Cloud computing introduced a paradigm shift in how companies operated, maintained and spent on IT. Through its varied service models (IaaS, PaaS and SaaS), it offers companies the ability to spin up their infrastructure in minutes, auto scale on demand, pay only as per use and offset significant IT costs spent on running and maintaining expensive datacentres albeit at the expense of reduced granularity and control over infrastructure resources.
Whilst the last decade saw a number of enterprises experiment with cloud deployments, the verdict on its business value was still unclear. This has however changed in recent years, primarily due to the speed and tremendous growth of some of cloud’s early adopters (like Netflix and Spotify), which have made cloud a central part of every CIOs digital transformation strategy today.
The Challenge
However, the paradigm shift brought by the cloud has also meant that organisations need to adapt their current operating models and overcome a number of challenges to unlock the true business value from their cloud deployments.
Cloud security is one such challenge since the traditional perimeter based “castle and moat” approach used by enterprises for security does not bode well in the new hybrid environment where enterprise IT consists of a mix of SaaS, on-prem and public cloud deployments.
Not-so-distant examples of high-profile data breaches in the cloud are a stark reminder of the need for cloud security. The global pandemic due to COVID-19 has only intensified cyber-criminal activity, with a recent analysis by the IBM X-Force IRIS team of cloud security incidents identifying data theft, cryptomining, and ransomware as the top three threats to the cloud.
So How Do You Secure Your Cloud Journey?
Enterprise CISOs need a programmatic approach that can be applied at any level, irrespective of the state of your cloud journey (initial adoption, in transformation, mature steady state environment).
Part 1: Plan (or Review)
As a first step in securing your cloud journey, you must plan (or review) your strategy and roadmap. This means assessing the current state of your IT and cloud security maturity (spanning across business and technical needs).
The Cloud Controls Matrix from the Cloud Security Alliance is a good tool for performing such an assessment. If your enterprise does not yet have a cloud implementation, then its 197 control objectives can act as a good guide for defining security controls that need implementation. For existing cloud deployments, organisations may additionally use a cloud security posture management tool for checking their resource configuration compliance.
What’s Right for You?
Once you have assessed your current state maturity, you must define your desired target state. This should be based on your organisation’s risk appetite, your regulatory and compliance requirements, as well as wider business goals and objectives.
You can then identify the gap in skills and processes between your organisation’s current state and desired state maturity. The final outcome of the planning phase should be a roadmap of activities you need to transition to a targeted state. For organisations that are already operating in a steady state environment, the planning phase acts as a reset to allow you to review your cloud security maturity and to adjust your strategy and roadmap accordingly.
Part 2: Build (or Design and Build)
The specifics of the next step depend on the outcome of your planning (or review) phase and the roadmap you made. Next, you should begin a program of work to achieve your desired target state.
Depending on where you are in your cloud adoption journey, your roadmap will be unique to you. For example, if you are early in your cloud adoption journey, your roadmap may include defining your cloud security policies and requirements, defining your security architecture principles, architecting your secure landing zone and creating hardened configurations for your cloud infrastructure.
Whereas, if you are already operating in the cloud, your build phase may include activities for remediation of identified gaps from your cloud security posture assessment and/or augmentation of existing cloud security controls based on new requirements.
The key during your build phase is to ensure you integrate security by design. In other words, your security controls should be automatically provisioned to meet your corporate and regulatory compliance requirements. Whilst this was a stretch a few years ago, the advent of technologies such as Infrastructure-as-Code (IaC) has made this a very achievable outcome.
Part 3: Run (Optimize)
As you close your final roadmap of activities, you must now start preparing for the transition to steady state. Ideally, by now you would have built and augmented your cloud security controls and processes across each of the below areas (at a minimum):
- Governance and Resources — Developed a security organization model suited for operating in the cloud, along with a team of skilled resources supporting it.
- Identity and Access Management (IAM) — Developed an IAM strategy for your hybrid or fully cloud-native environment. Built, deployed and operationalized IAM services such as single sign-on/federation (with multifactor authentication) across your environments; and have properly tested and configured IAM security policies to ensure authentication and access control is maintained according to a least privilege model.
- Infrastructure Security — Created hardened IaC templates for your cloud resources. At this stage, you should have enabled secure connections to and from your cloud and on-prem tools. You should also have a secure landing zone for migrating your on-prem apps and data to the cloud.
- Application Security — Created and operationalized a well-defined DevSecOps process that includes security touch points (code reviews, static application security testing/dynamic application security testing scans and smoke tests). These should be built into the various phases of your continuous integration/continuous deployment pipeline. You should also have deployed and enabled runtime safeguards for web security, such as distributed denial-of-service (DDoS) protection, firewalls, application programming interface gateways and application load balancers.
- Data Protection — Defined data encryption policies and guidelines that guide your data at rest and data in transit encryption requirements. Deployed capabilities for data loss prevention, data encryption and key lifecycle management in line with your regulatory and compliance needs.
- Logging and Monitoring — Enabled logging of security events, and network flows from across your environment. Perform vulnerability scanning / continuous compliance monitoring of your on-prem / cloud resources and a have single pane of glass to centralize security visibility.
- Cloud Incident Response — Developed a cyber incident response (IR) plan with defined playbooks to cater to a variety of cloud security incidents. Perform table-top testing of your IR plan at least on an annual basis.
Making Your Cloud Security Transformation Journey Smoother
Whilst there are many challenges to achieving a successful cloud security transformation, opting for a strategic Systems Integrator (SI) and Managed Security Services provider like IBM Security can certainly help make the journey smoother.
Systems Integrators bring in a wealth of experience and know-how of having delivered transformations, and also provide seasoned security resources and skills that can accelerate your transformation journey. For more information on how IBM Security can help secure your cloud journey, please visit IBM Security – Cloud Security Solutions.
Senior Managing Consultant, IBM