Security within an organisation was once entirely an on-premise solution; these days it is a hybrid of cloud and on-prem or, in some cases, completely cloud-based.
Luke Barker, head of cybersecurity ANZ at BT, told Digital National Australia about how organisations secure their cloud environments.
He said, “Traditionally, most security controls up until 10 years ago, were hardware based. So you're talking about your firewalls, your proxies, or software-based, your endpoint agents. We've seen a real trend in the last 10 years where a lot of that capability now is delivered via cloud or cloud-enabled.”
Barker used the example of endpoint security, where much of that is a lightweight agent deployed on the endpoint but most of the capabilities are delivered from the cloud.
“The same with cloud-based secure web gateways. Rather than using hardware in a gateway, now an internet gateway, that's all delivered from a cloud and those vendors have points of presence all around the world to service their customers in each location,” he said.
“We've seen a real trend in the market, within our client base, to adopt cloud-based security controls that are delivered from cloud data centres and also very much software based. We rarely see hardware-based security controls anymore other than firewalls or other than where it's needed.”
To make sure that employees understand cybersecurity risks, Barker said that businesses are beginning to implement more educational programs for their staff.
“It's moving away from being purely technical focused in security, to being more business orientated and being integrated within the entire business stack. That includes all of the people who work for that organisation,” he explained.
Barker said most of the security breaches in an organisation happen at an employee’s hand, not maliciously but by accident.
“It's someone not fully aware of what they're doing clicking on a link, downloading something they shouldn't, uploading something they shouldn't. That's why a lot of organisations are now spending a lot of time on cybersecurity awareness training around best practices and what to do in certain scenarios.
“There's a lot of organisations now who deliver phishing programs, where they basically phish their employees to try and teach them not to do the right thing and not to do certain acts. You can report things now to your security teams internally as a user that you find a bit suspicious,” he added.