Building trust in Hybrid Cloud - Cybersecurity - Microsoft
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Cybersecurity Building trust in Hybrid Cloud
Contents
03 The Cloud security challenge
04 Get off of my cloud!
05 Responding to the threat
06 Cybersecurity goes hybrid
10 Cloud security in action
11 Creating value with a secure hybrid cloud
12 The Atos advantage
13 Rising to the next challenges
14 A hybrid cloud security checklist
02The Cloud security challenge
The Cloud is a key enabler of digital transformation. It is transforming
business, organizations and government, enabling new levels of speed,
agility and focus. At the same time, cloud computing has spawned
an alarming range of new security threats. These threats require new
thinking from business leaders and even traditional IT professionals.
Migrating your business to cloud services As companies move towards a hybrid Cloud computing security is no longer just an
can deliver significant cost and efficiency cloud environment, mixing on-premise IT issue. It is a strategic boardroom concern,
gains for organizations of all sizes. Cloud infrastructure with multiple cloud providers with major consequences for shareholder
enables enterprises to reinvent their business and ‘shadow IT’, their traditional defenses value and corporate reputation. Because of
models, forge better relationships with may be overwhelmed. Because of the always-on nature of cloud computing,
customers, take significant costs out of their heightened security concerns and the fear security breaches can have long-lasting
operations and get successful innovations to of the unknown, some organizations are not impacts on how a company is perceived
market ahead of the competition. benefitting fully from the power of cloud and on how it is valued by the market. If the
computing. C-Suite ignores cloud security at its peril.
Whether as Software-as-a-Service (SaaS),
Platform-as-a-Service (PaaS), Infrastructure- While the major cloud service providers New technologies and strategic thinking can
as-a-Service (IaaS) or the latest trends in are experts at ensuring the security of counter today’s security threats and secure
Container-as-a-Service (CaaS) and Function- the Cloud, security inside the Cloud is the hybrid enterprise. With the right security
as-a-Service (FaaS), cloud continues to evolve largely the responsibility of the customer. policies, processes and partners, businesses
and provide organizations with the agility To make sure that they can manage these can defend themselves against attack and
they need for today’s fast-paced digital world. new responsibilities, enterprises need to maximize the value of their investment in the
transform their security organization, policies, Cloud.
As well as multiplying opportunities, cloud processes and controls. They will also have
computing can also multiply risks. The rise to adopt new technologies and change their
of cloud has led to a new breed of security processes to adapt to this new world.
vulnerabilities and amplified existing ones.
million
of 4 million publicly available Docker Hub Americans and Canadian personal data were of companies surveyed in a US reasearch study
container images had critical vulnerabilities1 leaked in a Capital One data breach, which by IDC have experienced at least one cloud
resulted in a $80 million settlement to the data breach in the past 18 months3
Office of the Comptroller of the Currency2
A hole in the S3 bucket “Hybrid clouds are often the starting point for
According to the Cloud Security Alliance, data organizations in their cloud journey. However,
breaches are the single most critical issue for
cloud security. Many of these breaches are any cloud model consists of risks, threats, and
the result of a simple misconfiguration by
customers of their security inside the Cloud.
vulnerabilities. [....] The selection of a suitable hybrid
With a hybrid cloud security enforcement cloud solution is an urgent problem for users from
and monitoring program, these mistakes can
be quickly identified and corrected. a security and compliance perspective.”
Mitigating Hybrid Clouds Risks report, October 2020, CSA
1
Prevasio, Operation Red Kangaroo, 2020
2
Office of the Comptroller of the Currency
The OCC fined Capital One as the bank did not establish effective risk assessment
processes before the migration of several technology operations to public cloud
3
IDC Cloud Security survey highlights, 2020
Building trust in Hybrid Cloud 03Get off of my cloud!
Make no mistake. Securing the Cloud is more complex than you think. But
a carefully considered cloud strategy can deliver comprehensive security
while stimulating business and digital innovation.
