The global pandemic has been dictating how the whole world is reforming, businesses included. Forums and analyst reports increasingly describe a future in which businesses move their workloads to the cloud step by step. IDC “expects 2021 to be the year of multi-cloud” as the global COVID-19 pandemic reinforces the need for business to be agile.
According to Forbes, “The current pandemic gives cloud computing a needed jolt;” they envision a resilient cloud-based digital infrastructure for businesses of every size and scale on the rise. Cloud services providers, big or small, are booking higher revenues as they onboard newer customers.
With this new stream of transformation, enterprises are concerned about the overall security and transparency around their data being hosted with cloud services providers (CSP). This varies with the cloud service model (infrastructure as a service (IaaS), platform as a service (PaaS) or software as a service (SaaS)) and the architecture model (private, public or hybrid). The added dimension of multiple cloud vendors, represented by multi-cloud and hybrid-cloud arrangements, brings in further security considerations as these models emerge.
The security concerns around moving to the cloud have not receded a lot. But, today, a need to run businesses efficiently in an altered world is a compelling priority. With an ad-hoc security strategy and roadmap, data on the cloud is subjected to higher risks and exposure. Some of the areas that remain in the haze are: “Is my data secure in the cloud?”; “What happens if the CSP employees get access to confidential data?”; “Is the CSP taking care of all my security needs?”; “How do I get the assurance report when regulators or auditors are asking for one?”; and “Does the CSP have a formal and implemented process for breach identification and notification?”
So, in order to securely run operations on the cloud and have these questions answered, here is a quick three-pronged approach that can be adopted to have a better security posture as you migrate to the cloud.
1. Assessing the risks and putting together a pragmatic plan
It is important to take a data-centric view of your business while moving to the cloud. A due-diligence study could be beneficial, especially one that identifies and addresses:
- What are the data sets we intend to migrate to the cloud? Which applications, databases and tools are hosting and processing these data sets?
- What are the regulatory requirements around the identified data from a transborder data movement and data access standpoint?
- Do I have policies and security baselines defined that I can share with the CSP, to be enforced once my workloads are migrated?
- What are the encryption measures adopted as of today, and how would they translate to data in transit, motion and use once they are moved to the cloud?
- What is the data flow today between applications, databases and end users, and what would the architecture and data flow look like in the cloud?
There could be more areas to look at when we want to confirm that data is being handled with adequate security measures on the cloud. The outcome is a clear and documented cloud security roadmap to be communicated and agreed upon with the CSP; the room to negotiate such terms is greatest for an IaaS model, less for PaaS and least for SaaS. Nevertheless, a due diligence assessment provides a clear picture of the risk landscape in the new configuration.
2. Knowing the responsibilities for which you are accountable
While the infrastructure, databases, storage and middleware or even applications can be provisioned by the CSP, the accountability still remains with the enterprise (cloud consumer). Identifying the security and risk management roles and responsibilities shared by the CSP and the businesses (cloud consumer) is critical; a clearly chartered shared responsibility model is the way to go.
The previous phase would provide inputs on the security aspects that the enterprise is still responsible for post-migration.
It is immensely important to have the following measures in place before you migrate to the cloud:
- Inventory of applications, databases, tools and technologies planned to be migrated to cloud; security policies, processes and baselines and security management tools and technologies.
- Mapping the various data sets to the above and identification of potential risks.
- Mapping the security responsibilities for each of the above to the CSP or the cloud consumer.
- Documentation and agreements around the security checks to be run, for example privileged access monitoring, system access logs with their alerts and exceptions, and the vulnerability scanning schedule and reports; the list could be long.
Having a clear picture of the responsibilities means there is a predictable security risk management process to be enforced on an ongoing basis.
3. Defining transparent and agreed-upon contractual clauses
A big share of security concerns around cloud services centers on transparency of security measures and auditability in the cloud. This can be addressed to a great extent by defining and agreeing on security service level agreements (SLAs). Security SLAs defined on the basis of the business landscape, data security requirements and threat landscape are a great way of gaining adequate visibility throughout the cloud lifecycle.
A due diligence risk assessment can help identify effective and measurable security SLAs across areas like logging and monitoring, privileged access management, incident reporting, regulatory reporting, right to audit and backup and availability. This can provide inputs for measurable metrics, which can be configured and monitored through appropriate cloud security posture management (CSPM) tools across the lifecycle.
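To make the idea of measurable security SLAs concrete, here is an added example (not from this post, IBM or any CSPM product) that encodes four SLA areas named above, evaluates constructed evidence against them, and attributes each breach to the party accountable under the shared responsibility model from section 2. The SLA areas, thresholds, owners and evidence records are all assumptions constructed for the example.

```python
from datetime import datetime

# Constructed SLA definitions for areas named in the post; "owner" records which
# side of the shared responsibility model must produce the evidence (assumed).
SLAS = {
    "privileged_access": {"owner": "consumer", "max_unreviewed_sessions": 0},
    "incident_reporting": {"owner": "csp", "max_notify_hours": 24},
    "vulnerability_scanning": {"owner": "csp", "max_scan_age_days": 30},
    "backup": {"owner": "consumer", "max_restore_test_age_days": 90},
}
# Constructed evidence, shaped like an export from a CSPM or ticketing tool.
EVIDENCE = {
    "privileged_sessions": [{"reviewed": True}, {"reviewed": False}],
    "incidents": [
        {"detected": "2021-03-01T08:00:00", "notified": "2021-03-01T20:00:00"},
        {"detected": "2021-03-05T09:30:00", "notified": "2021-03-06T15:30:00"},
    ],
    "scan_dates": ["2021-02-10", "2021-03-02"],
    "restore_test_dates": ["2020-11-20"],
}

def _age_days(dates, now):
    """Days since the newest ISO date; infinite when no evidence exists at all."""
    if not dates:
        return float("inf")
    return (now - max(datetime.fromisoformat(d) for d in dates)).days

def evaluate(slas, evidence, now_iso):
    """Return {area: (owner, met, measured)}, one entry per SLA."""
    now = datetime.fromisoformat(now_iso)
    lags = [(datetime.fromisoformat(i["notified"]) - datetime.fromisoformat(i["detected"]))
            .total_seconds() / 3600 for i in evidence["incidents"]]
    measured = {  # area -> (measured value, agreed limit)
        "privileged_access": (sum(not s["reviewed"] for s in evidence["privileged_sessions"]),
                              slas["privileged_access"]["max_unreviewed_sessions"]),
        "incident_reporting": (max(lags, default=0.0), slas["incident_reporting"]["max_notify_hours"]),
        "vulnerability_scanning": (_age_days(evidence["scan_dates"], now),
                                   slas["vulnerability_scanning"]["max_scan_age_days"]),
        "backup": (_age_days(evidence["restore_test_dates"], now),
                   slas["backup"]["max_restore_test_age_days"]),
    }
    return {a: (slas[a]["owner"], v <= limit, v) for a, (v, limit) in measured.items()}

def unmet(results):
    """Breached areas grouped by the party accountable under the shared model."""
    out = {}
    for area, (owner, met, _) in results.items():
        if not met:
            out.setdefault(owner, []).append(area)
    return out
```

A missing evidence set (for example no scan dates at all) is treated as a breach rather than silently passing, which is the behaviour you want from any SLA monitor.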
Security Magazine reports, “Attacks have always been socially engineered to prey on people’s fears, habits and, ultimately, their bank accounts, but the exploitation in the COVID-19 era is nothing short of sinister.”
The in-house cybersecurity skills gap has already been spoken of in various forums. Now, with newer skill requirements, it is an even bigger challenge. It would be wise to have a thorough understanding of the new threat landscape and move ahead with a detailed strategic roadmap. Engaging with a trusted advisor like IBM’s Cloud Security Strategy Service can particularly help in building the roadmap with the right level of expertise and experience. A team of advisors can bring in their expertise and industry knowledge to build the right security strategy and framework for pre- and post-migration to the cloud.
Managing Consultant, IBM Security