By Hiyal Biyagamage
The cloud has revolutionised the way businesses operate, providing unprecedented flexibility, scalability, and accessibility to data and applications. However, this digital transformation has also intensified the need for robust cloud security. Ensuring resilience in the cloud is imperative, as organisations entrust their sensitive data and critical systems to this dynamic environment.
Session 2 of the Daily FT-CICRA Cyber Security Summit, which was titled ‘Ensuring resilience in the cloud: Strategies and best practices for robust cloud security’, explored the significance of cloud security, the challenges it presents, and the strategies and best practices to establish a robust security posture in the cloud.
Understanding the importance of cybersecurity
Addressing the gathering as the keynote speaker, Huawei Cloud APAC Director, Public Sector, Roy Chen Qi discussed Huawei’s cloud security strategy at length. He mentioned that as a leading provider of ICT technologies and solutions worldwide, Huawei fully understands the importance of cybersecurity and cloud security to Governments and customers around the world, their deep concerns regarding these areas, and the close attention that must be paid to them by Government bodies and technology companies alike.
“The cloud era has brought with it an endless variety of new security challenges, pervasive threats, and persistent attacks. Huawei is increasingly cognizant of these security concerns and attaches high priority, through heavy investment to technological competency, regulatory compliance, and ecosystem growth in cyber and cloud security. Furthermore, we have adopted practical and effective measures to continue accelerating our R&D in cloud security technologies and services, not only raising the security posture of our cloud products and services but also improving our cloud security compliance and ecosystem.”
“We are committed to establishing mutual trust with stakeholders and helping our cloud customers manage their cloud security risks. Huawei asserts that the establishment of an open, transparent cloud security solution framework will be instrumental to sustainable progress across the entire cloud service industry, and especially to the promotion of cloud technology innovation,” said Chen Qi.
According to Chen Qi, cybersecurity and privacy protection are Huawei’s top priorities. Furthermore, Huawei Cloud had made a cybersecurity commitment to take data protection as its core, technological security capabilities as its foundations, compliance with applicable cybersecurity laws, regulations, and industry standards as its castle walls, and the wider security ecosystem as its moat.
“Leveraging Huawei’s unique software and hardware advantages, Huawei Cloud shall establish and maintain industry leadership and competitiveness with well-managed cloud security infrastructure and services to protect Huawei Cloud services across regions and industries. This commitment will serve as one of Huawei Cloud’s key development strategies. Huawei Cloud not only leverages and adopts best security practices from throughout the industry but also complies with all applicable country and regional-specific security policies and regulations as well as international cybersecurity and cloud security standards, which forms our security baseline.
“Moreover, Huawei Cloud continues to build and mature in areas such as our security-related organisation, processes, and standards, as well as personnel management, technical capabilities, compliance, and ecosystem construction in order to provide highly trustworthy and sustainable security infrastructure and services to our customers. We will also openly and transparently tackle cloud security challenges standing shoulder-to-shoulder with our customers and partners as well as relevant governments in order to meet all the security requirements of our cloud users.”
Cybersecurity is a shared responsibility
During his speech, Chen Qi said security and compliance are a shared responsibility between Huawei Cloud and its customers. That is, Huawei Cloud is responsible for the security compliance of its cloud services, while customers assume responsibility for service security and compliance inside their own organisations.
“Huawei Cloud’s security responsibilities include ensuring the security of our IaaS, PaaS, and SaaS services, as well as the physical environments of the Huawei Cloud data centres where our IaaS, PaaS, and SaaS services operate. Huawei Cloud is responsible for not only the security functions and performance of our infrastructure, cloud services, and technologies, but also for the overall cloud O&M security and, in the broader sense, the security compliance of our infrastructure and services.”
“Huawei Cloud customers are responsible for security inside the IaaS, PaaS, and SaaS cloud services they have access to, particularly for the secure and effective management of any cloud service configurations they have customised,” Chen Qi commented.
Speaking further on this, Chen Qi said, “Cybersecurity is a multifaceted endeavour. The cloud service provider and the customer each bring their expertise and resources to the table. By collaborating and sharing responsibilities, a more comprehensive and holistic security approach can be achieved. This is especially important in the face of evolving threats and attack vectors.”