As organizational data moves beyond the traditional perimeter, cloud In this new environment, the native security features of the cloud
computing has expanded the attack surface. Using Cloud services, provider can only ever be a start. Gartner has estimated that through
companies will be sharing a platform with other organizations and 2025, 99% of cloud security failures will be the customer’s fault.4
potentially with criminal agents intent on harm. While the cloud service provider can focus on the security of the
Cloud, it must be the responsibility of the customer to ensure security
To counter this threat, leading Cloud services companies offer their inside the Cloud.
customers a common defense against attack. They will monitor cloud
services and look out for any anomalies or cause for concern. To achieve this, they will need not only transform technologies but
also policies on risks, responsibilities and data ownership. Atos works
However, in a complex, multi-cloud world these systems are not with customers around the world to evolve towards this framework,
enough to secure a company’s environment. adding a sophisticated layer of trust, control and monitoring that
covers all the complexities of the multi-cloud world.
is the average cost of a data breach caused by system of organizations surveyed by McAfee had tracked a malware infection
glitches or human error.5 back to a cloud application6
Security in cloud computing is based on a shared responsibility model. Depending on the model, be it IaaS, PaaS or SaaS, while the cloud
service provider has responsibilities for the security of infrastructure, physical network and often also the operating system and application, it is
the customer’s responsibility to manage elements including user access, identity and the data itself.
Data is always under customer responsability The Egregious 11
The Cloud Security Alliance (CSA) has
identified the following 11 major security
threats to cloud computing:
Security Customer data (in use / at rest / in transit), IAM config 1. Data breaches
Customer
in the Cloud 2. Misconfiguration and Inadequate
SAAS Platform, applications, IAM infrastructure Change Control
3. Lack of Cloud Security Architecture
PAAS Operating system, network & firewall configuration and Strategy
4. Insufficient Identity, Credential, Access
Security IAAS Compute Storage Database Networking and Key Mgmt
provider
of the Cloud
Cloud
Regions 5. Account hijacking
Edge 6. Insider Threat
Data centers locations 7. Insecure Interfaces and APIs
8. Weak Control Plane
9. Metastructure and Applistructure
Public Cloud Security - A Shared responsibility / A Trust relationship Failures
10. Limited Cloud Usage Visibility
11. Abuse and Nefarious Use of Cloud
Services
4
https://www.gartner.com/smarterwithgartner/is-the-cloud-secure/
5
https://www.ibm.com/security/data-breach
6
McAfee Navigating a Cloudy Sky” report
04Responding to the threat
When an organization migrates their business to the Cloud, it will have to
assume new responsibilities and develop and adapt their processes and
procedures to counter diverse and unfamiliar threats.
The as a Service models offer an increasing The cloud provider will have to handle the Still, only 16% state that they store no
range of solutions tailored to the company’s security of the applications in the cloud and sensitive data at all on the cloud7.
business, giving them the flexibility to choose the security of the cloud itself.
what they want. Depending on the model As they focus their resources on this latest
chosen, the shared responsibility for the Empirical data suggest that many companies threat, enterprises are devoting increasing
security of and in the cloud will vary. For are finding it difficult to rise to this challenge. proportions of their IT security budgets to
instance, in an on-premise model, everything According to a survey by McAfee of 1,400 IT cloud security. From 5.6 billion USD in 2018,
is on the customer responsibility from the decision makers around the world, 28% of the amount of spend allocated to cloud
cloud infrastructure to the data, whereas in organizations do not feel they have complete security is expected to more than double to
a SaaS model only user access and data are control over who can access sensitive data 12.7 billion USD by 20238.
concerned. when using IaaS, 25% for SaaS and 18% for
private cloud.
Threats Impacts
Leaky buckets
Shadow IT Loss of IP
AWS S3
Loss of customer trust
Supply chain APT
Degraded brand image
Target breach Weak ID
Violation of regulations
Insecure API’s Data loss
Data loss Financial cost
Unsanctioned Cloud DDOS
Business continuity disruption
Cross workload attacks Serverless attacks
Orchestration attacks Cross Cloud attacks
Unsecure infrastructure as Unsecure registries (Docker
a code templates Hub Container Images, GitHub...)
“Our breach is their
breach, and their
Along with technological innovation and cultural change, it is the growing maturity of the shared
responsibility model that will increase confidence in cloud security and help organizations reap the breach is our breach.”
full benefits of cloud computing.
CISO of large entertainment company, cited
To address the cloud security challenges, at Atos, we propose an approach in 3 steps: assess, in McAfee, Navigating a Cloudy Sky
protect, detect & respond.
