The cloud offers a multitude of advantages; however, as with any large-scale deployment, it can also present unforeseen challenges. The long-running concept of the cloud being “someone else’s data centre” has been a cringe moment for security pros because it reinforces the notion that security responsibility is someone else’s problem.
It is true that cloud systems, networks and applications are not physically located within a company’s environment; however, security responsibility and risk mitigation certainly are. Cloud infrastructure providers manage how the environment is set up and monitored, as well as what is put into it and how data is protected. What is most important, however, is how risk is managed to provide alignment with the existing security framework.
Risk and Privacy
GDPR and its ‘sister’ policies in the US (as seen with Arizona, Colorado and California) have meant organisations are being faced with increased requirements for protecting data in the cloud. While it used to be as simple as deploying Data Loss Prevention (DLP) in a data centre, nowadays, due to data centre fragmentation, this is no longer viable. There are now services, systems and infrastructure that are no longer owned by the organisation, but still require visibility and control.
Cloud services and infrastructures that share or exchange information can also become difficult to manage. For example, who owns the SLAs? Is there a single pane of glass that monitors everything? DevOps has forced corporations to go as far as implementing micro-segmentation and adjusting processes around firewall rule change management. Additionally, serverless computing has provided organisations with a means by which they can cut costs and speed productivity by allowing developers to run code without having to worry about platforms and infrastructure.
Yet, without a firm handle on virtual private clouds and workload deployments, things can quickly spin out of control and data can begin leaking from one environment just as a comfortable level of security is achieved in another.
Several steps can be taken to help mitigate risk to an organisation’s data in the cloud.
Design to align. First and foremost, organisations must align cloud environments with cybersecurity frameworks. Quite often, organisations move to the cloud so rapidly that the security controls historically applied to their on-premise data centres – which have evolved and hardened over time – do not migrate effectively or even map directly to the cloud. Organisations may also relax the security microscope on certain legitimate business SaaS applications. However, without the right visibility and control, data may end up being leaked. Aligning cloud provider technology with cybersecurity frameworks and business operating procedures provides for a highly secure, optimised and more productive implementation of a cloud platform, giving better results and a successful deployment. Being able to do this while implementing the cloud technology can assist in demonstrating measurable security improvement to the business by providing a ‘before and after implementation’ picture.
Make yourself at home. Cloud systems should be treated the same way you would treat your Local Area Network (LAN) and Data Centre. For example, Amazon’s Shared Responsibility Model outlines where Amazon’s security responsibility ends and its customers’ responsibilities begin. While threats at the compute layer exist, as can be seen with Meltdown, Foreshadow and Spectre, recent cloud data breaches have shown a breakdown in an organisation’s security responsibility area – namely operating system security, data encryption and access control. If an organisation has standards that govern the configuration of servers, vulnerability management, patching, IAM, encryption, segmentation, firewall rules, application development and monitoring, see to it that those standards are applied to cloud services and are audited regularly. Routine assessment of cloud infrastructure architectures by a third party can be performed just as effectively as a review of LAN and Wide Area Network (WAN) for best security practices.
Stop the “sneaking out at night”. Not long ago, employees could be seen setting up unsecured wireless access points in an attempt to gain more flexibility and efficiency in their everyday jobs, much to the disgruntlement of their employers. Fast forward to today, and wireless controllers providing rogue detection and intrusion prevention system (IPS) capabilities have helped to rein in that type of activity. With the cloud, employees are setting up cloud storage accounts, serverless computing environments and virtual private networks as needed to circumvent lengthy and cumbersome change control procedures, cut costs and gain similar flexibility and efficiency. By rearchitecting legacy networks, re-adjusting decades-old processes and procedures, implementing cloud proxy or CASB technology, and coupling that with strong endpoint security controls and an effective awareness campaign, organisations can provide that level of flexibility and efficiency but still provide for data protection.
Keep a close watch. The Cybersecurity Operations Centre (SOC) should no longer be concerned with just the local network and data centres. The operational monitoring procedures, threat hunting, intelligence and incident response that the SOC uses also apply to cloud environments where the organisation’s data resides. Shifting from a culture of “do whatever it takes to get the job done” to “do what is right for the business” takes a coordinated effort and time. It is also deeply rooted in the mentality that security has to become a business enabler rather than continuing to be in the business of ‘no’.
Above all, organisations need to include security in technology decisions if security is to continue to protect the business. And security teams must understand the needs of the business and changes in technology in order to be that all-important enabler. To help prevent people from seeking their own solutions to technology problems, IT and security teams must evolve their assets and functions to accommodate speed and convenience, or else constantly find themselves trying to keep up.
Derrick Johnson, national practice director for secure infrastructure services, AT&T Cybersecurity