Experts at Zscaler’s APAC CXO Summit discuss how multicloud strategies drive organizational change
The need for increased agility, scalability, and performance is driving enterprise public cloud adoption. But the race to the cloud introduces new risks: cybersecurity gaps, misconfiguration, and post-breach vulnerability to lateral movement.
Enterprises often start their cloud journey with a single provider to house a selected number of application workloads. This first step is relatively simple. Over time, however, more and more workloads are migrated to the cloud—often into different public cloud providers. Multi-cloud infrastructure strategies create a whole set of new challenges. Organizations need to refactor or rebuild applications for cloud-native services, provide user and customer access, and ensure that the traffic is secure. But leaders can leverage these challenges to create better, more agile, and more secure infrastructure.
With public cloud service spending expected to reach over $330 billion this year, I found the latest Zscaler Virtual CXO Summit relevant and intriguing. Zscaler SVP Rich Campagna moderated a panel session that included Ventia General Manager Cyber Risk and Resilience Jon Rolfe, Aditya Birla Capital CISO Makesh Chandramohan, and Uniting CISO Doug Hammond. These CXO transformation experts discussed their organizations’ cloud journeys and the challenges they overcame on the way. The topic is crucial for most organizations as more companies adopt cloud and mobile deployments globally.
Watch the APAC Virtual CXO Summit, “Reducing the Risk and Complexity of Secure Cloud Deployment.”
Here are some of the key takeaways from the conversation.
Moving to multi-cloud environments to enable agility and adaptability presents new infrastructure and security challenges.
Most organizations have at least some cloud presence. Often, the starting point is a “lift and shift” strategy that moves a specific use case into a single cloud provider. It's relatively simple and not too unlike a traditional data center. But over time, organizations expand their cloud footprint. This can create issues of visibility and complexity.
Aditya Birla Capital CISO Makesh Chandramohan commented: “The first multi-cloud challenge is visibility. Who is doing what, where? The CISO and team need to consider how to know what traffic workflows are moving between clouds.”
He expanded further: “Obviously, getting clarity around roles and responsibilities is another big challenge. The IT team clearly owns on-prem data centers. But what about public clouds? Who handles data security, infrastructure configuration, software updates, etc.? These can be big challenges in public clouds like Amazon or Microsoft.”
Doug Hammond, CISO at Uniting, jumped in with issues around increased complexity: “Each cloud has a different set of tools that come standard. There are different ways of configuring them. There are interoperability challenges, authentication challenges, and workload hand-off concerns. Multi-cloud deployments can create a huge level of complexity just reconciling standards across the different cloud infrastructures and on-prem.”
Cloud vendors innovate rapidly, which makes staying on top of changing parameters challenging.
Cloud providers innovate and update their services often. Take Microsoft Azure as an example: there are more than 600 separate and distinct services listed. Developers and application teams want to use those services. And these services and features go through a constant process of updates and improvements.
Doug commented: “For a lot of these services and controls, you have very little ability to influence or modify the change. It is a service. And, and that's, that's one of the issues with, with, with cloud services is it's very easy for the business to just, you know, kind of quietly in the background without the security or technology being, being involved.”
Jon Rolfe, General Manager Cyber Risk and Resilience at Ventia, noted that these updates and changes could create security staffing demands: “As we acquire different organizations, we've moved into a multi-cloud strategy. I have a small team, so I’ve taken to using security consultants to do periodic risk assessments to supplement my internal teams.”
Makesh agreed and added: “We can’t continue with an outsourced partner as a maintenance strategy. Upskilling IT teams must be part of your cloud strategy. Every month, we organize on-prem training so that IT teams are not completely out of the code.”
Multi-cloud creates a need for culture and process change.
Dealing with new service and application deployment in multi-cloud environments means that teams can’t remain siloed and uncommunicative. New deployments must combine with other cloud deployments. It’s crucial to create a unified development environment that works with IT.
Makesh opined: “Moving to a public cloud forces people to think about DevOps. It’s one of the best ways to increase productivity and speed. And the moment you start talking about DevOps, you can immediately move to DevSecOps. Make security a part of the operations and ensure that there are no last-minute issues or delays involving cloud security.”
Thinking about security as part of development is essential, as Doug pointed out: “We've used friction to our advantage. We’ve developed standard, pre-approved security processes patterns. There is no friction if teams are developing according to those patterns. If they think they are special, then the friction levels go up exponentially.”
Threats like ransomware mean a need for better security: cloud security for cloud environments.
The threat of new and targeted malware and cyberattacks—especially ransomware—means an increased need for a cloud security solution. The panel discussed some strategies for multi-cloud operators to use against threats like ransomware.
Doug uses cloud security concerns as a way of updating security standards: “There was a degree of nervousness around the cloud from its inception around security. We've used that to make sure that security was baked in. Part of our cloud migration is a recognition that we needed to get serious about security.”
Jon commented how multi-cloud deployments could increase the attack surface, and on the importance of user responsibility: “We’ve taken to filtering the content, removing rights, and rigorously training users. We've got a reliable cross-section of the organization that we can trust to report suspicious activity.”
Doug elaborated: “My response to users saying ‘don’t you trust me?’ is always ‘it's not that I don't trust you, it's the people that are pretending to be you.’ Social engineering, impersonation, targeted phishing—these are my concerns. It's hard for us to tell the difference between the real user and the bad guy pretending to be the real user.”
Some final thoughts from successful transformation leaders.
When it comes to multi-cloud security, it’s important to understand that any point of contact is a possible avenue of compromise. John stated, “We've taken a trust no one approach. We're scanning content inbound, outbound internally, as it moves around our network.”
Doug concluded that the current environment is a huge opportunity: “Security is a hot topic at the board level. Board members recognize their roles and responsibilities. So it's our opportunity to shine and provide the support and advice they need to inform security decisions.”
Watch the APAC Zscaler Virtual CXO Summit video here. Keep an eye out for the next CXO Summit series coming in the Fall.
What to read next:
CIOs zero in on zero trust in inaugural podcast