Assess
To protect you must
first identify the ‘what’,
“The top four frequent
Detect & respond
To preserve a secure
the associated risks application and/or
and the use case
state it is crucial to requirements web server attacks
ensure the real-time
detection of security organizations reported
elements and have
the capability to
Protect are DoS (89%), SQL or
automate a response
To maintain
confidentiality, other injections (85%),
integrity and
availability security
API manipulations (84%)
controls must be and Bot attacks (82%)”
integrated into procesess
and dynamically updated to Radware 2020-2021 The State of Web
ensure their effectiveness Application and API Protection
Cloud Security - An Integrated and Continuous Approach
7
McAfee Navigating a Cloudy Sky” report
8
Forrester Analytics: Cloud Security Solutions Forecast, 2018 To 2023 (Global).
Building trust in Hybrid Cloud 05Cybersecurity goes hybrid
In today’s hybrid, multi-cloud environment, it is imperative that
enterprises integrate all their security controls into one overall security
posture. Only with a robust approach to cybersecurity, protecting data
that is shared across both public and private clouds, can the benefits of
cloud be maximized.
The native security controls of cloud providers are useful, but they Gartner has said that in this new world, companies must change their
have their limits. They cannot protect you against the risks posed line of questioning from “Is the cloud secure?” to “Am I using the cloud
by employees using shadow IT. Nor do they manage the security of securely?”
an organization’s on-premises servers and infrastructure. And they
cannot manage the security of an organization’s owned workloads Atos has built a secure hybrid cloud platform for these complex new
inside the cloud, whether they are virtual machines, containers or ecosystems, answering these questions and adding an additional
applications. layer of security controls that covers both cloud computing and
traditional environments.
Threat 24x7 Global Security Computer Emergency
Atos MDR
Intelligence & Hunting Operations Centre Response Team (CERT)
Managed Detection and Response AIsaac
Security Cloud Workload Container Managed Cloud Provider Cloud Cloud App
for Digital Access Protection Security Security Services Encryption IAM Security
Workplace Security Testing
Broker
Cloud Security
Services
I want to secure I want to have
my modern visibility and I want to secure my data centre in I want to utilise the native security I want to retain control of who I want to
workplace but control of SaaS the cloud without impacting the controls from my CSP and build a has access to my data, where it’s ensure my dev
also leverage services both agility cloud brings roadmap together located and be the only custodian ops pipeline is
native controls sanctioned and to my keys secure
unsanctioned
What are my cloud risks today? Cloud Security Posture Management Am I still compliant?
“The key to application security in 2021 will rest on the ability of
app development and product teams balancing the need to secure
infrastructures while migrating apps to public clouds via automation
and governance.”
Radware 2020-2021 The State of Web Application and API Protection
06Cloud security maturity assessment
Before starting any Cloud project, the first step is to analyse the During this assessment, with its consulting experts in security and
current situation in order to have a full visibility on the existing status. Cloud, Atos will help you to get a cartography of your landscape, an
Observing and understanding will help to identify where sensitive data initial risk evaluation and a maturity assessment. This will then be the
is stored, what is the scope of shadow IT, during this phase all external foundations to define the best strategy for your specific context.
regulations and internal constraints also have to be taken into account.
1. Baseline 2. Repeatable 3. Standardized 4. Managed 5. Dynamic
RISK GOVERNANCE
Cloud maturity model
Level 1 Level 2 Level 3 Level 4 Level 5
(Baseline) (Repeatable) (Standardized) (Managed) (Dynamic)
Lack of clear cloud use
Approved whitelist for Clearly defined policies
and data security policies Organization has begun Approved CSP list,
all CSP categories at aligned with business
and blocking known to define acceptance policies, and workflows
the department level. objectives, continuously
services without regard to criteria for selecting are updated quarterly
Clearly defined DLP updated with adherence
their risk profile, response cloud services and has by cloud governance
and encryption policies to strong process/
to incidents is incomplete a whitelist of approved committee using
with complete incident workflow and immediately
and slow with ad hoc cloud services feedback from business
workflows and roles incorporated feedback
process
360-degree visibility
In a multi-cloud world, it is essential for Companies are increasingly subscribing to Working with McAfee’s CASB across all
businesses to have visibility of exactly Cloud Access Security Broker (CASB) services cloud services, Atos helps customers see
what data is held in the Cloud and which which give them visibility and control of what data is being shared with third parties
applications employees are using to shadow IT. A CASB sits between users and via the Cloud so that they can take the
access this data. Increasing trust in cloud the services they are accessing for SaaS. It required action based on this insight. Using
computing will require not only a change allows organizations to extend the reach the CASB approach, we can automatically
in thinking but also the implementation of their security policies beyond their own categorize the risk level posed by each
of multiple technologies and processes. infrastructure and into the Cloud. and every SaaS cloud service provider
According to McAfee, today’s leading discovered.
methods for securing sanctioned The Atos CASB service gives enterprise
environments include: customers the ability to: Atos is a certified partner by McAfee
• data loss prevention (DLP) and • discover and remediate the risk from the Security Innovation Alliance (SIA) for
encryption use of shadow IT across the enterprise MVISION Cloud products: Trustway for
data protection and Evidian for access
• identity and access management • control and enforce data privacy and
management.
