Cloud Security Planning in the Time of Social Distancing - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
Cloud
Commentary
3/20/2020
08:00 AM
Connect Directly
Twitter
RSS
50%
50%

Cloud Security Planning in the Time of Social Distancing

With organizations compelled to push work out to remote, cloud security becomes a very tangible matter.

The rapid move to remote work can raise security questions for organizations that must now lean heavily on their cloud resources. In some cases, teams may be relying on familiar systems and platforms that were established well in advance because of accelerated digital transformation and cloud migration. For other organizations, this may feel like a trial by fire. Security solutions company Optiv and enterprise software developer Atlassian offer some insight on what organizations should consider when it comes to cloud security concerns during the COVID-19 outbreak.

Image: Mikko Lemola-AdobeStock
Image: Mikko Lemola-AdobeStock

Adrian Ludwig, Atlassian’s chief information security officer, says his company has employees around the world and the majority of the business is cloud based. “With two exceptions, we don’t run our own data centers,” he says. Employee laptops make up the primary hardware used by Atlassian, Ludwig says, and in recent years, the company put security measures in place to authenticate devices people use. Even with those steps, he says the company still ran into some hiccups in recent weeks when the entire team was directed to work from home. “The capacity we had for our VPN was nowhere near as large as it needed to be,” Ludwig says. “That was found out in a rolling cascade of failures.”

This led to changes in routing, he says, in order to restore secure access to services. Atlassian follows the zero-trust networking principle with different corporate applications assigned varying levels of protection. “Our most sensitive applications are only accessible from a corporate device,” Ludwig says, with less-sensitive areas available through personal devices.

Adrian Ludwig, AtlassianImage: Atlassian
Adrian Ludwig, Atlassian

Image: Atlassian

Security steps that he recommends organizations consider include categorizing applications to identify which ones are used daily and therefore will be needed remotely. Then organizations should consider the ways remote teams will tap into those resources, Ludwig says, and prioritize securing those connections. “Think about what that access looks like and how users will authenticate to that,” he says.

Joe Vadakkan, global cloud security leader at Optiv, says many enterprises already had some sort of remote plan or remote workforces to some degree. “From their perspective, it’s just about scaling it at a higher level,” he says. That includes increasing VPN access and virtual desktops, which can also mean higher risk.

The move to remote work though increases the need for security awareness training, Vadakkan says, as employees transition from operating within the controls of on-prem infrastructure. For example, an employee at home might use a personal laptop for sake of convenience to download sensitive data or log into company email and other resources. “Those are some of the highest-risk areas from an end-user standpoint,” Vadakkan says.

There are security resources available, he says, with services such as Amazon WorkSpaces and Microsoft’s Virtual Desktops that can be used with quick and minimal set up.

Controls and guardrails need to be established for observability and monitoring in the cloud, Vadakkan says, as organizations make this shift to remote. Security hygiene must improve to keep up as risks escalate, he says. Lapses in human behavior could unwittingly create points of exposure that hackers might attempt to exploit. “During this time, people are going to be spinning up a lot of workloads without security controls,” he says. “That is bound to happen.”

Questions Vadakkan says organizations should discuss include capacity planning and matching rules to the increasing volume of remote work. “Traditionally, enterprises that are risk averse have everything locked out,” he says. “Anything that’s not corporate IP is just shut down. Managing that at a higher scale is on the checklist.”

Companies may have continuity plans in place and Vadakkan says it is important for those plans to include an understanding of data governance as people work from home. He suggests reviewing data loss prevention measures and discuss ramifications of business communications taking place over nonsecure, commercial versions of resources such as Skype, Google Talk, or mobile texting. As people operate outside a corporate network, the chances increase that they might use a plethora of unsecure communication that may move faster or are simpler to access. The problem is that using such conveniences may run the risk of exposing the company to bad actors who have been waiting for someone’s guard to come down. “We are already see massive phishing campaigns going on around COVID-19,” Vadakkan says.

For more on technology and the coronavirus:

Coronavirus: 8 Tech Tips for Working From Home

Fighting the Coronavirus with Analytics and GIS

Developing a Continuity Plan for the Post-Coronavirus World

Joao-Pierre S. Ruth has spent his career immersed in business and technology journalism first covering local industries in New Jersey, later as the New York editor for Xconomy delving into the city's tech startup community, and then as a freelancer for such outlets as ... View Full Bio
We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Commentary
The Best Way to Get Started with Data Analytics
John Edwards, Technology Journalist & Author,  7/8/2020
Slideshows
10 Cyberattacks on the Rise During the Pandemic
Cynthia Harvey, Freelance Journalist, InformationWeek,  6/24/2020
News
IT Trade Shows Go Virtual: Your 2020 List of Events
Jessica Davis, Senior Editor, Enterprise Apps,  5/29/2020
White Papers
Register for InformationWeek Newsletters
The State of IT & Cybersecurity Operations 2020
The State of IT & Cybersecurity Operations 2020
Download this report from InformationWeek, in partnership with Dark Reading, to learn more about how today's IT operations teams work with cybersecurity operations, what technologies they are using, and how they communicate and share responsibility--or create risk by failing to do so. Get it now!
Video
Current Issue
Key to Cloud Success: The Right Management
This IT Trend highlights some of the steps IT teams can take to keep their cloud environments running in a safe, efficient manner.
Slideshows
Flash Poll