As businesses migrate to cloud, they are not putting the foundational security controls in place, such as identity and access management, and logging and monitoring.

This often means that when a security incident occurs, there are no logs or information which could be used to investigate the incident.

So says Jared Naude, software engineer, cloud security at Synthesis Software Technologies, who will be speaking at ITWeb Cloud Summit 2019, to be held on 12 February at The Forum in Bryanston.

Commenting on the security complexities associated with today's multi-cloud environments, Naude says many businesses are not taking into account the new risks that cloud poses, and they are not adopting an appropriate threat model, with security controls that can mitigate these risks.

Multi-cloud challenges

In Naude's experience, local enterprises that have adopted a multi-cloud strategy are finding it extremely difficult to operationalise their cloud environments effectively.

"The first major challenge is that businesses try to use a set of organisational principles and standards that they apply everywhere. However, this does not work well, as every cloud platform has its own set of constraints and associated risks that needs to be assessed and mitigated with appropriate controls. These complexities include how these environments are accessed, how data is protected, how data is encrypted, and how monitoring and alerting are configured."

The second major challenge, he says, is that due to the massive skills shortage in SA, organisations are struggling to operationalise even a single cloud environment, and find operationalising multiple cloud environments out of their reach.

This is why internal skills development, training and scaled learning within the organisation is absolutely crucial to the success of a cloud migration journey, he stresses.

Shared responsibility

In order to relieve operational burden, some organisations are turning to a shared responsibility model, Naude says.

"With a shared model, the cloud provider will provide security ‘of the cloud', meaning they will protect the infrastructure that runs all of the services offered in cloud. This includes high-speed networking, data redundancy, fire protection and physical security, among many others."

Customers are responsible for security 'in the cloud', meaning all the service configurations, security configurations, account access control, patches, network security controls, monitoring and the security of applications is their responsibility.

"Using this shared responsibility model means that businesses can save a substantial amount of money on staff and underlying infrastructure and security controls that a typical data centre requires. This frees up time and budget which could be focused on revenue-generating activities."

Delegates attending Naude's talk will learn how to secure workloads in the cloud, from crafting a strategy, to engineering.