• regular audits of apps in use and compliance across shadow IT through the
assessments of potential risks sanctioning of cloud apps such Google
Atos’ expertise in McAfee’s CASB
Cloud Platform, Google Workplace, Office
• blocking access to the unauthorized technology enables companies to make
365, Box, Salesforce, and ServiceNow, and
cloud service hybrid cloud management and security a
IaaS platforms such as AWS and Azure
• migrating the shadow IT to an approved seamless experience that supports their
• protect enterprises’ data through persistent digital transformation.
and similar service
protection, wherever it moves within the
Cloud
• insert a frictionless security control point
between the enterprise user and cloud service
Building trust in Hybrid Cloud 07Complying with regulation Lock up your data
Compliance with both internal policies The process of encryption converts data Partnering with an end-to-end provider such
and industry regulation is a major driver of into code that conceals the data’s original as Atos adds a new layer of trust and security
demand for the new generation of cloud meaning to prevent it from being accessed, to cloud computing. While the data goes to
security services. understood or used. While cloud providers the Cloud, the ability to unlock it stays with
can deliver this service, the key to unlock the the client. As a result, only the customer
Across the world, new data regulations are data remains in their possession. can see their data. Furthermore, Atos can
coming into force. Non-compliance with the disable the download of corporate data from
GDPR (General Data Protection Regulation) Many customers would like to protect their the Cloud to unmanaged devices, protect
and the NIS (Network Infrastructure sensitive data from cloud service providers, sensitive data from being uploaded to cloud
Systems) directive in the EU, or the CLOUD where they may be vulnerable to the threat services, and use geofencing to determine
Act (Clarifying Lawful Overseas Use of of a brute force attack – a sustained attack the jurisdictions where sensitive data is
Data) in the US, can result in heavy fines that tries all possibilities, one by one, until it stored and managed.
for organizations as well as a dramatic is successful. The deployment of encryption
impact on reputation. Now more than ever, protects data from any form of access by
cloud security has become a vital business anyone apart from the customer.
requirement. With a holistic, hybrid approach,
an enterprise can assess its vulnerabilities,
implement the right controls, and ensure
continuous compliance across its operations.
Customer has no Cloud provider has no Keys never reach
control of the keys control of the keys Public Cloud
Hardware derived
Cloud HSM Customer HSM Atos HSM
keys (option)
Key Management
Default KMS Cloud KMS Customer KMS Atos KMS
System
Encryption 3rd party encryption
Tool Cloud Service Provider (CSP) encryption
Default Customer Bring your Atos Data
Solution Managed Managed own keys Sanctuary
encryption keys
Scope All data Internal data Sensitive data Secret data
Financial, IT R&D/IP, ViP,
Illustrative By default, Marketing docs, Legal, Export Data
use cases all data data Regulated control Geofencing
Data sovereignty & control
Only the authorized person can access the right resource at the right time
Successful encryption is based on a strong It makes it difficult to have a comprehensive Through identity provisioning, users are
IAM control in order to ensure the entitled visibility and management of each resources, allowed to access the applications needed
users have access to the decryption keys and increasing the risks faced by the organization. for their work, granting them a role with the
nobody else. appropriate authorizations. Finally, multi-
A cloud identity and access management factor authentication ensures a high-level of
Managing centrally who has access to solution helps handling the security policies security by confirming the user’s identity and
what and enforcing policies such as least required for each application. Federated adapting the level of authentication required
privilege is vital. One of the challenge set identity management connects identity to the level of risk posed.
by the migration to the cloud is that for management systems together: with single
each new service included in the cloud, the sign-on, a single user authentication is
more people will be provided with different enough to connect across many applications,
credentials and access policies. even when they have different authentication
protocols, eliminating the burden of entering
credentials every time.
