indicates that 70% of global business operations have adopted general cloud technologies, and 50% of businesses plan to embrace multi-cloud technologies by 2025. Therefore, it becomes crucial to create awareness through educational programs such as webinars, effective product usage training, and consultancy services.

The Secure Information Technology Unit, can organize training programs, webinars, product usage workshops, and consultancy services to raise awareness within the organization about cloud technologies.

2. Identifying Business Needs for Cloud Migration/Modernization: It's essential to determine the specific business requirements related to scenarios for transitioning to cloud technologies. This includes identifying needs for change management, go-live processes, problem management, software development, backup/archiving processes, and monitoring the dependencies of the digital infrastructure.

This helps clarify which applications and processes will move to the cloud.

3. Automation, modernization and Software Development Support: Recognizing that cloud environments can be configured much like code, the unit can encourage automation and ensure that software development environments possess this capability. This accelerates the transformation and plays a crucial role in evaluating vulnerabilities and addressing issues through analysis and mitigation.

4. Alignment with Cloud Technology Models Despite statistics showing a different picture, there is a significant trend toward modernizing and moving applications to cloud service providers, especially for applications with lower security sensitivity and cost-effective solutions. The unit can help organizations align with cloud technology models such as SaaS, PaaS, or others, based on their specific needs.

5. Promotion of Collaborative Work Methods: The preference for implementing effective cloud usage in software development processes is evident, with 86% advocating for the application of collaborative methods like DevOps, DevSecOps (combining software development, security, and operations teams). This emphasizes the need for effectively positioning services like Secure Information Technology Consulting, Code Security, and SAST/DAST SCA Analysis in the software development lifecycle.

In summary, the Secure Information Technology Unit can add value by enhancing awareness, determining business needs, supporting automation and software development, aligning with cloud technology models, and promoting collaborative work methods to facilitate a successful transition to cloud technologies.

The Secure Information Technology Unit can assist in managing the transition to cloud technologies successfully and securely, helping businesses carry out this transformation effectively.

When we look at the reality of cloud environments, it can be shaped like a configuration file for all network and system infrastructure, just as software is code. Errors can be minimized through manual intervention when necessary. Furthermore, having software development environments with this capability accelerates transformation. Independent product management and, especially, automation support are crucial for evaluating vulnerabilities and conducting analysis work, followed by problem mitigation.

Despite statistics showing a different picture, there is a significant trend where 25% of applications are adopting the SaaS model, and the %12 of applications PaaS model is also preferred by a percentage. Moreover, unless applications have high security sensitivity and are cost-effective, there is a strong inclination, around 81.5%, towards modernizing and transitioning all applications to cloud service providers.

When asked which cloud technology model they would prefer, the majority, around 86%, opt for applying collaborative work methods such as DevOps and DevSecOps in software development processes. This highlights the importance of effective positioning of services like Secure Information Technology Consulting, Code Security, and SAST/DAST SCA Analysis in the software development lifecycle.

In companies, security teams that ensure or audit data and information security are prevalent, making up a significant proportion at 93%.

Therefore, the definition of Secure IT should involve engaging with these teams, and their requirements can be outlined as follows:

Infrastructure needs (database, virtualization, SDWAN/VLAN, virtual network, etc.)

Application needs (modernization, app service, .net core transition, etc.), and 81.4% of organizations manage software development lifecycle separately and focused by a dedicated team.

Platform requirements, designing services for transitioning from VMware/HyperV virtualization to container/microservice architectures.

In the transition and operational processes of cloud services:

Enhancing SOC mechanisms (79.1%) by providing value-added services such as cloud transformation, EDR (Endpoint Detection and Response), Secure Web Gateway, SASE (Secure Access Service Edge), API Security, etc.

Evaluating the intersection clusters of IoT (Internet of Things) and industrial services in the cloud.

Exploring new technology usages, including blockchain, container applications, automated testing, API gateway, SSO (Single Sign-On), digital identity, and access management.

Enhancing security service quality by procuring security services and managed services from security service providers (e.g., DDoS protection, IPS, Firewall, WAF, CDN, SASE, CSPM, CNAPP, Kubernetes Container Security, Antivirus, APT detection, Content Filtering, etc.) and optimizing the usage of licenses, including both purchased and BYOL (Bring Your Own License) licenses.

Most importantly, understanding the standards that cloud service providers must adhere to in ensuring security, how to implement them, and the legal framework, regulations, and certifications that must be obtained.

These steps are crucial for maintaining security and compliance in cloud service adoption and operation.