Stepping into the Cloud Requires New IT Security Tactics - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

08:00 AM
Connect Directly

Stepping into the Cloud Requires New IT Security Tactics

Adopting a strategy to embrace the cloud should include adequate plans to control and monitor the new environment.

As organizations chase advantages made possible through cloud transformation, it is possible they might tread in spaces their security protocols are not prepared for. Many executives and IT teams may be under pressure to advance cloud migration strategies, but such a push can leave some considerations overlooked.

Security measures that served on premise might not cover all the nuances of cloud computing, hybrid cloud, and multi-cloud environments -- if they are not adapted for the cloud. Some industry players have a few perspectives on what to watch for and how to mitigate security exposure when making the migration.

Image: Monster Ztudio - Adobe Stock
Image: Monster Ztudio - Adobe Stock

The competitive advantages of the cloud include flexibility and potentially lower costs, yet there are new risks that also can come into play. The cloud is also a frontier for a growing number of threats, says Sash Sunkara, CEO and co-founder of RackWare, a provider of a hybrid cloud management platform. That makes security crucial as organizations adopt multi-cloud or hybrid strategies, she says.

IT shops may have issues if developers put sensitive business data in the public cloud without following proper protocols as they work. A focus on security is not intended to limit their usage of new technology, Sunkara says, however there is a need to maintain control. “Shops today already have processes to harden [on-prem] applications to make sure they don’t have holes or become security threats,” she says. Adapting such security resources for the cloud can be part of the solution.

When old methods are not enough

There can be some confusion, however, as in-house IT teams work to secure hybrid and multi-cloud environments, says Tim Woods, vice president of technology alliances at network security management company FireMon. “About half the teams we interface with -- traditional IT security, infrastructure, and firewall management team -- are taking responsibility for the cloud,” he says.

Such teams usually collaborate with DevOps and application deployment teams as well as talk to customers they may have not dealt with before. The speed at which the businesses want to deploy to the cloud can surpass their teams’ ability to secure their environments. “Security teams are struggling to adapt to that,” Woods says.

Lost in translation

Though there might be ways to extend tools and security from on-prem to the cloud, he says some of those features might not translate neatly to the cloud. Such concerns become top of mind for CIOs and CEOs as they review strategic technology initiatives. “They go through this process of needing to quantify their return on security investments for all the different tools they have,” Woods says. That means determining which tools bring value in achieving goals and which ones need to be replaced.

The need to identify and close vulnerabilities is exacerbated by a talent pool shortage in cloud expertise and security, Woods says. Engineers are trying to update their tools and skillsets to meet this demand, but many companies are still on the hunt for such talent. “Some companies are just looking for one or two really good people to train the rest of the team,” he says.

Putting the IT house in order

Establishing order is essential, Woods says, because of the potential for uncoordinated cloud sprawl, particularly in multi-cloud environments. This can include bloated, duplicate rules for firewalls that are introduced along the way. As the complexity of environments increases, if there is a fragmentation of responsibilities and a lack of consistency in following a centralized security policy, the probability of human error escalates as well. Security vendors are creating blueprints, Woods says, that organizations can follow to help establish best practices.

Sunkara says RackWare can create templates based on the security that surrounds on-prem applications that can be used in cloud. It is a way to extend the comfort of security protocols established within the organization beyond their data centers to the cloud. That means making sure there are hardened images, encryption, and rules on who gets access to what and where. This should include an audit trail that tracks usage to better identify and resolve threats.

Sash Sunkara, RackWare
Sash Sunkara, RackWare

Enterprises may have IT protocols and multilayered security strategies in place on premise. That should not change in the cloud, Sunkara says. “It really should be an extension of what they do today,” she says. “You should have the same type of control and processes.”

Simply adopting the security practices of a cloud provider, and assuming those practices will meet all needs, can leave an organization at risk of exposure, which can lead to regrettable consequences. “Once you’re hit, it’s definitely hard to go back,” Sunkara says.

Assessing the weaknesses

It may be worthwhile for an organization to conduct a bit of security “triage” to better fight threats, says Todd Matters, chief architect and co-founder of RackWare. One of the more insidious security threats faced in the cloud is ransomware, he says. “It’s not just about intrusion and stealing your data,” Matter says. “It’s actually about kidnapping your data.”

A triage process can help enterprises better understand what the most sensitive applications will be in a hybrid cloud environment as well as any inherent vulnerabilities in those applications. There are ways to build robust cloud security from existing security infrastructure, he says. Most data centers have already established communication networks and security mechanisms within an organization, he says. That can be applied, with some work, to the hybrid cloud. “We’re really not starting from scratch,” he says.

Joao-Pierre S. Ruth has spent his career immersed in business and technology journalism first covering local industries in New Jersey, later as the New York editor for Xconomy delving into the city's tech startup community, and then as a freelancer for such outlets as ... View Full Bio
We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
InformationWeek Is Getting an Upgrade!

Find out more about our plans to improve the look, functionality, and performance of the InformationWeek site in the coming months.

IT Leadership: 10 Ways to Unleash Enterprise Innovation
Lisa Morgan, Freelance Writer,  6/8/2021
Preparing for the Upcoming Quantum Computing Revolution
John Edwards, Technology Journalist & Author,  6/3/2021
How SolarWinds Changed Cybersecurity Leadership's Priorities
Jessica Davis, Senior Editor, Enterprise Apps,  5/26/2021
White Papers
Register for InformationWeek Newsletters
2021 State of ITOps and SecOps Report
2021 State of ITOps and SecOps Report
This new report from InformationWeek explores what we've learned over the past year, critical trends around ITOps and SecOps, and where leaders are focusing their time and efforts to support a growing digital economy. Download it today!
Current Issue
Planning Your Digital Transformation Roadmap
Download this report to learn about the latest technologies and best practices or ensuring a successful transition from outdated business transformation tactics.
Flash Poll