08SOC it to the attackers
94% of organizations are moderately to Atos has a worldwide network of A hybrid SOC enables monitoring of
extremely concerned about cloud security7. SOCs worldwide providing end-to-end cloud services, IaaS, shadow IT and legacy
As data moves out of the data center and cybersecurity services and solutions to infrastructure, around the clock, 365 days a
into the cloud, mobile and SaaS environment, national and global clients across all sectors, year. Atos SOC also use Artificial Intelligence
a new cybersecurity approach is needed to 24x7. Those SOC are a secure facility which and Big Data analytics to help customers
address risks and threats in technologies and functions as the central hub for cybersecurity swiftly predict and thwart security threats.
assets that are no longer under the direct incident prevention, detection and response.
ownership or control of the organization.
Managed Cloud Provider M365 EDR Cloud Container Cloud Cloud Cloud App
Cloud App
M365 SASE
Secrets EDR for CASB Container
environment
SASE for CASB Security Cloud
Managed Cloud
Security Provider
Services Security Cloud Workload Security Encryption Cloud
IAMIAM Security
Security
Security Vault Cloud Encryption
Security Services Protection
Protection Testing
Testing
Cloud
Google
Google Web App Privileged
API Vuln. NextGen Cloud Sec.
Workspace API API
Security Vuln. NextGen µ/n
µ/n Protection
Web App Cloud Sec. Privileged
Access Mgt. Serverless
Serverless
Workspace Protection
Protection Mgt. vFirewall Posture Mgt.
Security Analytics Mgt. vFirewall Segment.
Segment Protection Posture Mgt. Access Mgt. Security
Security
Security
Security
SecurityAnalytics
Analytics
Security in
in the Cloud
Analytics in the Cloud Cloud Security
Cloud Security Automation
Automation&&Orchestration
Orchestration
Atos MDR
Threat intelligence
Intelligence
Threat hunting
Threat Hunting
Managed
Manageddetection
Detectionand
andresponse
Response AIsaac CERT&&24/7
CERT 24/7Global
GlobalSOC
SOCservices
services
environment
On Premise
Data
DataLoss
loss IAM & PAM Secure Web & Mail DDoS Mitigation Endpoint Protection
Endpoint Protection
Prevention IAM &services
PAM services Secure
Gateway Web & Mail
Services DDoS Mitigation
Services Services
Managed
ManagedOn on Premise
premise prevention Services
Servers & network Gateway Services Services
Security
security Services
services Vulnerability APT Detection
Vulnerability Servers & Network
devices FW &FW & Services
IPS IPS Encryption services
Encryption APT Detection&&
management
Management Devices Services Remediation
Remediation
Services
A new Cybersecurity paradigm - Adaptive, integrated and complete
Container security
With many businesses now placing With the ephemeral nature of Containers the
containers at the forefront of their cloud emphasis is in ensuring the images, templates This checklist can help you better
strategy the challenge for security does not and related artefacts are secured by design understand the challenges that containers
necessarily get any easier! With containers, and are continually evaluated for vulnerabilities can bring:
organization can unlock the true potential of or flaws, thus eliminating the need to ‘patch’ as • Have you extended your cybersecurity
cloud bringing greater flexibility, scalability you simply rebuild a new container from your strategy to protect your developer
and portability to name a few. trusted registries. environments?
• How are you securing service accounts
However, with that upside comes a number As a result of this ‘shift-left’ in security the
and other identities being used?
of new challenges and amplification of attack vectors also shift to areas such as the
old bad habits. To start with, our old friend Integrated Development Environments (IDE’s) • Are you discovering dependencies and
misconfiguration is as critical as ever in the end- as they become a more lucrative target for bad nested dependencies within your code
to-end processes associated with Containers actors by compromising the code, credentials, though security scanning?
such as CICD. Ensuring that misconfiguration builds to establish a persistent foothold. • Are your developers using public and
errors and/or vulnerabilities are addressed from untrusted container images?
the inception of a build through to the run state. • Are you signing your binaries to ensure
their integrity?
There are powerful benefits when DevOps and security teams agree on • Have you ensured least privilege across
how and where to incorporate security into the CI/CD pipeline: your orchestrator platform?
• Security is not a bolted-on afterthought. • Are you using analytics to better
understand the runtime behaviour of
• Security is treated as a “first-class citizen,” similar to other app your containers?
components such as implementation errors and software bugs. • Have you implemented appropriate
• Security testing and failures are identified early and addressed early controls to mitigate against application and
on – and more importantly, prior to application deployment, when API attacks?
changes are more costly9.
