So, you may be asking, how do I take advantage of the cloud and keep my IT environment secure? It is indeed possible to achieve a robust security posture in the cloud. But there’s no denying that in many ways, doing so is a lot different than it is on-premises.
Thinking carefully about the following five areas can help any organization achieve the cloud security it requires:
1. Planning your strategy
At the earliest stages of developing your cloud migration strategy, think broadly when determining who has a stake in cloud security. In addition to IT, include departments such as legal, procurement, human resources, your program management office, compliance, product development, and partners. Having experienced partners and a skilled support staff will be critical to any successful migration strategy. We’d recommend you get them involved as early as possible.
2. The shared responsibility model
When you migrate to the cloud, security becomes a shared responsibility between you and the cloud provider. All the major providers have documentation that spells out how that responsibility is divided. Read that documentation extremely carefully and determine the impact of each model on your migration strategy and how the impacted teams will operate within each.
The Microsoft Shared Responsibility Model, showing how security is shared between Azure and its customers.
A similar model used by Amazon Web Services (AWS) for its customers.
3. Data protection
Having a clearly defined and enforceable data lifecycle strategy, ensuring data is protected in transit and at rest, is one of the most important aspects of any cloud migration. You need to understand what sensitive data you are migrating and leverage the tools and processes to keep it protected, including cloud access security brokers (CASB).
A cloud access security broker, according to Gartner, “is an on-premises or cloud-based security policy enforcement point that is placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as cloud-based resources are accessed.” CASBs are powerful tools because they give you a centralized view of all your cloud resources.
Many IT teams that deploy a CASB for the first time realize that there are many cloud resources in use that they were previously unaware of, some of which may be placing sensitive data at risk. By using CASBs and other tools, you can regain visibility into where data resides and apply the proper safeguards to keep it protected.
4. Identity and access management
Always use multi-factor authentication (MFA) for privileged user access. Without MFA, you’re one stolen password away from a breach. It’s common for malicious parties to embed malware in email attachments and in watering-hole attacks. Consider single sign-on (SSO) solutions that have multi-factor authentication built in.
For example, an employee with access to sensitive cloud resources may click on a malicious email attachment, not knowing a concealed keystroke logger is also included as part of the download. After the malware is installed, the keystroke logger would then be used to steal their password. Without a second form of authentication, the malicious actor would have everything they need to access the cloud environment.
By adding that second form of authentication for login attempts that are unusual — for example, from a different location or at a different time than is normal for a specific user — you can make it much harder for a malicious hacker to execute a successful breach.
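The step-up decision described above, sketched as an added example that is not part of the original article. The `Login` record, the country and hour-of-day signals, and the thresholds are assumptions chosen for illustration, and the login history is constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Login:
    user: str
    country: str            # assumed to be resolved upstream, e.g. from IP geolocation
    when: datetime          # UTC
    privileged: bool = False


def usual_hours(history, slack=1):
    """Hours of day (0-23) seen in past logins, widened by `slack` hours each side."""
    hours = set()
    for h in history:
        for d in range(-slack, slack + 1):
            hours.add((h.when.hour + d) % 24)
    return hours


def step_up_reasons(attempt, history, min_history=5):
    """Return why a second factor is required; an empty list means none is needed."""
    reasons = []
    if attempt.privileged:
        # Privileged access always gets MFA, whatever the context looks like.
        reasons.append("privileged account")
    past = [h for h in history if h.user == attempt.user]
    if len(past) < min_history:
        # No baseline yet: fail closed instead of guessing what is normal.
        reasons.append("insufficient history")
        return reasons
    if attempt.country not in {h.country for h in past}:
        reasons.append("unfamiliar location")
    if attempt.when.hour not in usual_hours(past):
        reasons.append("unusual time")
    return reasons


# Constructed sample data: five weekday logins from one country, 09:00-13:00 UTC.
HISTORY = [Login("alice", "US", datetime(2024, 3, 1 + i, 9 + i, 15)) for i in range(5)]

if __name__ == "__main__":
    for attempt in (
        Login("alice", "US", datetime(2024, 3, 8, 10, 0)),
        Login("alice", "RO", datetime(2024, 3, 8, 3, 0)),
        Login("root-admin", "US", datetime(2024, 3, 8, 10, 0), privileged=True),
    ):
        print(attempt.user, attempt.country, step_up_reasons(attempt, HISTORY) or "password only")
```

A stolen password replayed from a new country at 03:00 triggers both signals, while the user's normal morning login does not.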
5. Cloud-native tools
Tools rationalization is often overlooked during cloud migrations. Don’t assume that tools that work well in on-premises environments will be as effective in the cloud or vice versa.
Taking the time to understand the many cloud-native security offerings provided by the cloud provider’s services and how they will play into your security tools strategy could pay big dividends. For example, the major cloud providers have sophisticated logging and monitoring capabilities built into their platforms. These can help you understand exactly who has done what in your cloud environment — a critical component of security incident response and resolution.
While it’s smart to augment cloud-native security tools with third-party offerings for complete protection, don’t overlook the tools that you can get directly from the cloud provider.
Gary Miglicco, SVP of Security at PCM, has over 40 years of experience as an innovative thinker and advisor to business, government officials and the government industry. His broad range of experience includes business development, operations, and P&L for 30 years of his career in Public Services and Commercial industries, including SVP and COO roles at Bearing Point, e-Plus and MMC.
Doug Martin, Director of Security within PCM’s Cyber Security practice and a former CISO, has over 20 years’ experience leading large-scale Cyber Security transformation programs with global footprints. His experience spans a range of industries, including retail, financial services, transportation and energy.