Aside from the technical challenges of embracing cloud computing, businesses in the region need to be cognizant of cloud-centric cybersecurity.

In Q2 2020, enterprises were rushing to adapt to unprecedented levels of employees working from home (WFH), and McAfee Labs observed an increase of almost 12% in threats per minute due to the cybersecurity challenges of hastily-implemented remote-working.

The situation continues to escalate, with bad actors using increasingly-sophisticated techniques to attack organizations of all types.

As enterprises turn to cloud computing and WFH for operational continuity, it is important to understand how multi-cloud infrastructures (which we will refer to simply as ‘multi-cloud’) pose unique challenges that must be anticipated by CISOs—whether public or private—in order to stay secure.

Multi-cloud threats in APAC

Multi-cloud combines many of the benefits of cloud computing with the practicalities necessary for organizations unable to fully commit to cloud infrastructure. This offers organizations benefits in costs, flexibility, and scalability.

However, the path to migration is fraught with potential issues. Organizations working with substantial legacy workloads may not be able to move everything to the public cloud. Modernizing and migrating apps or data that have historically been managed on-premises can be too resource-intensive for organizations to manage. Typical organizational issues such as bandwidth and lack of technical expertise are also a concern.

IDC reports that 85% of enterprises in the Asia Pacific region (APAC) were rated only two out of five in its so-called ‘cloud maturity model’, indicating that cloud investment in APAC is urgently needed. Even countries that are more digital- and cloud-native are not exempt.

Securing multi-cloud adoption

Therefore, as APAC organizations move to multi-cloud, CISOs should keep three key points in mind.

  1. There is no one-size-fits all hybrid environment
    Organizations have adopted various capabilities that have unique gaps that must be filled. A clear system for how organizations can successfully fill these gaps will take time to develop.

    Industries may be some ways away from clearly assessing their models, and only from there will they be able to fill their gaps accordingly. IDC data finds that just 42% of IT departments expect more IT investment to be available in 2021, despite the clear takeaway from the pandemic that many organizations’ IT solutions—and by extension, their cloud workloads—need to be more resilient, secure, and strategic.
  2. Zero-trust will continue to evolve in terms of its definition
    The zero-trust paradigm requires an organization to complete a thorough inspection of its existing architecture. It is a relatively new concept in APAC and still gaining momentum. In Oct 2020, Forrester noted that no APAC government had adopted zero trust as its cybersecurity agency’s framework, a key signpost for widespread adoption.

    As zero trust evolves into a widely-implemented framework, organizations will begin to understand how to work with and update the processes turn it into a true strength.
  3. Strategies for data protection must have a cohesive enforcement policy
    A consistent enforcement policy is key in maintaining an easily-recognizable strategy for data protection and threat management. Conditional and contextual access to data is critical for organizations to fully accomplish cloud-based collaboration across teams.

    This is in line with McAfee’s recommendations to implement security-first thinking across entire organizations, in a true culture of security. Embedding security is not a one-time event, and requires ongoing education through a variety of channels, reinforced by direct management and across peer groups.

Insight from the front lines

One recent tactic that scammers were seen to utilize is familiar in nature, but likely to pose risks given the current widespread WFH situation. In this attack vector, scammers pretend to be emailing from different cloud storage platforms to steal login details, including usernames and passwords.

Pretending to be government officials, the scammers reach out to targets to phish information. The targets are enticed to click through the email to a site where they can enter their login details. The scammers use a repurposed screenshot of a login prompt.

It is helpful to remember that governments generally do not email recipients for input without prior warning, especially sharing unrequested documents. In this case, users can verify the sender email address and location in the email headers. They can also visit the legitimate site of the government or call up the agency in question to verify legitimacy of the situation.

Users can mitigate this by being aware that legitimate sites will never host login landing pages on other domains. This is often a tell-tale sign that users may be the target of scams or phishing attacks.

The way forward

Whether organizations are moving to multi-cloud via strategic or unforeseen necessity, security must be aligned with the infrastructural change by CISOs and their teams.

Stay in contact with cybersecurity partners and peers; to keep up-to-date with the latest threat intelligence. As they comprise the forefront of industries in transition, their experiences will be the best guide for executing multi-cloud migration and maintenance successfully.

This transition requires organizations to commit fully (and not treat multi-cloud as just a waypoint) in order to keep data and other key assets safe and secure.