9
source: https://blog.paloaltonetworks.com/2020/10/cloud-add-security-cicd-pipeline/
Building trust in Hybrid Cloud 09Cloud security in action
The development of secure hybrid cloud services is transforming
business technology at an unprecedented pace. Whatever the main
security concerns of your organization, with the right technologies and
the right processes you can defuse the threat.
$£ Data
Privacy & Continuous €¥ Sovereignty
cybersecurity compliance & Control
Identify authorized use and scenarios Allow complete and real-time exhaustive Classify data and identify the most sensitive
for Cloud environments visibility of Cloud resources ones in terms of confidentiality and integrity
Implement activity monitoring on Control all incoming/outgoing data access to/
Enable in-depth control of most
cloud environments through detecting from Cloud (Shadow IT) between Clouds (lateral
sensitive data transit
compromised accesses / ressources movements)
Protect against unauthorized use of Ensure compliance by combining regulatory Protect most sensitive data from Cloud Service
Cloud resources aspects and security policy deployment Providers by controlling its encryption
Keep control of your Clod resources and
Leverage Artificial Intelligence to Dynamically identify security settings
encryption through strengthened authentication
anticipate attacks in Cloud environments and associated risk
and governance of identities and accesses
No blind spots
There can be no control without visibility. Only when a company has visibility across Although the forecast predicts
However, according to a recent report from all platforms can it implement consistent
McAfee, almost one third of organizations policies for its processes. slowing spend for all security
who use SaaS are experiencing difficulty in markets, CASB’s growth
getting a clear picture of what data is in their By implementing a hybrid security remains higher than any other
cloud applications. approach, an enterprise can uncover the information security market10.
usage of shadow IT by its employees. It can
The need to restore visibility and reassert understand exactly what content is flowing
ownership and control has become a major into and out of the cloud.
driver for hybrid cloud security solutions.
With real-time monitoring and analytics, It can also identify any unsanctioned
a business gains global visibility into the cloud services that are being used on the
consumption of IT resources inside and enterprise network and move quickly to close
outside the organization. any breaches of policies and regulations.
Defusing threats
By embracing the secure hybrid cloud, enterprises can achieve the levels of protection against threats that they need. For example, they can
protect data from inadvertent disclosure or unauthorized sharing and detect compromised accounts and threats from insiders. Organizations
can stop unwanted devices, users and versions of applications from accessing cloud services. A secure hybrid cloud can protect data that
belongs to a company’s intellectual property, whether that be proprietary software code or sensitive corporate information.
10
Gartner Magic Quadrant for Cloud Access Security Brokers October 2020
10Creating value with
a secure hybrid cloud
A secure hybrid cloud architecture can provide an enterprise with even
more effective protection than on-premises infrastructure, enabling
organizations to embed and automate many of their security controls and
audits.
With new security paradigms in place, In the hybrid cloud world, security audits, Thanks to this capability for real-time
the hybrid cloud model becomes a driver controls, patching and configuration monitoring and security analytics, and the
of overall business strategy. It enables management can all be automated, reducing ability to respond rapidly to threats, an
organizations to achieve their strategic the risk significantly. With the continuous organization can enjoy full visibility over its
goals, such as reducing time-to-market, updating of virtual infrastructure and code, operations and detect possible vulnerabilities
securing the digital and mobile workplace, the business of securing your company across different cloud environments and
and delivering Continuous Integration and becomes both more efficient and more different jurisdictions.
Continuous Delivery (CICD). effective.
With a secure, automated cloud platform,
Automation is a critical part of the cloud An automated approach, removing the enterprises will be able to adopt different
security equation. In the legacy environment, potential for human error, is key to managing approaches to application development,
many major security breaches occur when change at scale, and could very well prevent achieve their strategic goals and objectives
the IT team forgets to patch a web server in the next highly visible breach – provided the and create new value for customers and
an on-premises data center. right processes and the right technologies stakeholders.
are in place.
On the cutting edge
The principles of programmable
infrastructure, or Infrastructure as Code
(IaC), can generate significant benefits from
a security perspective, enhancing visibility
and compliance control. Not to be confused
with IaaS, by using Infrastructure as Code
organizations can code and automate
external and internal audits and compliance
testing. It represents the next, more secure
generation of infrastructure management.
