Finding Your ‘North Star’ in Cloud Computing Security

Cloud computing has undergone a similar journey to other introductions of popular technology: Embrace first, ensure later. Cloud transformation has mostly been facilitated by IT functions at the request of the business, with security functions often taking a secondary role. In some organizations, this has been due to politics and unshakeable trust in the cloud services providers (CSPs), for example, AWS, Microsoft, and GCP.

For others, it has been because security functions only knew and understood on-premises deployments and simply didn’t have the knowledge and capability to securely adapt to cloud or hybrid architectures and translate policies and processes to the cloud. In fortunate organizations, this has only led to stalled migrations while the security and IT organizations caught up. For unfortunate organizations, this has led to breaches, business disruption, and loss of data.

Cloud security can be complicated. However, more often than not, it is ridiculously simple — the misconfigured S3 bucket being a prime example. It reached a point where malefactors could simply look for misconfigured S3 buckets to steal data; no need to launch an actual attack.

It’s time for organizations to take a step back and enhance cloud security, and the best way to do this is to put security at the core of cloud transformations, rather than embracing the technology first and asking security questions later. Here are four steps to correct the course and implement a security-centric cloud strategy:

  • Set a “North Star” — Develop an overall cloud strategy that documents the desired cloud security state and target state architecture. Then, use this “north star” to guide decisions on putting the right people, processes, and technologies in place to achieve this desired state of cloud security.
  • Establish Governance Processes — Just because a company implements its desired state of security when executing a cloud security plan doesn’t mean things will stay that way. If left unchecked and unmonitored, security will undoubtedly drift from the initial guardrails over time. This introduces security gaps and vulnerabilities that cybercriminals can exploit. To prevent this from happening, implement cloud governance and operating models that will help maintain the “north star” and continually extract value from the cloud. This governance model should draw on talent and input from across the entire organization, and not just the security function.
  • Build a Business Case — To support the IT strategy, a financial case should be built to show business leaders the benefits of cloud services and cloud security — specifically, how it will mitigate risk, improve efficiency, and reduce costs (saving the company from having to spend thousands of dollars to recover from an attack). As part of this return on investment (ROI) case, technology rationalization (reconciling duplicative or unneeded technologies and ensuring maximum use out of existing tools) will be key.
  • Build a Migration Plan — Once a strategy is set, a migration plan will enable the real world changes required to achieve the target state of cloud computing security.

Resolve Cloud Incompatibilities

For multi-cloud users, there is one other aspect of cloud security to consider. Most CSPs are separate businesses, and their services don’t work with other CSPs. So, rather than functioning like internet service providers (ISPs) — where one provider lets you access the entire internet, not just the sites that the ISP owns — CSPs operate in silos, with limited interoperability with their counterparts (e.g., AWS can’t manage Azure workloads, security, and services, and vice versa). This is problematic for customers because, once more than one cloud provider is added to the infrastructure, the efficacy in managing cloud operations and cloud security starts to diminish rapidly. Each time another CSP is added to an organization’s environment, their attack surface grows exponentially, unless secured appropriately.

It’s up to each company to take steps to become more secure in multi-cloud environments. In addition to developing and executing a strong security strategy, they also must consider using third-party applications and platforms such as cloud-native application protection platforms (CNAPPs), cloud security posture management (CSPM), infrastructure as code (IaC), and secrets management to provide the connective tissue between CSPs in hybrid or multi-cloud environments. Taking this vital step will increase security visibility, posture management, and operational efficiency to ensure the security and business results outlined at the start of the cloud security journey.

Security Takes Continuous Effort

It should be noted that a cloud security strategy — like any other form of security — needs to be a “living” plan. The threat landscape and business needs change so quickly that what is helpful today may not be helpful tomorrow. To stay in step with your organization’s desired state of security, periodically revisit cloud security strategies to understand if they are delivering the desired benefits and make adjustments when they are not.

Cloud computing has transformed organizations of all types. Adopting a strategy for securing this new environment will not only allow security to catch up to technology adoption, it will also dramatically improve the ROI of cloud computing.

Ed Lewis is Secure Cloud Transformation Leader at Optiv.

Leave a Reply

Your email address will not be published. Required fields are marked *