When Officeworks stores across Australia started running out of computer monitors and ethernet cables in March this year, it was a sure sign that Australia’s pandemic-necessitated exodus from the office to working from home was in full flight.
Across the nation, workers, executives and tech staff scrambled to grab what IT kit they could to ride out new distancing requirements and still perform their jobs.
Overnight, once ‘optional’ resources for workers like remote system access, VPNs, collaboration and group-work tools – not to mention plenty of hasty cloud migrations of enterprise software – became the norm in days and weeks, not months or years.
But there was a threat looming, it was a big one, and it was real.
As nations across the globe pivoted to enable people to work from anywhere – often via consumer-grade networks – thieves, hackers and so-called state-based cyber actors immediately mobilised to find and exploit the new holes and malicious opportunities proliferating before them.
Threats just got real
In late June, Prime Minister Scott Morrison went public with what many in cyber and national security circles had quietly been tracking (and repelling) for months: unprecedented and military-industrial-scale cyber assaults across multiple sectors.
“Australian organisations are currently being targeted by a sophisticated state-based cyber actor,” Morrison cautioned at a surprise press conference.
All aboard secure cloud? Mind the gap
Cloud security was on the hop – and the hop is a big one.
Fortunately, industry is stepping up to the task with plain English technical and educational resources to enable stakeholders to safely navigate the new cloud security landscape.
A new landmark study of 750 key government and enterprise cybersecurity and IT executives has found that while organisations large and small are rapidly transforming their operations through embracing cloud computing at scale, effective risk management and security are not yet keeping up.
The finding is part of a pertinent and comprehensive analysis in the recently released Oracle and KPMG Cloud Threat Report. It’s also a serious wake-up call for public sector leaders because it reveals solid cybersecurity and risk management isn’t yet moving as quickly as the shift to a cloud-first footing.
A commonplace assumption is that cloud is more secure by default: it should be and can be, but people from the top down need to make this persistently happen across organisations rather than treating it as a compliance issue simply fixed with a procurement whitelist.
Shift from compliance to responsible resilience
A key challenge for public sector organisations now rapidly transforming operations and delivery to a digital footing is how and where responsibilities fall for cloud instances, and their various flavours.
The evidence was collected across North America, Western Europe, Australia, Japan and Singapore at the beginning of 2020, and goes to the heart of what public sector agencies and critical infrastructure operators – think banks, transport and utilities – need to do to secure digital operations.
Managing and controlling the increasing complexity of various cloud-based instances and services is cited as a key concern and challenge. While 88% of organisations in the report currently use public cloud infrastructure, 67% indicated they found the model of “shared responsibility”, on which much cloud security practice is founded, confusing.
“The terms ‘hybrid cloud’ and ‘multi-cloud’ continue to foster confusion, yet, for most organisations hybrid, multi-cloud environments are, in fact, the complexion of the modern data centre,” the Oracle and KPMG Cloud Threat Report observes.
Cutting through complexity
That confusion is amplified by many organisations being required to retain direct sovereign and physical control over some data and applications, but also pursuing the cost, efficiency and productivity advantages of public cloud.
A key area of concern is around business critical applications like ERP, customer relations and management, financials, HR systems and other systems of record. These are now all in the process of a “lift and shift” or preferably a “move and improve” to the cloud, whether by instigation of the user or the vendor… or both.
Participants in the Oracle and KPMG Cloud Threat Report said just over a third of their business-critical applications will be migrated to the cloud “as-is” over the next 24 months – an immediate and urgent reason for public sector leaders to obtain clarity on their organisation’s cloud security.
Navigating Australia’s new cloud rules
A major recent cloud security change for Australian government agencies, especially at the federal level, has been the shift from buying cloud from a pre-approved supplier list to agencies using security-vetted assessors under the Australian Signals Directorate’s Information Security Registered Assessors Program (IRAP).
For agencies this means being able to take advantage of in-country sovereign cloud offers from secure applications vendors, like Oracle, on infrastructure with military-grade cybersecurity architecture and decades of defence-in-depth acumen built-in from the outset.
Released in July, the new guidance from the Australian Cyber Security Centre not only allows agencies to seek ASD-grade suitability assessments for their proposed cloud deployments, but also makes agencies responsible for ensuring systems continue to stay secure.
It’s a long-awaited opportunity for agencies to realise the huge efficiency uplift properly secured cloud-based services can deliver, but it also means executives from outside IT, corporate services and security branches need to buy into a whole-of-agency security culture and educate themselves.
Clear guidance and resources are at hand
The good news is that accessible, jargon-busting resources that demystify evolving cloud security concepts with pertinent and credible evidence, like the Oracle and KPMG Cloud Threat Report, are now available.
A key challenge for agencies that the report addresses is how to pragmatically and persistently embed cybersecurity into innovative organisational operating modes and newer ways of working, like Agile or DevOps.
In simple terms, the fact that cloud facilitates a much faster “conveyor belt” for the way software and systems are developed and integrated means that security needs to be integrated within the very culture of development – rather than being checked at the end.
Dubbed ‘DevSecOps’, the persistent application of security principles from the design stage up is in part being driven by the opportunity to automate and apply machine learning so that cloud security safeguards are rapidly deployable and highly effective – a vital posture when attackers use similar industrialised capabilities.
The Oracle and KPMG Cloud Threat Report found that 40 percent of participants felt DevSecOps fostered higher levels of collaboration between organisational stakeholders and allowed them to “gain greater operational efficiency”.
That’s a positive sign that cybersecurity and cloud are coming together to augment productivity and efficiency, rather than slowing agencies down.
To find out how, download your free copy of the Oracle and KPMG Cloud Threat Report today.