Meanwhile, new possibilities are emerging
for defusing the security risks of Advanced
Persistent Threats (APTs). A combination of
the nuke-and-pave approach, in which each
workload has a lifecycle of only a few hours
and ‘canary testing’ whereby deploying a
new environment to 5%-10% of end users, the
potential longevity and capability of any such
threat is dramatically reduced.
Through 2024, the
majority of enterprises
will continue to struggle
with appropriately
measuring cloud
security risks 6.
6
Gartner: https://www.gartner.com/smarterwithgartner/is-the-cloud-secure
Building trust in Hybrid Cloud 11The Atos advantage
Atos is Europe’s number one security provider. Our customers enjoy
the full benefits of our global network of 15 Security Operations Centers
(SOCs), best-of-breed cloud security technologies and long-standing
partnerships with major cloud service providers.
Atos is a trusted partner in securing legacy We work closely to diagnose threats, advise • We are co-founders of the GAIA-X
infrastructure and cloud operations. We help on investment choices and embed a Foundation, a non-profit organization
our customers invest in the right controls culture of cyber maturity in our customers’ that creatse the next generation of data
in the right places, quickly and effectively, operations and workforce. platforms for Europe, its member states,
designing, building and operating end-to-end companies and citizens.
security across the organization. Our approach is use-case driven and tailored • We are partnering with Google Cloud
to clients’ specific needs. Whether you want to deliver secure hybrid Cloud, machine
Cybersecurity is a critical part of the four to increase your visibility of shadow IT, learning and collaboration solutions to the
offerings of our Digital Transformation comply with GDPR, enhance the security of enterprise.
Factory – Orchestrated Hybrid Cloud, Atos your data, or predict new threats, we have • We are members of the Microsoft Intelligent
Business Accelerators, Atos Codex and the services and solutions you need. Security Association (MISA) to help
Atos Digital Workplace. These offerings are organizations maximize value from native
supporting the digital strategies of customers Working with all the major Cloud Service Microsoft security with industry-leading
around the world, providing them with Providers, we add an end-to-end layer expertise in managed security services.
a secure, scalable and open platform for of security control that covers all cloud
growing their digital business ecosystem. environments as well as your on-premises Deploying our own technologies on identity
infrastructure. Being part of key alliances and and access management and encryption
In everything that we do, our approach is security organizations, we are shaping the and cooperating actively with leading
distinguished by its underlying focus on future of security: technology companies such as McAfee, we
business outcomes. We understand the risks • We are co-founders of the Charter of help organizations reassert control over their
faced by each business, customizing an Trust cybersecurity initiative promoting data and we also provide critical support in
appropriate cloud security strategy for each cybersecurity awareness and innovation. the event of any incident.
different customer.
6000+ 31 billion 15
security security events Security Operations
professionals processed perd day Centers
15 million 3.2 million 300 million +3 million
vulnerability scans tests cases endpoints secured by Atos citizens covered network equipment
by our solutions and secure mobile phones
IDnomic Evidian Trustway AIsaac
Trusted identities for Identity and Access Data Protection at rest Patented AI Platform
people and services Management and in motion
Leader Leader Niche player 3 rd Niche player Leader Leader
Managed Cyber resilience Identity Managed security Access Identify IT Security
security services services & EMEA governance services WW Management WW Provisioning Europe
Europe GDPR Services & admin WW Market share Global
WW
12Rising to the next challenges
Powered by cloud computing and automation, business technology is
leaving behind the world of servers and data centers and entering an
exciting but challenging new era. Enterprises need to adapt their security
processes and technologies to keep up with these innovations and reap
the benefits of a server-free world.
While many organizations are still coming to The rapid growth of the Internet of Things The shortage of skilled software developers,
terms with the security implications of IaaS, will exert even more pressure on security the need to reduce time to production and
PaaS, CaaS and SaaS, information technology professionals to keep up with the pace of the focus on customer-centric application
is already moving into a new paradigm of software development and innovation. development by non-IT groups has led to
Function as a Service (FaaS). an increase in the adoption of low-code and
Organizations will need to find ways to no-code platforms. These environments
In the FaaS framework, which is now maintain rigorous security controls even are used by people who are not necessarily
offered by all major cloud service providers, while optimizing their development and software specialists to deliver applications at
companies can run code and create delivery lifecycles for speed. Some early pace to address specific business needs of
microservices without the need to provision adopters are pioneering a new DevSecOps their customers.
