Security is the number one concern for organisations looking to commence their digital transformation journeys via migration to the cloud, according to global cybersecurity experts.
Speaking at a Zscaler-hosted lunch event attended by Fifth Quadrant last week, Alex Woerndle, who is an analyst at Ecosystm and on the Board of the Australian Information Security Association, said that organisations need to move away from this outdated view.
“Security is absolutely being seen as a road blocker to innovation, and it’s a roadblock to transformation and it’s a roadblock to improving a business,” Woerndle said.
Citing research carried out by Ecosystm, Woerndle said that over half of respondents of a survey identified security as the top challenge to cloud adoption.
Customer data represents a significant opportunity to innovate and grow. Research we conducted for HP in 2018 found that:
- 49% of Australian small-to-medium sized businesses (SMBs) claim access to customers’ personal information is essential to their day-to-day business operations
- 60% said it helped them to deliver more personalised customer services and ultimately grow their business
Woerndle said that security was considered the number one risk both in Australia and globally, but was slightly higher in Australia.
Richard Stiennon, Chief Research Analyst and Founder of IT-Harvest, agreed that the early reluctance to adopt the cloud has been due to security fears.
“When I interviewed 16 CIOs and CISOs for my book, they all had the exact same reservations when they starting moving down their cloud journey,” he said.
Stiennon said that many companies, such as General Electric, started their digital transformations roughly 10 years ago, or immediately after the Global Financial Crisis.
“They needed to cut costs and they saw the cloud as a way to do that,” he said. “And their first question is always about security.”
An outdated view
However, Stiennon also concurred that the security concerns regarding large public cloud providers may be outdated.
He gave the example of some consulting he’d done for a large bank which, like many banks, still had its own data centres.
The bank had checked everything from a traditional internet perspective and it looked good, but when they did a physical inspection, they found a modem connected to a CCTV which was a major vulnerability.
“When you maintain your own data centre you turn into your own security firm,” he said. “But if you are relying on Azure and you send somebody off to Microsoft for a tour, they’ll come away amazed at the level of security.”
The old weakness becomes a strength
Speaking at the ASEAN Public Sector Summit hosted by AWS in Singapore this month, AWS VP of Worldwide Public Sector Teresa Clarkson said there is an ongoing shift in the other direction.
“In fact, I hear more people now telling me that they move to cloud now because of security,” she said. “I used to hear ‘I can’t move to cloud because of security’; now it’s really the top reason.”
As a case in point, AWS provides more than 200 security and compliance-related services, according to Vincent Quah, Regional Head of Education, Research, Healthcare and Not-for-Profit for AWS Asia Pacific and Japan.
“Security is our number-one job,” he said. “AWS is an online cloud service provider. That is our only business. So for us, it is incumbent that we provide the best security capabilities to our customers, to secure their data and to secure their AWS environment.
Security as a ‘shared responsibility’
Like most major cloud providers, AWS operates on what is known as the 'shared responsibility' model, when it comes to security.
What this means is that AWS is responsible for all the infrastructure – the hardware, software, and networking, and data centres - that run AWS cloud services. This is commonly called “security of the cloud.”
The customer on that other hand is responsible for what is known as “security in the cloud”.
“Customers are responsible for managing their data (including encryption options), classifying their assets, and using IAM tools to apply the appropriate permissions,” AWS says. The chart below shows the differentiation of responsibility:
AWS: Shared responsibility chart. Source: Amazon
Azure takes a similar approach, but depicts responsibilities according to the type of deployment being used by the customer:
Azure: Shared responsibility chart. Source: Microsoft.
An area of concern for the Australian Government
In its Australia’s 2020 Cyber Security Strategy discussion paper published this year, the Australian Government acknowledged how cybersecurity concerns may be impacting innovation.
The Government said that despite making strong progress against its goals set in 2016, it believes the threat environment has changed significantly, and that new approaches must be adopted to improve security.
"[T]here is always a balance Government must strike – obligations that are unclear or onerous can discourage innovation and reduce our international competitiveness,” the Government said. “On the other hand, the rules that protect and support Australians should keep pace with the extreme rate of technological change in rapidly evolving sectors of the economy.”
The Victorian Government migrates to the cloud with Zscaler
This is not to say that digital transformations in Australia have ground to a halt.
Cenitex, the Victorian Government’s information and communications technology shared services provider, announced last week that it has adopted Zscaler’s cloud platform to secure its IT services for more than 36,000 Victorian public servants across 450 offices in Victoria.
Zscaler’s solution is boosting Cenitex’s efforts to transform itself into a cloud-first organisation, improving the resilience, reliability, responsiveness, scalability, and security of its core networking and hosting infrastructure.
Director of Digital Transformation at Cenitex Nav Pillai, who also attended the lunch event, said in a statement that Zscaler has been a game change in the way Cenitex can deliver services to its users.
“Rather than deploying cloud security from legacy firewall vendors, we chose Zscaler’s cloud-based platform to protect corporate-issued devices wherever they are connected to the internet and give us near-instant scalability capability to support new users,” he said.
Australia’s “skill gap”
The Australian Government said in its paper that it continues to receive feedback about a cybersecurity skills gap in Australia.
“AustCyber estimates that there were 2,300 fewer skilled cyber security professionals than required in Australia in 2018. Up to an additional 17,600 will be needed by 2026,” the Government said.
Solving this problem may involve new training systems to meet the needs of the cyber security sector and the establishment of more formal qualifications for cybersecurity jobs.
Another issue identified by the Government is the lack of cybersecurity insurance uptake in Australia, which it said is due to a lack of product and a relatively immature marketplace with poorly defined terms of coverage.
“Difficulties in quantifying the risks and potential losses from future cyber incidents could be a barrier to growth in this area,” the Government said.
Data Security Checklist
Steve Nuttall, our head of CX research said that "CX leaders and marketers need to take a more mature approach to data governance and get a better handle on modern data security." To help prepare the foundations on which innovation can thrive, consider the following:
- Find ways to empower customers to take control of and manage their data
- Figure out what data needs protecting and why
- Familiarise yourself with the privacy obligations under the Australian Notifiable Data Breaches (NDB) scheme
- Ensure your privacy and security plans are fit for a multi-channel environment
- Integrate your data security and Identity Access Management (IAM) technologies