Do Not Make These Mistakes When Implementing Cloud Security In Your Company
These mistakes can seriously harm your cloud security initiatives

A few years ago, a friend of mine — a cloud security consultant — was brought in to assess the cloud security posture of a fast-growing startup.
Their CTO proudly walked him through their recent migration to the cloud.
Everything looked slick — modern tools, impressive dashboards, and even a few AI buzzwords thrown around.
But when he asked a simple question — “Who’s responsible for patching your cloud workloads?” — the room went silent.
After a few awkward glances, someone muttered, “Isn’t that automated?”
That startup had done what many companies do: they treated cloud security like a one-time project instead of an ongoing environment.
Within six months, they had a serious misconfiguration issue that could have exposed customer data.
Fortunately, they caught it before it turned into a breach — but not every company is that lucky.
I have written many times about the importance of having a cloud security strategy for your company.
The need for a proper security roadmap, regardless of cloud model or platform, cannot be overstated.
But one key question remains: what next? What happens after the roadmap is implemented?
This is what I want to talk about today: why a lot of cloud security projects fail after the initial push.
What makes Cloud Security fail?
In my own experience, some of the critical reasons that cloud security implementations fail are the following:
Reason 1: Treating It Like a Project And Not an Environment
The cloud is a different animal from on-prem and an entirely new way of doing things.
It is not a solution you implement once and then forget about.
Treating it like a project you finish and hand over is a surefire way to end up with unowned, drifting configuration and, eventually, a data breach.
Treat the cloud as a separate environment that is as critical as your on-prem one and requires the same level of governance.
The cloud is not something you do on the side while focusing on your on-prem systems.
Reason 2: Not Formalizing Responsibilities
Assuming that the responsibilities defined for your on-prem environment will carry over to the cloud is a dangerous assumption to make.
The provider's shared responsibility model only tells you what the provider handles; everything above that line (identity, configuration, data, patching of your own workloads) still has to be assigned to someone on your side.
Many companies fail to set down who is responsible for implementing security controls, patching, monitoring, etc., in the cloud, leading to ambiguities that can be disastrous.
Ensure a formal and approved org chart (or a RACI matrix covering each control area) is set up that establishes who is responsible for cloud security in your organization.
If your organization plans to outsource most of its cloud work, make sure your organizational chart reflects that, including who owns the relationship with the outsourcer and who signs off on their work.
Reason 3: Not Aligning With The Business Roadmap
Without a proper strategy, you will just be buying and implementing controls with no idea of the larger picture or of the problem you are trying to solve.
Similarly, the cloud does not exist in a bubble; it has to be aligned with your overall business strategy.
If the company plans to standardize on AWS over the next three years, then investing in Azure-specific security tooling is not the way to go in the long run.
Reason 4: Not Showing The Return On Security Investment
A long-running challenge in cyber-security is not having proper metrics to report to management.
Without metrics, you will not have visibility and will be unable to report the status of controls to management.
Without visibility, management will not see a return on investment and will not approve the tools and budget you will need later.
The cloud will then become too cumbersome to manage until a data breach happens, at which point everyone scrambles to put something in place: the classic knee-jerk reaction.
Why Cloud Security Governance Is Needed
Before we get into Cloud Security Governance, let me be clear about what it is not.
Cloud Security Governance is not:
A tool or commercial product that you implement
A Policy that you write and then forget about after passing an audit
A checklist
A standard
A certification that you acquire
Cloud Security Governance refers to a formal management model or framework you put in place to make sure all the cloud security processes remain working and functional over time.
This is critical, as you may be surprised to learn that in many companies there is still confusion about who handles cloud security, who does patching, who reports security breaches, etc.
This is why having a Cloud Security Governance model is so important.
Key components
The level and detail of a Cloud Security Governance model may change from organization to organization, but some things remain the same.
The Cloud Security Alliance also offers excellent guidance on how to go about implementing a framework (for example, its Cloud Controls Matrix), as does Amazon Web Services (the security pillar of the Well-Architected Framework).
Regardless of the organization, some of the minimum components of a cloud security governance model are:
A formal Cloud Security policy approved by management
A cloud security roadmap or strategy to implement that policy AND align it with the larger business strategy of the company
A proper organizational chart formalizing who is responsible for cloud security
Reporting metrics for senior management visibility into cloud risks
Create a framework with these things in mind, and cloud security will become a living, breathing entity that evolves and matures over time!
Wrapping it up, the key questions that a cloud security governance model helps to answer are:
Who is handling cloud security in our organization?
How secure is our cloud?
Are our cloud security investments giving us value?
What are the key risks we should know about?