While most large enterprises are moving to the cloud in some form, the path is never as direct as chief information officers (CIOs) and chief information security officers (CISOs) might like it to be. Most come to terms with the fact that the cloud won’t be a single offering, but rather a hybrid multicloud that aligns critical applications with cloud service offerings that best suit their needs.
The journey to the cloud can be manageable, but it requires proactive planning and execution by a team with the right skills and domain knowledge. When conducted haphazardly, migrating to a hybrid multicloud too often disrupts an organization’s existing security controls.
Cloud service providers (CSPs) may boast about robust security measures, but those controls cover only the portion of your data and workloads that sits inside their environment, and even there they stop at whatever the CSP regards as the customer's side of the "boundary." In every cloud model, at least some controls remain the customer's to implement, and a hybrid multicloud multiplies the boundaries to understand, the controls to manage and the places where a gap can open and raise the organization's risk.
By combining a strategic cloud security program with the right security tools and services, organizations can tackle cloud migration with confidence that risks will be managed effectively.
Who Is Responsible for Securing Assets and Operations in the Cloud?
When migrating to the cloud, it’s natural to assume that the CSP will shoulder at least some of the burden of protecting your data. After all, you controlled security from the ground up in your data center, so if you own less, the CSP must own more. This is true to an extent, but it must never be forgotten that you are in charge of protecting your data. If you can control something in the cloud, there’s a good chance that the CSP believes it’s your responsibility to secure.
In infrastructure-as-a-service (IaaS) offerings, the boundary between client and provider responsibility is usually drawn at the hypervisor: the provider secures the physical hosts and the virtualization layer, while everything above it, including the guest operating system and its patching, is yours to configure as securely as your organization's risk tolerance demands. For platform-as-a-service (PaaS) offerings, the provider may manage some or all of the operating system, but the application and its configuration are usually yours, including in container-based offerings. Even in a software-as-a-service (SaaS) environment, the CSP usually won't control how or why you grant access to users; identity and access decisions stay on your side of the boundary.
Shared Risks? How?
A boundary is a good thing! Your data is yours, your time and money are yours, and you should be empowered to manage risk based on your mission and needs. However, it’s your responsibility to understand the security functions you’re leaving back at your data centers, then develop a plan to replicate and improve upon that functionality in your multicloud environment. Application security testing, scanning, agent-based security tools, security information and event management (SIEM) and more are just as relevant in the cloud as they were before — even more so, in fact, given how easy it can be to deploy applications and scale up aggressively in the cloud.
A cloud offering may provide some of these services, but without a full-scope security program that addresses strategy, operations and risk management, an organization won’t truly understand where its responsibilities end and the cloud provider’s begin.
Think Big Picture to Build a Strong Cloud Security Strategy
There’s no need to overcomplicate your cloud security strategy at first. Organizations can do a few simple things upfront that can greatly reduce headaches down the line, and it helps to strategize in terms of big-picture capabilities rather than specific tools or detailed processes.
One of the most critical tasks to achieve cloud security happens to be one of the easiest: Ask your CSPs if they can provide a customer responsibility matrix (CRM), preferably even before you purchase any cloud services. This document describes the security controls that are the responsibility of the CSP, the controls that they assert are fully the responsibility of the customer, and controls that are shared across the customer/provider boundary. It may contain hundreds of controls and be a bit difficult to parse, but it will provide tremendous insight into what the boundary looks like and where responsibility lies.
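The two tasks above, inventorying the security functions you leave behind in the data center and reading the CSP's customer responsibility matrix, come together in a gap analysis. The following is an added example written for this article, not code from the article's author or from any CSP. It assumes the CRM can be exported as CSV with columns control_id, title, responsibility (provider, customer or shared) and provider_note, and that the organization keeps an inventory of the controls it already operates on premises keyed by the same control IDs. Both the CRM rows and the inventory are constructed; the NIST-style control IDs are illustrative only.

```python
"""Gap analysis over a cloud provider's customer responsibility matrix (CRM).

Added example, not part of the original article. The CSV layout, the
control IDs and the on-premises inventory are assumptions made here.
"""
import csv
import io
from collections import Counter

# Constructed CRM excerpt. A real CRM may run to hundreds of rows.
CRM_CSV = """control_id,title,responsibility,provider_note
AC-2,Account management,customer,
AC-17,Remote access,shared,Provider secures the hypervisor management plane
AU-6,Audit review and analysis,customer,
IR-4,Incident handling,shared,Provider handles incidents affecting its own infrastructure
PE-3,Physical access control,provider,
SC-7,Boundary protection,shared,Provider protects the physical network edge
SI-4,System monitoring,customer,
CM-6,Configuration settings,customer,
"""

# Constructed on-premises inventory: control_id -> how it is implemented today.
DATACENTER_CONTROLS = {
    "AC-2": "Directory provisioning workflow",
    "AU-6": "SIEM correlation rules",
    "IR-4": "Incident response runbooks",
    "SC-7": "Perimeter firewalls and IDS",
    "PE-3": "Badge readers and on-site guards",
}

VALID_RESPONSIBILITIES = {"provider", "customer", "shared"}


def parse_crm(text):
    """Parse the CRM CSV and normalize the responsibility column.

    Rejects rows with an unrecognized responsibility value rather than
    silently treating them as the provider's problem.
    """
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        value = row["responsibility"].strip().lower()
        if value not in VALID_RESPONSIBILITIES:
            raise ValueError(
                f"{row['control_id']}: unknown responsibility {row['responsibility']!r}"
            )
        row["responsibility"] = value
    return rows


def gap_analysis(crm_rows, inventory):
    """Split CRM controls into three lists, preserving CRM order.

    missing:        customer or shared controls with no existing implementation
    carry_over:     customer or shared controls already run on premises and
                    therefore to be replicated in the cloud
    provider_owned: controls the CSP asserts are entirely its own
    Shared controls are treated as customer work: the customer still owns
    its side of the boundary.
    """
    missing, carry_over, provider_owned = [], [], []
    for row in crm_rows:
        cid = row["control_id"]
        if row["responsibility"] == "provider":
            provider_owned.append(cid)
        elif cid in inventory:
            carry_over.append(cid)
        else:
            missing.append(cid)
    return missing, carry_over, provider_owned


def summarize(crm_rows):
    """Count controls per responsibility class, e.g. for a migration dashboard."""
    return Counter(row["responsibility"] for row in crm_rows)


if __name__ == "__main__":
    rows = parse_crm(CRM_CSV)
    missing, carry_over, provider_owned = gap_analysis(rows, DATACENTER_CONTROLS)
    print("Responsibility split:", dict(summarize(rows)))
    print("Must be built before migration:", missing)
    print("Must be replicated from the data center:", carry_over)
    print("Provider-owned in the cloud:", provider_owned)
```

The "missing" list is the one to take to the migration plan: each entry is a control the CSP expects you to own and for which nothing exists yet. Shared controls deliberately land on the customer side of the split, because a CRM row marked "shared" still leaves the customer's portion unimplemented until someone builds it.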
Concurrently, don’t be afraid to get help with the big picture. The National Institute of Standards and Technology (NIST) in the U.S. has long been the key technical resource for federal agencies and commercial entities providing federal IT services, and in 2014, NIST released the first version of its Cybersecurity Framework. Although this was informed by the highly structured frameworks the U.S. government mandates for federal systems and the commercial clouds that host them, it was specifically developed for use by private sector organizations. The framework illustrates the simple concepts that form the foundation of an effective cybersecurity program: identify, protect, detect, respond and recover.
A strong strategic plan will help you incorporate these functions into your multicloud approach, translate them to detailed security practices and develop a governance capability that enforces consistency across your environment. Armed with detailed knowledge about your clouds and a rock-solid strategy, you can start to integrate security services that best fit your needs. There’s no getting around the fact that security will look a little different in each cloud, but a managed security services provider (MSSP) with experience providing services across complex cloud environments can help you fill in the gaps.
Adopt Proven Cloud Security Practices
The advantages of migrating to the cloud (or clouds) are numerous. To the extent that there are disadvantages, especially security disadvantages, most of them stem from not having experienced security professionals who can make sense of the new boundaries and responsibilities.
Start with security strategy. In order to develop a secure migration strategy, organizations need to understand the as-is environment in their data centers, the to-be environment in the offerings that make up their hybrid multicloud, how risks change as resources move to the cloud and how to develop milestones that mitigate those risks. Strategic advisors with deep cloud experience can help you develop the security governance plan that will prevent a migration from spiraling into chaos, then enable effective risk management as the organization moves toward cloud maturity.
Next, cloud-optimized managed security services can help you turn a great migration strategy into reality. Security isn’t set in stone once the migration is complete, and strong security services are the key to maintaining NIST’s five cybersecurity functions throughout the system development life cycle (SDLC). These services can include SIEM, endpoint security, penetration testing, incident response, threat intelligence and more so that security within your cloud boundary is covered.
Finally, migration may be a good time to consider architectural changes that take advantage of the best that security technology has to offer. When secured correctly, containers often provide significant advantages over more traditional architectures. Using platforms that leverage containerization, organizations can build and scale applications quickly, simplify the relationship between developers and their IT resources, and work from immutable, version-controlled images that can be scanned before deployment and rebuilt rather than patched in place. A security services provider with container experience can then extend protection across your environment by performing monitoring, scanning, governance and more.
As long as you understand where your cloud boundary is, what security capabilities you need to bring to the hybrid multicloud and how you plan to govern multiple clouds under one security program, you’ll be set up for cloud migration success. No one service can make you perfectly safe, but planning and executing the right set of cloud security services will lower risk, improve response capabilities and, ultimately, allow you to reap the benefits of the cloud with confidence in your security program.