More and more businesses are migrating to cloud services as part of their digital transformation. However, there’s one area that is often neglected: security.
Some assume that security is the sole responsibility of their Cloud Service Provider (CSP). Others don’t always have visibility into what’s being deployed in the cloud; if they don’t know what’s there, how can they secure it?
Security in a hybrid cloud environment is even more problematic. Today, many businesses use multiple CSPs for a number of reasons: for example, to benefit from best-in-breed services, to prevent vendor lock-in, or to guard against a cloud provider outage. It might even be due to local geo-political considerations. However, if there is no defined cloud strategy, the result can sometimes be an unmanaged and ungoverned cloud deployment.
To combat this complexity, businesses need to first establish a clear cloud strategy, which includes proper rules and governance around how, when and why CSPs are chosen and for what services.
First, any security strategy which encompasses cloud needs to include visibility and monitoring.
Workloads can be deployed at pace both within and across CSPs and, from an operational and security point of view, it can be a real challenge to maintain and manage them on a daily basis. However, restricting deployments could prevent businesses from achieving the full benefits of the cloud, which is why it’s vital that businesses monitor their cloud deployments from a workload perspective. This includes ensuring security alerts and incidents have the visibility they require and, if applicable, monitoring an organization’s regulatory compliance levels too. Only once businesses achieve visibility of their cloud infrastructure can they begin to safeguard their assets and workloads.
Second, automate to optimize security.
Automation is the key to realizing consistent levels of security across both on-premise and cloud environments, while also enabling the business to meet its objectives around time saving, agility, scalability and cost effectiveness in this rapidly changing ecosystem.
Unfortunately, all too often traditional security is seen as cumbersome and is not considered part of the automation pipeline. While infrastructure and applications are becoming highly automated, using tools like Terraform, Ansible or Chef, security configurations and controls are often ignored. However, by building security into an automation strategy – as part of the ‘shift left’ paradigm – security can be an integral part of the application lifecycle, rather than an unwanted constraint.
Third, security needs to be less of a barrier and more of a guardrail.
Security has been one of the main reasons businesses have chosen not to migrate to the cloud. Yet, if good practices are put in place, it needn’t hold you back.
Businesses must first determine why they want to move to the cloud, and identify the technical and business drivers for the change. They then need to define a cloud strategy which encompasses every part of the business, from development and security through to legal and operations.
Finally, a joined-up and cohesive approach is imperative. If every department goes its own way, there’s no way of knowing if the cloud services being used are in conflict with other services deployed across the organization.
The scalability and flexibility offered by the cloud provide great opportunities for organizations to accomplish their business goals. In this new app-centric world, the rate of change needs to be reflected across all aspects of IT, whether that’s development, infrastructure or security. The cloud plays a vital part in achieving this. However, as outlined, this brings extra responsibilities to businesses, and anxiety to those cybersecurity professionals required to secure it.
A security-strategy-first approach is key to making sure security matches this new cloud environment and, crucially, grows as an organization’s infrastructure grows, whether that’s on-premise or in the cloud.