“The cybersecurity landscape is dynamic, with new threats emerging regularly. Shared responsibility allows both parties to adapt quickly to changing conditions. The cloud service provider can update and fortify the infrastructure, while the customer can implement new security measures to protect their specific workloads. Additionally, both parties are accountable for their respective responsibilities. This accountability promotes transparency and ensures that security measures are implemented and maintained effectively. In the event of a security incident, it is clear which party is responsible for addressing the issue,” said Chen Qi.
A resilient cloud strategy
As the guest speaker of session 2, Google Cloud Security Regional Lead Anubhav Wahie said the cloud has become a fundamental component of the modern business landscape. While the cloud offers numerous advantages, Wahie said its significance is underscored by the sensitive data and mission-critical applications that it hosts. The loss, compromise, or unavailability of these resources can have severe consequences, ranging from financial losses and legal repercussions to reputational damage.
“The dynamic nature of the cloud, with its constant evolution and the proliferation of cyber threats, underscores the need for robust cloud security. Security breaches, data leaks, and cyberattacks have become all too common, making it essential for organisations to implement effective security measures in the cloud environment. Cloud security encompasses a wide range of activities, from data encryption and access controls to threat detection and incident response. By establishing a resilient cloud security strategy, organisations can safeguard their digital assets and mitigate the risks associated with the cloud,” said Wahie.
Ensuring resilience in the cloud presents organisations with a set of formidable challenges. Wahie took the participants through some key obstacles when it comes to ensuring cloud resilience.
“Firstly, the complexity of the cloud environment is a prominent obstacle. It involves a vast array of services, multiple providers, and intricate configurations, making the task of managing security across this multifaceted landscape a daunting one. Secondly, compliance is a critical challenge. Organisations must navigate various regulatory standards and compliance requirements to ensure that their cloud services align with these intricate and evolving standards.”
“Another set of challenges revolves around data protection and the evolving threat landscape. Sensitive data stored in the cloud must be safeguarded against unauthorised access, both in transit and at rest. While encryption and access controls are essential, implementing them correctly can be a complex endeavour. Additionally, the cloud is a highly attractive target for cybercriminals, and organisations must remain vigilant in the face of a constantly evolving threat landscape, which includes challenges like Distributed Denial of Service (DDoS) attacks and data breaches,” said Wahie.
In conclusion, Wahie said that establishing a robust security posture in the cloud involves a set of crucial strategies and best practices.
“A comprehensive risk assessment is the foundation, allowing organisations to identify and prioritise potential threats and vulnerabilities specific to their cloud environment. This forms the basis for informed security decisions. Data encryption is paramount, with data protection required both at rest and in transit. Implementing strong encryption protocols and effective key management practices helps safeguard sensitive information.”
“Aligning cloud security practices with relevant compliance requirements and staying updated on regulatory changes is also essential. Continuous security monitoring and the implementation of robust threat detection and incident response capabilities will ensure timely identification and mitigation of security issues. Most importantly, developing and enforcing specific security policies for the cloud environment, conducting third-party assessments for external cloud providers, and collaborating with cloud providers and industry peers for threat awareness and best practices complete the comprehensive approach to achieving robust cloud security.”
“Challenges in cloud security, such as complexity, compliance, data protection, and the evolving threat landscape, necessitate a strategic approach. By adopting robust strategies and best practices, organisations can establish a resilient cloud security posture, protecting their digital assets and adapting to the ever-changing landscape of cloud technology. In the age of digital transformation, robust cloud security is not just a defensive measure; it is a strategic enabler for modern businesses,” concluded Wahie.
The two speeches were followed by a panel discussion moderated by ISC2 Colombo Chapter President Sujit Christy. Alongside Roy Chen Qi and Anubhav Wahie, NCINGA Chief Information Security Officer Aruna Malalasena, CBL CIO/Chief Architect Keshan Dayaratne and Visa Sri Lanka and Maldives Country Manager Avanthi Colombage shared their key insights during the panel discussion.
The strategic partners of the summit were Visa and Huawei. The official payment network was LankaPay, the official finance company partner was People’s Leasing and Finance PLC, the knowledge partners were PCI Security Standards Council and ISC2 Chapter Sri Lanka, the creative partner was Mullenlowe and the hospitality partner was Cinnamon Grand.
– Pix by Upul Abayasekara and Ruwan Walpola