It has been an interesting week for cybersecurity professionals in Singapore. Singapore’s Prime Minister Lee Hsien Loong highlighted the benefits of using commercial public cloud services in his address at the GovTech Developer Conference, while simultaneously highlighting the importance of cybersecurity as an integral part of Singapore’s Smart Nation efforts. The Monetary Authority of Singapore’s Cybersecurity Advisory Panel also put out a list of recommendations, one of which was to encourage organizations to move to the public cloud where feasible because it offers security advantages that would otherwise be very difficult to achieve.
When advising security teams about cloud risks, I am often reminded of this epic courtroom scene between Jack Nicholson and Tom Cruise in the movie ‘A Few Good Men’ (warning: angry Jack Nicholson=aggressive language). In his rant to Tom Cruise (Lieutenant Weinberg), Jack’s character (Colonel Jessup) says, in reference to his role as the commanding officer of a frontline Marine unit:
“Son, we live in a world that has walls, and those walls have to be guarded by men with guns. Who’s gonna do it? You? You, Lt. Weinberg?”
Sounds familiar? Well, security and risk leaders have traditionally been comfortable with the notion of securing their data by putting a ‘wall’ around it – in other words, physical control by virtue of running all applications and storing all data in a company owned datacenter guarded by firewalls. Data location was used a proxy for greater control and therefore greater security. However, breaches did happen and arguably at a greater frequency than they do in the cloud. So, what happens when you move to the cloud? Do those walls disappear? Do organizations completely outsource security to the cloud provider?
The core concepts do not change, but the way they are implemented is quite different in the public cloud. For example, file sharing is one of the biggest drivers for adoption of SaaS collaboration platforms. However, open file shares are also the biggest risk! If CISOs (Chief Information Security Officers) were to sit on the wall (like Colonel Jessup) with a gun shooting down collaboration efforts, nobody would be happy. Ideally, CISOs should look to implement adaptive security controls based on the identity and device context of the users accessing these files. So the idea is for security control to move with the workload, user and data as much as possible, rather than being static.
Security in the cloud is not a ‘fire and forget’ exercise. Cloud provider brand names and lists of compliance certifications/assessments (yes, even Singapore’s very own MTCS) go only so far in generating trust. CISOs also need to investigate whether the cloud provider is able to support their security needs through a combination of native and third party controls, that the customer is ultimately responsible for implementing and deploying.
Security leaders need to apply controls appropriate to the risks they perceive may manifest in the cloud. More restrictive security controls (like higher degrees of encryption) can reduce security risk but typically also reduce agility and productivity (and usually cost a lot more as well). Security professionals in Singapore have a great opportunity to drive a nuanced discussion around adoption of cloud computing and change their relationship with their business counterparts. Their role should be to advise the business about the various risk treatment options in front of them as they embark on their cloud journey and therefore function as business enablers.
PS: Here is a link to a summary of Gartner’s published position on cloud security (credit to my colleague Jay Heiser for this paper originally published 2+ years ago: Clouds Are Secure: Are You Using Them Securely).
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.