8 megatrends in cloud security and their impact on organizational cyber risk: risk and insurance

A session at RIMS discussed 8 cloud software megatrends and how they relate to an organization’s cyber risk.

Many companies and organizations have become very familiar with the use of “cloud” software, which allows users to store their data with an offsite provider. While cloud implementation has become widely known, risk managers are still hesitant to fully embrace its capabilities for two main reasons:

  • The cloud forces risk managers to trust a third-party entity.
  • Organizations still struggle to understand the true extent of cyber risk.

Many risk managers are still more familiar with on-premises data infrastructure because that is simply all they have experienced. But cloud data infrastructure offers its users more security than on-premises capabilities.

Despite risk managers’ hesitation to fully adopt cloud software, these programs have been, and will continue to be, a critical point for how organizations operate in the cyber landscape. And because the cloud and its technology are constantly evolving, it’s essential for stakeholders to identify and understand current trends regarding the software, including its potential benefits and risks.

Fortunately, a session at the 2022 RIMS conference in San Francisco did just that. The session, “Cloud Computing and Cloud Security Risks,” brought together three Google employees to discuss everything there is to know about the cloud.

Speakers included Monica Shokrai, Head of Business Risk and Insurance, Google Cloud, Kathryn Shih, Security Group Project Manager for Google Cloud, and Gerald Cowen, Sales Manager for Google’s Risk Protection Program.

The session focused on 8 cloud security megatrends and their importance in organizational cyber risk.

Cloud Security Megatrends

1) Economies of scale

A decrease in the standard cost of security features will result in an increase in the base security level or overall security performance.

Shih said: “[The cloud] is an example of a high fixed cost problem, finding the procedures to ensure availability or that [operations] are properly maintained, [and that is] expensive and time consuming. But once you have these procedures, it’s usually not as difficult to adapt them to additional infrastructure.”

She continued, “By moving to the cloud, customers are able to move that high cost to a provider who can then spread that high cost across many customers with favorable unit economics. It’s just a class of problems that ceases to be a problem for the individual customer.”

2) Healthy competition

As the cloud becomes a more streamlined tool for businesses and enterprises, it’s only natural that various vendors will want to offer the cutting-edge technologies in this space. This healthy competition has allowed the cloud technology industry to be at the forefront of innovation, which allows the cyber insurance industry to constantly spot bad actors looking to infiltrate organizations.

3) Software-defined infrastructure

Because cloud technology is software-defined infrastructure, it doesn’t require humans to manually manage software or “deal with administrative tasks,” according to the session. This not only allows for more transparent configuration, but also means security preferences are established by code, so a user simply needs to verify the effectiveness of security.

This infrastructure is certainly useful in the scenario of discovering a vulnerability within a system and deploying the necessary resources to correct it.

Shokrai said, “We no longer have that on-premises software environment where when a bug is found, there’s a lag between finding that bug and getting the fix for that bug out.”

Overall, the software-defined component transfers much of the responsibility to the cloud infrastructure, making the job of a cyber risk manager more efficient.

4) Simplicity

Although cloud technology may seem complex to those familiar only with on-premises software, the cloud can not only “identify, create, and deploy simpler default modes of operation,” but these modes of operation then operate “securely and automatically,” according to the session.

The simplicity of cloud technology allows organizations’ cyber risk mitigation efforts to work smarter, not harder.

5) Shared Destiny

What is Shared Destiny and how does it relate to the cloud? To talk about shared destiny, it is important to understand the term “shared responsibility”. Cowen explained, “Shared responsibility starts with this concept: the cloud provider provides the security of the cloud and the client, or application, will provide security in the cloud.” It serves as a symbiotic relationship where one cannot survive without the other.

Shared Destiny is a transition and step forward from Shared Responsibility, which places continued trust in cloud software and healthy pressure to improve security on the vendor side.

6) The cloud as a digital immune system

According to the session, since cloud providers can provide hyper-specific mitigation efforts for each organization’s needs, “every security update the cloud delivers to the customer is informed of a threat, a vulnerability or a new attack technique”.

Like an immune system, cloud software remembers attack methods or techniques that were used to cause disease and attempt a breach.

7) Increase deployment speed

Cloud software works differently than on-premises infrastructure in that it is much more efficient in almost every aspect. In this trend, the cloud’s ability to automate software and system updates, particularly through the use of automated continuous integration/continuous deployment (CI/CD), allows organizations to receive more frequent security sweeps.

8) Sovereignty meets sustainability

Cowen noted that while sovereignty and sustainability are associated in this trend, they exist as two separate entities.

The sovereignty component is particularly important because it allows organizations to have more power when it comes to their cloud capabilities.

Cowen said, “The beauty of the cloud is that when you have a data center in a region that allows [an organization] to meet these third-party requirements, organizations can now specify the policy, where you can create policies that will only allow users to build infrastructure in these locations.”

He continued: “While this may not have been an obvious concern before, [the cloud] now lets [organizations] meet internal and external obligations to help identify where [data] is.”

Emma Brenner is an editor at Risk & Insurance. She can be reached at [email protected]

Aubrey L. Morgan