Can I get a bit of cloud, please?

Greetings to everyone. This week, I wanted us to talk a bit about cybersecurity processes in cloud infrastructures. Does the cloud provide security for us? What should we pay attention to, especially in terms of cybersecurity, when transitioning to the cloud? Let's take a look.

Does the cloud provide security for us?

It's challenging to give a clear answer to this question.

Do you think it does? Certainly, it establishes a security foundation.

However, is it sufficient? Unfortunately, it's not.

Therefore, planning the security approach according to the needs of the organization is crucial. I recommend reviewing the frameworks published by NIST since 2011 for planning and security programs. You can find technical and process-related details for the activities to be carried out.

Actually, what I want to talk about is the often overlooked principle of shared responsibility when it comes to cloud security. Despite 1st-level service providers (AWS, Azure, Google Cloud) clearly stating their security approaches and principles, many organizations are not aware of this. The shared responsibility principle actually shows that organizations are still on their own in terms of business-focused cybersecurity.

The situation is even more different for local cloud service providers. Cloud technologies are not only for cost savings, but also support businesses in improving efficiency, competitiveness, and digital transformation. However, due to the perception in the Turkish market being cost-focused and the decrease in profit margins, we see that cybersecurity services are not developing or are limited to a specific area.

Although private companies currently seem to be the driving force behind the development of the Turkish cloud market, I can mention that a significant market has been reached in the public sector as well, thanks to some SaaS services. I believe that the publication of public cloud regulations will contribute to the development of the market in the public sector in the new year.

So, what should we pay attention to when transitioning to cloud infrastructures? Firstly, we must be clear about the programs and needs. Hybrid structures will play a more prominent role in our lives. This will depend on tightening control mechanisms and making them independent and mutually controlling. I am not talking about an easy situation, but I am talking about a successful issue with the right program and timing. As I have mentioned in my previous writings, the influence of organizational culture on this matter is crucial.

Despite many points that need to be controlled, I want to emphasize identity management separately. Because, no matter what security application you use, we still see that these applications fall short when identity is not organized clearly in the organization. Despite segmenting the network, determining access at the application layer, and ensuring data security and integrity, we still need identity management. When we add the accounts used in inter-application robotic processes to this, we see that the situation becomes even more chaotic.

In short, when integrating your systems with cloud infrastructures, you need to pay attention to identity and access management with a process, technology, and human approach.

Hope to see you next week in a new article about process management and data management.