Digital transformation is revolutionizing how companies operate and compete. An important part of successful digital transformation is cloud security. To be frank, however, the “defend the perimeter” methods of securing on-premises data, applications, systems and environments are not a good fit for this strategy. Why? Because at the foundation of every successful digital journey is cloud computing. Given that much of what you’ve been protecting on-premises will be gone, you have to think differently about the security process and take new or modified steps.
That said, there are certain philosophies and approaches that apply no matter what. Therefore, the considerations you make are a mix of old and new. To help you plan your cloud security, here are 10 things you should take into consideration.
1. Understand the shift
With on-premises installations, you go it alone. But you have a partner when you host resources on a public cloud service provider’s infrastructure. Who is responsible for what (in terms of security) depends on the cloud service model you use (IaaS, PaaS or SaaS). At the end of the day, you are accountable for ensuring your solution is secure and meets compliance obligations. So you should reevaluate your controls for shared responsibility.
Start with the Cloud Security Alliance Cloud Controls Matrix (CCM). If you are not familiar with the Cloud Security Alliance, it is a non-profit organization that is “dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment.” The CCM is a common set of controls and control details for cloud-specific risk. CCM also details updated control specifications for cloud, which are mapped back to major frameworks (FedRAMP, NIST, ISO and PCI). The big benefit? CCM reduces the risk of failing to consider important factors when migrating to the cloud.
2. People, process and technology is an adage for a reason
You can apply this tried and true philosophy to cloud security. Start by addressing the organizational challenges that security teams face when moving to the cloud. Make sure your cloud security project includes CISO and CIO alignment, process formalization, orchestration and automation. Follow up with continuous training. Design a security technology architecture in which tools work together to analyze data and automate tasks.
3. A risk-based cloud security approach works
Yes, just as you did with your on-premises systems, you should use this approach with cloud security. Focus on prioritizing information security threats, understanding the techniques that may be employed as part of an attack and evaluating the capability of controls to prevent, detect and respond to an attack. Risk assessments should also be a critical part of developing your risk-based approach to cloud security.
4. Don’t be free with your privileges
Your experience with on-premises security has taught you that you should only grant the minimal set of privileges for an action. This doesn’t change in the cloud. As you build out your cloud security plan, effectively align each user to an appropriate role and associated privileges. Think of it as not giving your plumber access to your car.
5. Harden your operating system and prepare to manage patches
No matter your application, hardened virtual machines help keep you safe in the cloud. You will also need to implement a patch management process. If you have one for your on-premises systems, don’t assume it will apply to the cloud.
6. Keep your anti-virus and anti-malware current
Threats to cloud installations are dynamic, changing regularly and often dramatically. You need real-time protection that identifies and removes viruses, spyware, and other malicious software. You can configure it to send alerts when malicious or unwanted software attempts to install itself or run on your Azure systems.
7. Monitor, monitor, monitor
It’s important to monitor your cloud environments to maintain their availability and performance. There are a number of cloud monitoring solutions available, depending on your environment and needs. I highly recommend one that can monitor hybrid environments and offers an appropriate set of monitoring tools that not only alerts you to potential problems but is designed to promote healthier infrastructure.
8. Look for the anti-patterns
Change is hard. When faced with a problem, your team will use the patterns and practices they know. When it comes to cloud security, that may not be the best way. Let me give you an example. What does every security team love? Logs. So, most security teams will want to pull all the data from the cloud down into their on-premises log analytics tool. This is an anti-pattern to look for. Here’s why.
Cloud’s dirty little secret is that data coming in is free but you pay for data transfer going out. So by pulling all of the logs down, you are incurring extra costs. The other thing you are doing is going against the characteristics of cloud. If you think about how NIST defines cloud and its essential characteristics, such as “on-demand self-service” and “rapid elasticity,” you are going against those.
9. Work with DevOps teams to build in security
If there’s any kind of barrier between your developers and the cloud, the developers will go around it. Use native governance, and put guardrails in place. Don’t be a choke point. Also, restrict deployment options for your organization to specific data centers or enable the creation of specific resource types only. Establish metadata tagging to help drive accountability, compliance and more.
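The three guardrails named above (allowed data centers, allowed resource types, mandatory tags) can be expressed as a single deny rule in the platform's native governance service. The following is an added example, not part of the original article: it assumes Azure (which the article mentions) and its Azure Policy service, and the display name, parameter names and the default tag name "owner" are constructed for illustration.

```json
{
  "properties": {
    "displayName": "Example guardrail: regions, resource types, required tag",
    "description": "Added illustration, not from the original article. Parameter names and the default tag name are constructed.",
    "policyType": "Custom",
    "mode": "Indexed",
    "parameters": {
      "allowedLocations": {
        "type": "Array",
        "metadata": { "displayName": "Allowed locations", "strongType": "location" }
      },
      "allowedResourceTypes": {
        "type": "Array",
        "metadata": { "displayName": "Allowed resource types", "strongType": "resourceTypes" }
      },
      "requiredTagName": {
        "type": "String",
        "defaultValue": "owner",
        "metadata": { "displayName": "Tag every resource must carry" }
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              { "field": "location", "notIn": "[parameters('allowedLocations')]" },
              { "field": "location", "notEquals": "global" }
            ]
          },
          { "not": { "field": "type", "in": "[parameters('allowedResourceTypes')]" } },
          {
            "field": "[concat('tags[', parameters('requiredTagName'), ']')]",
            "exists": "false"
          }
        ]
      },
      "then": { "effect": "deny" }
    }
  }
}
```

Because the mode is "Indexed", the rule is evaluated only for resource types that support location and tags. Assigning it first with the effect set to "audit" shows what would be blocked before developers start hitting denials.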
10. If you need advanced security and compliance, look for a partner
When you have a security requirement that calls for the next level of security and compliance, look to partners to provide those solutions. My advice in this area is to consider partners who are invested in the ecosystem. They should offer advanced solutions for vulnerability scanning, managed IDS, web application firewalls and compliance, all fully managed in their 24×7 Security Operations Center by a team of experts. Hybrid scenario support is also something to consider.
Be part of the 60%
Experts say that you can increase the security of your cloud deployments by following best practices and deploying the right cloud security technology. According to Gartner, “By 2018, the 60 percent of enterprises that implement appropriate cloud visibility and control tools will experience one-third fewer security failures.” If you take into account the top 10 considerations I’ve described, you’ll be well on your way to being part of that 60%.
For information on what you need to do when planning to secure your Azure environment, download “The Azure Security Playbook,” which has best practices for successful Azure security.