Nearly every organization has moved, or is looking to move, IT components to the cloud. In many cases the decision is driven by real benefits, such as quicker or more standardized implementation of technologies and applications. Ensuring the security of cloud services can be tricky, though, and may require more, and different, thinking than securing a traditional data center.
Faster and More Agile
Putting aside cost reduction, which is often the leading reason for organizations to consider moving to cloud services, another popular driver is the speed and ease of implementing new systems. Standing up a new server, application, or even an entire network of systems may be only a matter of a few clicks of the mouse. For many CIOs the temptation for IT teams to be "agile" like their application development colleagues can be overwhelming, if not mandated. As is true in many other aspects of life, with speed comes risk.
More traditional security procedures such as "tollgate" vulnerability scanning and source code reviews can struggle to keep up with the ability to provision cloud systems quickly and almost effortlessly. As a result, some cloud providers offer tools and integrations to help organizations ensure that cloud components are being assessed for vulnerabilities. For example, Microsoft's Azure Security Center (since renamed Microsoft Defender for Cloud) can detect virtual machines that do not have a vulnerability scanning solution installed. Assuming IT and security teams are already monitoring for new instances being created in the Azure environment, which is a separate requirement of proper cloud management in its own right, they can use Azure's built-in integrations to set up vulnerability scanning with vendors such as Qualys and Rapid7. The detection only helps if someone acts on it: a VM that is flagged as unscanned and then left that way is no better off than one that was never checked.
The first takeaway from this is to ensure that your IT and security teams have governance over (monitoring of, or approval for) any new component being created in the cloud, much as they should already have for new systems in a traditional production environment. For organizations that are moving to the cloud for cost reduction or containment reasons, this "proactive auditing" is also instrumental in containing the costs associated with new virtual machine instances and their software licensing.
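The two checks described above, watching for new instances and finding machines without a scanner, are simple enough to automate. The following is an added example written for this article; it is not code from the original page or from Microsoft. It runs two checks over constructed sample data: Activity Log records shaped like an Azure Monitor JSON export (trimmed to the fields used here), and a VM inventory with its installed extensions. The subscription id, resource names, callers, and the assumption that a scanner is present whenever an extension from the listed publishers is installed are all constructed for the example; confirm the operation name and extension details against a real export from your own tenant before relying on the filter.

```python
"""Governance checks over Azure VM activity and inventory (added example).

1. new_vm_creations: flag successful VM write operations whose target is
   not in the approved inventory (i.e. a newly created machine) and note
   whether the caller is an approved provisioning identity.
2. vms_without_scanner: report inventory VMs with no vulnerability-scanner
   extension installed.
"""

# Operation name Azure records in the Activity Log for a VM create/update.
# Verify against your own tenant's log export.
VM_WRITE_OP = "Microsoft.Compute/virtualMachines/write"

# Assumed extension publisher names that indicate a scanner agent is
# installed; adjust to the scanners your organization actually uses.
SCANNER_PUBLISHERS = {"qualys", "rapid7"}

SUBSCRIPTION = "11111111-1111-1111-1111-111111111111"  # constructed


def vm_id(name):
    """Build the resource id of a VM in the constructed sample subscription."""
    return (f"/subscriptions/{SUBSCRIPTION}/resourceGroups/rg-app/providers/"
            f"Microsoft.Compute/virtualMachines/{name}")


# Constructed Activity Log records. A VM create shows up as a "Started"
# record followed by a "Succeeded" record for the same resource id.
SAMPLE_ACTIVITY_LOG = [
    {"eventTimestamp": "2024-03-01T09:10:11Z", "operationName": VM_WRITE_OP,
     "status": "Started", "caller": "alice@example.com",
     "resourceId": vm_id("vm-web-02")},
    {"eventTimestamp": "2024-03-01T09:10:40Z", "operationName": VM_WRITE_OP,
     "status": "Succeeded", "caller": "alice@example.com",
     "resourceId": vm_id("vm-web-02")},
    # Write to an existing, approved VM (configuration update, not a create).
    {"eventTimestamp": "2024-03-01T10:00:00Z", "operationName": VM_WRITE_OP,
     "status": "Succeeded", "caller": "svc-terraform@example.com",
     "resourceId": vm_id("vm-web-01")},
    # Unrelated operation on another VM; must be ignored.
    {"eventTimestamp": "2024-03-01T11:00:00Z",
     "operationName": "Microsoft.Compute/virtualMachines/restart/action",
     "status": "Succeeded", "caller": "bob@example.com",
     "resourceId": vm_id("vm-db-01")},
]

# Constructed approved inventory (before the events above) and the identities
# allowed to provision machines, e.g. a pipeline service principal.
APPROVED_VM_IDS = {vm_id("vm-web-01").lower(), vm_id("vm-db-01").lower()}
APPROVED_PROVISIONERS = {"svc-terraform@example.com"}

# Constructed inventory snapshot taken after the events, with extensions.
SAMPLE_INVENTORY = [
    {"name": "vm-web-01", "id": vm_id("vm-web-01"),
     "extensions": [{"publisher": "Qualys", "type": "LinuxAgent.AzureSecurityCenter"}]},
    {"name": "vm-db-01", "id": vm_id("vm-db-01"),
     "extensions": [{"publisher": "Microsoft.Azure.Monitor", "type": "AzureMonitorLinuxAgent"}]},
    {"name": "vm-web-02", "id": vm_id("vm-web-02"), "extensions": []},
]


def new_vm_creations(events, approved_vm_ids, approved_provisioners):
    """Return one finding per VM that was successfully written but is not in
    the approved inventory. Resource ids are compared case-insensitively,
    as Azure treats them that way."""
    findings, seen = [], set()
    for ev in events:
        if ev["operationName"] != VM_WRITE_OP or ev["status"] != "Succeeded":
            continue
        rid = ev["resourceId"].lower()
        if rid in approved_vm_ids or rid in seen:
            continue
        seen.add(rid)
        findings.append({
            "resourceId": ev["resourceId"],
            "caller": ev["caller"],
            "timestamp": ev["eventTimestamp"],
            "callerApproved": ev["caller"] in approved_provisioners,
        })
    return findings


def vms_without_scanner(inventory):
    """Return sorted names of VMs that have no scanner extension installed."""
    missing = []
    for vm in inventory:
        publishers = {e.get("publisher", "").lower() for e in vm.get("extensions", [])}
        if not publishers & SCANNER_PUBLISHERS:
            missing.append(vm["name"])
    return sorted(missing)


if __name__ == "__main__":
    for f in new_vm_creations(SAMPLE_ACTIVITY_LOG, APPROVED_VM_IDS, APPROVED_PROVISIONERS):
        flag = "" if f["callerApproved"] else " (caller not an approved provisioner)"
        print(f"NEW VM {f['resourceId']} by {f['caller']} at {f['timestamp']}{flag}")
    for name in vms_without_scanner(SAMPLE_INVENTORY):
        print(f"NO SCANNER on {name}")
```

On the sample data the first check reports vm-web-02, created by a user outside the approved provisioning identities, and the second reports vm-db-01 and vm-web-02 as unscanned. In practice the two results feed different queues: the first is an approval or change-management exception, the second is a remediation ticket to install the scanner.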
The second takeaway is to evaluate and plan your cloud environments with new security functionality (or integrations) in mind. Do not assume that every cloud environment will easily work or integrate with your existing security tools, many of which may be tailored to on-premises systems or private data centers. Evaluate, and be financially and operationally prepared for, the possibility of augmenting or replacing some of your existing security tools or procedures. Be open to tools offered by the cloud provider that, even if they are not the brand name you would prefer, may be better integrated into the provider's provisioning and monitoring process.
A Watchful Eye
In addition to ensuring the right technologies are in place to help secure a cloud environment, there is also a need to make sure appropriate roles and responsibilities are defined, and monitored, between a customer and their cloud provider. This may seem trivial, even elementary, but it is not uncommon to hear customers reflect that the success or failure of their cloud experience came down to proper management of expectations.
In the past it was not unusual to attempt to defer or transfer liability, especially in critical areas like security, to the cloud provider as part of the service agreement. While in a legal sense this may still be standard practice, the "court of public opinion" has already shown that both parties, the customer and the cloud provider, are likely to be held accountable for breaches or security incidents. It is imperative to spend considerable time and attention understanding and negotiating the agreed-upon services and obligations of both parties so that nothing is left uncertain.
When establishing an agreement for cloud services, make sure that all the tasks and responsibilities normally handled by internal employees are identified and assigned to either your organization or the cloud provider. This should include, but not necessarily be limited to, patch management, performance and security event monitoring, the authorization process for system changes and provisioning, event log retention, architectural and configuration approvals and health checks, and user provisioning and access reviews.
Not only should responsibilities be clearly defined and assigned between the two parties, but customers should make sure the cloud provider understands any specific expectations the customer has for how those duties must be performed. Cloud providers are typically well aware of, and versed in, security regulations, standards, and industry-accepted practices. However, do not assume that the cloud provider will interpret or implement controls supporting those regulations and standards with the same perspective or sense of importance that the customer has.
A prime example is a cloud provider's policies around log handling and retention. Many customers may be satisfied with the cloud provider deciding how, and for how long, system log data is retained. A customer in a highly regulated industry such as financial services or healthcare, though, may have specific obligations set by regulators or oversight bodies regarding log data. Those obligations should be written into the agreement as concrete requirements (retention period, who may alter or delete logs, and how the customer obtains copies for its own investigations) rather than left to the provider's defaults.
Cloud services can be beneficial for a variety of reasons, including more efficient IT implementation, faster IT tooling and growth, and even greater security capabilities. The key to ensuring that the benefits of cloud outweigh the challenges is to understand and invest in the right security tools and features to support cloud services, to clearly define what the provider is and is not responsible for, and to regularly monitor and audit the provider's performance against those responsibilities.