The global pandemic has been dictating how the whole world is reforming, businesses included. Different forums and analyst reports are increasingly calling out the future of businesses as they are moving their workloads to the cloud gradually. IDC “expects 2021 to be the year of multi-cloud” as the global COVID-19 pandemic reinforces the need for business to be agile.

According to Forbes, “The current pandemic gives cloud computing a needed jolt;” they envision a resilient cloud-based digital infrastructure for businesses of every size and scale on the rise. Cloud services providers, big or small, are booking higher revenues as they onboard newer customers.

With this new stream of transformation, enterprises are concerned about the overall security and transparency around their data being hosted with cloud services providers (CSP). This varies with the cloud service model (infrastructure as a service (IaaS), platform as a service (PaaS) or software as a service (SaaS)) and the architecture model (private, public or hybrid). The dimension of multiple cloud vendors represented by multi-cloud and hybrid-cloud arrangements bring in additional security considerations as they emerge.

The security concerns around moving to the cloud have not receded a lot. But, today, a need to run businesses efficiently in an altered world is a compelling priority. With an ad-hoc security strategy and roadmap, data on the cloud is subjected to higher risks and exposure. Some of the areas that remain in the haze are: “Is my data secure in the cloud?”; “What happens if the CSP employees get access to confidential data?”; “Is the CSP taking care of all my security needs?”; “How do I get the assurance report when regulators or auditors are asking for one?”; and “Does the CSP have a formal and implemented process for breach identification and notification?”

So, in order to securely run operations on the cloud and have these questions answered, here is a quick three-pronged approach that can be adopted to have a better security posture as you migrate to the cloud.

1. Assessing the risks and putting together a pragmatic plan

It is important to take a data-centric view of your business while moving to the cloud. A due-diligence study could be beneficial, especially one that identifies and addresses:

    1. What are the data sets we intend to migrate to the cloud? Which applications, databases and tools are hosting and processing these data sets?
    2. What are the regulatory requirements around the identified data from a transborder data movement and data access standpoint?
    3. Do I have policies and security baselines defined that I can share with the CSP to be enforced once my workloads?
    4. What are the encryption measures adopted as of today, and how would they translate to data in transit, motion and use once they are moved to the cloud?
    5. What is the data flow between applications, databases to the end users today – what would the architecture and data flow look like when in the cloud?

There could be more areas to look at when we want to confirm that data is being handled with adequate security measures on the cloud. The outcome would bring in a clear and documented cloud security roadmap to be communicated and agreed upon with the CSP; the degree of agreeability is maximum for an IaaS model, less with PaaS and least with SaaS. Nevertheless, a due diligence assessment provides a clear picture of the risk landscape in the new configuration.

2. Knowing the responsibilities for which you are accountable

While the infrastructure, databases, storage and middleware or even applications can be provisioned by the CSP, the accountability still remains with the enterprise (cloud consumer). Identifying the security and risk management roles and responsibilities shared by the CSP and the businesses (cloud consumer) is critical; a clearly chartered shared responsibility model is the way to go.

The previous phase would provide inputs on the security aspects that the enterprise is still responsible for post-migration.

It is immensely important to have the following measures before you migrate to cloud:

    1. Inventory of applications, databases, tools and technologies planned to be migrated to cloud; security policies, processes and baselines and security management tools and technologies.
    2. Mapping the various data sets to the above and identification of potential risks.
    3. Mapping the security responsibilities for each of the above to the CSP or the cloud consumer.
    4. Documentation and agreements around running the security checks where examples are privileged access monitoring, system access logs and alerts and exceptions, vulnerability scanning schedule and reports and the list could be long.

Having a clear picture of the responsibilities means there is a predictable security risk management process to be enforced on an ongoing basis.

3. Defining transparent and agreed upon contractual clauses

A big share of security concerns around cloud services center on transparency around security measures and auditability in cloud. This can be addressed to a great extent by defining and agreeing on security service level agreements (SLA). Security SLAs are defined based on the business landscape, data security requirements and threat landscape are great ways of gaining adequate visibility through the cloud lifecycle.

A due diligence risk assessment can help identify effective and measurable security SLAs across areas like logging and monitoring, privileged access management, incident reporting, regulatory reporting, right to audit and backup and availability. This can provide inputs for measurable metrics, which can be configured and monitored through appropriate cloud security posture management (CSPM) tools across the lifecycle.

Post-pandemic businesses are witnessing a culture shift in terms of user behavior, as well as predictability in data sets spread across multiple platforms, systems and service providers. Already, we are hearing about data breaches and losses being reported.

Security Magazine reports, “Attacks have always been socially engineered to prey on people’s fears, habits and, ultimately, their bank accounts, but the exploitation in the COVID-19 era is nothing short of sinister.”

The in-house cybersecurity skills gap has already been spoken of in various forums. Now, with newer skill requirements, it is even bigger a challenge. It would be wise to have a thorough understanding of the new threat landscape and move ahead with a detailed strategic roadmap. Engaging with a trusted advisor like IBM’s Cloud Security Strategy Service can particularly help in building the roadmap with the right level of expertise and experience. A team of advisors can bring in their expertise and industry knowledge to build the right security strategy and framework for pre- and post-migration to cloud.

More from Cloud Security

The Importance of Modern-Day Data Security Platforms

Data is the backbone of businesses and companies everywhere. Data can range from intellectual property to critical business plans to personal health information or even money itself. At the end of the day, businesses are looking to grow revenue, innovate, and operationalize but to do that, they must ensure that they leverage their data first because of how important and valuable it is to their organization. No matter the industry, the need to protect sensitive and personal data should be…

Cybersecurity in the Next-Generation Space Age, Pt. 4: New Space Future Development and Challenges

View Part 1, Introduction to New Space, Part 2, Cybersecurity Threats in New Space, and Part 3, Securing the New Space, in this series. After the previous three parts of this series, we ascertain that the technological evolution of New Space ventures expanded the threats that targeted the space system components. These threats could be countered by various cybersecurity measures. However, the New Space has brought about a significant shift in the industry. This wave of innovation is reshaping the future…

Backdoor Deployment and Ransomware: Top Threats Identified in X-Force Threat Intelligence Index 2023

Deployment of backdoors was the number one action on objective taken by threat actors last year, according to the 2023 IBM Security X-Force Threat Intelligence Index — a comprehensive analysis of our research data collected throughout the year. Backdoor access is now among the hottest commodities on the dark web and can sell for thousands of dollars, compared to credit card data — which can go for as low as $10. On the dark web — a veritable eBay for…

How Posture Management Prevents Catastrophic Cloud Breaches

We've all heard about catastrophic cloud breaches. But for every cyberattack reported in the news, many more may never reach the public eye. Perhaps worst of all, a large number of the offending vulnerabilities might have been avoided entirely through proper cloud configuration. Many big cloud security catastrophes often result from what appear to be tiny lapses. For example, the famous 2019 Capital One breach was traced to a misconfigured application firewall. Could a proper configuration have prevented that breach?…