or manage server resources. approach, to introduce security early in
the lifecycle, automating and embedding Security awareness becomes key for those
The security implications of FaaS and the appropriate controls into application who do not have the security expertise of
microservices are clear. This next generation development. skilled developers. The principles used for
of cloud computing increases the scope of “securing by design” used in traditional software
the attack surface to an even greater extent By undertaking secure by design development approaches should be applied to
than legacy cloud. In a serverless world, approaches, in which source code is analyzed low-code and no-code, best practices such as
new approaches will be required to secure for flaws as it is developed, and open source access controls, data protection and visibility
microservices. At the same time, FaaS may libraries are checked for vulnerabilities must be taken into account throughout the
accelerate the evolution of DevOps into NoOps, during the development lifecycle, the development lifecycle.
potentially reducing the role of IT operations DevSecOps approach is raising the bar for
and raising new questions for security. security. In addition to application security As the threat landscape continues to change,
testing and software composition analysis, the security strategies of all organizations
Meanwhile, new challenges are emerging, the emergence of DevSecOps could also can expect to experience severe tests.
driven by the need for continuous delivery transform compliance reporting, software Enterprises need a trusted security partner
in application development and of a ‘Shift development kits for IAM and encryption, who can adapt to the changing environment
left’ mentality, in which security controls and other frontline security challenges. and protect the full digital value chain. Only
are integrated as early as possible in the with a secure multi-cloud platform can
development cycle. businesses take full advantage of a new era
in information technology.
Building trust in Hybrid Cloud 13A hybrid cloud security checklist
When reviewing the security profile of a
hybrid cloud environment, organizations
should consider the following questions.
□ What type of cloud are you using (SaaS, IaaS, etc…)?
□ Do you know where your data is stored?
□ Do you know what type of data is stored in the Cloud?
□ Are you dealing with personal data in the Cloud?
□ What are the security & privacy risks applying to your organization?
□ How about Shadow IT?
□ What visibility do you have on Shadow IT?
□ How do you control access to Shadow IT?
□ Is your staff (internal/partner) “cyber aware”
□ Are your current security controls providing sufficient visibility, context and
insight to the threat facing your sensitive data across the hybrid cloud?
□ How could automation reduce time taken to diagnose, react and recover from
security incidents that could affect your hybrid cloud?
□ Are you leveraging native cloud provider capabilities to their fullest potential
to help you improve your security?
□ How ready are your organization’s leadership board, security and commercial
teams to manage the consequences of a high-profile cyber attack?
□ How well do you understand the cyber threat facing your organization, not
just the data you process, but also the stakeholders you work with and the
supply chain that you operate in?
□ Taking account of GDPR, NIS and other regulations, are you investing in the
right places to achieve the correct levels of security for how your sensitive
data should be protected across the hybrid cloud?
□ Do you know if the public repository images you are executing are reliable?
Contributors
Vasco Gomes Zeina Zakhour Amo Matharu
CTO Cybersecurity Products CTO Cybersecurity Head of Strategic Initiatives &
Senior expert Cybersecurity Distinguished expert Cybersecurity Cloud Security
Member of the scientific community Member of scientific community Senior Expert
14Building trust in Hybrid Cloud 15
Vision paper About Atos Atos is a global leader in digital transformation with 110,000 employees and annual revenue of € 12 billion. European number one in cybersecurity, cloud and high performance computing, the group provides tailored end-to-end solutions for all industries in 73 countries. A pioneer in decarbonization services and products, Atos is committed to a secure and decarbonized digital for its clients. Atos operates under the brands Atos and Atos|Syntel. Atos is a SE (Societas Europaea), listed on the CAC40 Paris stock index. The purpose of Atos is to help design the future of the information space. Its expertise and services support the development of knowledge, education and research in a multicultural approach and contribute to the development of scientific and technological excellence. Across the world, the group enables its customers and employees, and members of societies at large to live, work and develop sustainably, in a safe and secure information space. Find out more about us https://atos.net/en/products/cyber-security/ cloud-security Let’s start a discussion together Atos, the Atos logo, Atos|Syntel, and Unify are registered trademarks of the Atos group. February 2021. © 2021 Atos. Confidential information owned by Atos, to be used by the recipient only. This document, or any part of it, may not be reproduced, copied, circulated and/or distributed nor quoted without prior written approval from Atos. CT-210211-SB-BDS-Hybrid-Cloud-Vision-Paper
You can also read
