Modern Security, Cloud and the importance in any security program.

Perimeter defence strategies have been a common term in the cyber security workplace for some time.   Do we consider this widely adopted approach out of touch for the modern information security program? 

With Organisations making use of technology productivity services, ways of doing business and infrastructure that is highly interconnected, just as the workforce who consume the services are, is the cyber program missing a considerable area of risk?  There is opportunity to provide real value of effectiveness by driving a cloud first security approach, protecting cloud assets and SaaS solutions, more importantly, the valuable data & information that’s entrusted to these services.

We are ever moving to a world where more and more workloads are moved into cloud and interlinked with on premise systems with many upstream/ downstream dependencies.  

It’s within reasonable understanding that as the rush towards AWS, GCP & Azure and their IaaS offerings took place and as technology vendors of SaaS & PaaS solutions generally entering en masse into the technology portfolio of most organisations, they are potentially less secure than what is assumed, or at least difficult to maintain visibility of.  Determining when Data exfiltration takes place from a single source is also a challenge due to non tried and tested build, deployment & scaling!  Data centre infrastructure has been around for a long time so it should be no surprise and not without previous efforts to secure those workloads.  

This makes way for the importance of business relationships in being able to move identified, potentially risky with weak controls or even compromised technology as a priority to a more strategic infrastructure service rather than a wide scale protection or uplift in cyber security presence across an in situ service offering.  

Of course there are many variables to consider such as cyber funding or investment, awareness, scale, complexity and even the important ability to obtain executive sponsorship for a change in culture.  However, should we be capturing and understanding our organisations appetite for risk for any systems built in the past and focus on protecting the future?  

Are we assuming too much responsibility and protection of our valuable information on the technology vendors?  We know of the shared security models within CSP’s, although the recent pandemic has reinforced to us that protecting assets when the arena and its audience is no longer static is a challenge.