By Ritesh Bagayat, Senior Manager, Deloitte & Touche LLP
Cloud computing has transformed the way nearly every enterprise does business today, but along with its many advantages come new security considerations. As public cloud adoption has reached 90% of global organizations, 19% of respondents to the 2019 SANS Institute cloud security survey revealed that they had experienced a breach in the previous year, a 7% increase over the previous year.
While some providers offer stronger security controls than others, security issues can stem from the way in which an organization accesses cloud services. All too often, organizations incur unnecessary risks through misconfiguration, lack of cloud-ready security strategies, insufficient access management, and ineffective monitoring for insider threats. Here’s what we’ve learned from our experience helping clients migrate enterprise software including ERP, SCM, and HCM to the cloud securely.
As a first step towards migrating to cloud, we recommend an assessment that spans across the key cyber risk domains:
While your cloud SaaS vendor is responsible for the security of the platform, your data is only as safe as your organization’s governance makes it. These are three pillars of process security — including cloud applications:
Most enterprises (over 80%) have a multi-cloud strategy, with many spanning public and private clouds. Managing this complex environment can be difficult, so we consistently recommend that our clients consolidate enterprise cyber security tools and methodologies, both to provide a single pane for managing risk to their “crown jewel” data assets and to leverage native/built-in capabilities for deep analysis and monitoring. This requires keeping security top of mind from day one of cloud migration.
In fact, we often recommend initiating a security and compliance discussion during the cloud provider assessment phase. We also frequently recommend designing, building, and deploying SOD and transaction controls during the implementation process. Retrofitting these controls post-implementation can lead to significant business disruption and enterprise risk.
Historically, enterprises have used manual methods such as spreadsheets or third-party tools to manage their cyber security risks. This can lead not only to inefficiency but also to risk exposure due to insecure data extractions. In contrast, a tightly integrated solution such as Oracle Risk Management Cloud can automate SOD, transaction, and configuration controls to find the optimal balance for the organization’s processes. This can lead to lower overhead, improved security posture, and audit readiness.