Cloud Security Planning in the Time of Social Distancing - InformationWeek


Cloud Security Planning in the Time of Social Distancing

With organizations compelled to push work out to remote teams, cloud security becomes a very tangible matter.

The rapid move to remote work can raise security questions for organizations that must now lean heavily on their cloud resources. In some cases, teams may be relying on familiar systems and platforms that were established well in advance because of accelerated digital transformation and cloud migration. For other organizations, this may feel like a trial by fire. Security solutions company Optiv and enterprise software developer Atlassian offer some insight on what organizations should consider when it comes to cloud security concerns during the COVID-19 outbreak.

Image: Mikko Lemola-AdobeStock

Adrian Ludwig, Atlassian’s chief information security officer, says his company has employees around the world and the majority of the business is cloud based. “With two exceptions, we don’t run our own data centers,” he says. Employee laptops make up the primary hardware used by Atlassian, Ludwig says, and in recent years, the company put security measures in place to authenticate devices people use. Even with those steps, he says the company still ran into some hiccups in recent weeks when the entire team was directed to work from home. “The capacity we had for our VPN was nowhere near as large as it needed to be,” Ludwig says. “That was found out in a rolling cascade of failures.”

This led to changes in routing, he says, in order to restore secure access to services. Atlassian follows the zero-trust networking principle with different corporate applications assigned varying levels of protection. “Our most sensitive applications are only accessible from a corporate device,” Ludwig says, with less-sensitive areas available through personal devices.

Adrian Ludwig, Atlassian (Image: Atlassian)

Security steps that he recommends organizations consider include categorizing applications to identify which ones are used daily and therefore will be needed remotely. Then organizations should consider the ways remote teams will tap into those resources, Ludwig says, and prioritize securing those connections. “Think about what that access looks like and how users will authenticate to that,” he says.

Joe Vadakkan, global cloud security leader at Optiv, says many enterprises already had some sort of remote plan or remote workforces to some degree. “From their perspective, it’s just about scaling it at a higher level,” he says. That includes increasing VPN access and virtual desktops, which can also mean higher risk.

The move to remote work, though, increases the need for security awareness training, Vadakkan says, as employees transition from operating within the controls of on-prem infrastructure. For example, an employee at home might use a personal laptop for the sake of convenience to download sensitive data or log into company email and other resources. “Those are some of the highest-risk areas from an end-user standpoint,” Vadakkan says.

There are security resources available, he says, with services such as Amazon WorkSpaces and Microsoft’s Virtual Desktops that can be used with quick and minimal setup.

Controls and guardrails need to be established for observability and monitoring in the cloud, Vadakkan says, as organizations make this shift to remote. Security hygiene must improve to keep up as risks escalate, he says. Lapses in human behavior could unwittingly create points of exposure that hackers might attempt to exploit. “During this time, people are going to be spinning up a lot of workloads without security controls,” he says. “That is bound to happen.”

Questions Vadakkan says organizations should discuss include capacity planning and matching rules to the increasing volume of remote work. “Traditionally, enterprises that are risk averse have everything locked out,” he says. “Anything that’s not corporate IP is just shut down. Managing that at a higher scale is on the checklist.”

Companies may have continuity plans in place, and Vadakkan says it is important for those plans to include an understanding of data governance as people work from home. He suggests reviewing data loss prevention measures and discussing the ramifications of business communications taking place over nonsecure, commercial versions of resources such as Skype, Google Talk, or mobile texting. As people operate outside a corporate network, the chances increase that they might use a plethora of unsecure communication channels that may move faster or be simpler to access. The problem is that using such conveniences may run the risk of exposing the company to bad actors who have been waiting for someone’s guard to come down. “We are already seeing massive phishing campaigns going on around COVID-19,” Vadakkan says.

Joao-Pierre S. Ruth has spent his career immersed in business and technology journalism first covering local industries in New Jersey, later as the New York editor for Xconomy delving into the city's tech startup community, and then as a freelancer for such outlets as ...