Seven security mistakes organisations make when adopting cloud
Wed 29 Apr 2020 | Roy White
The COVID-19 pandemic is forcing businesses to tackle a variety of sudden technical and organisational challenges. Some may need to scale up remote working capability, others may need to address demand spikes on critical applications. Some may even need to pivot their entire business.
The use of public cloud may well provide the capability to rapidly address these challenges, to help extend the current operational environment in a hybrid model or create an entirely new footprint within the cloud. While there certainly are benefits to accelerating the move to the cloud at this critical point, there are also many risks to be aware of.
An understanding of cloud best practices, especially regarding security and governance, should be at the forefront of any changes.
The following are common mistakes organisations make when adopting cloud:
Mistake #1: They approach security the same way they do for on-premises data centres
An on-premises environment is typically owned 100% by an organisation’s internal security team and protected by firewalls and perimeter-based solutions like IDS/IPS to form a trusted network. In a cloud environment, you cannot assume data will have a moat around it. Cloud service providers (CSPs) know this and purposely build their solutions with security in mind from the foundation, using a defense-in-depth model in which security is applied across multiple layers.
When moving to a public cloud, IT leaders should take time to review their entire IT architecture and carefully determine what workloads could most benefit from a move to the cloud.
Mistake #2: They don’t view security as a shared responsibility
When organisations move to the cloud, they often assume the CSP will handle all aspects of security. But moving to a cloud doesn’t absolve your organisation of security responsibilities, and accountability will always reside with the organisation. Security in the cloud is a shared responsibility, and all parties must play their part.
To keep data secure, an organisation must have the right capabilities in place to effectively manage risks. Capabilities are formed of people, processes and eventually tools. Cloud Governance policies and security processes need to be in place to provide an organisation with the guardrails it needs to operate effectively without putting the system at risk. Finally, tools should help support all of the above – providing detailed analytics on usage to prevent data risk and compliance violations, drive enforcement and quarantine if a violation occurs, and provide real-time threat intelligence.
Mistake #3: They don’t secure and restrict access to the cloud platform
Access control is a vital component of cloud security. Only the relevant people should have access to the cloud platform itself and should have only the level of rights needed to carry out their role. To maintain proper security, an enterprise should adopt a privileged access protocol.
In other words, identify all forms of access that are required to systems and data, and ensure that the controls applied meet the system requirements: from open access for public-website-type data, to authenticated access for internal users’ applications, to highly controlled privileged access accounts which may have access to the heart of your data and applications. Then, put processes in place to mitigate exposure and ensure only the right users can access cloud data and applications, including managing the full account life cycle from creation to deletion of accounts that are no longer needed.
Mistake #4: They don’t focus on the security of the entire supply chain
Threats from external supply sources come in many forms. For example, many organisations now use publicly available libraries on GitHub to develop applications faster. But, using code of unknown provenance, if not fully understood and verified, can lead to insecure applications.
While this issue isn’t restricted to organisations that use cloud, it is a growing challenge among enterprises. It’s not always easy to verify the security of the code you use, but doing so can ensure you don’t open your company up to security problems. Make sure whatever tools you utilise from an outside source – whether it’s code, hardware, software or something else – don’t introduce new security issues.
Mistake #5: They don’t work as a team
Today’s heightened threat environment requires everyone to take responsibility for security. Rather than work in a silo, an enterprise security team should collaborate with their CSP to develop an enterprise-wide security strategy. The support and external knowledge a CSP offers can help the enterprise keep abreast of the latest threats and help it address potential resource, skill or time shortages.
This shared responsibility model must also be applied within the organisation itself. Leadership teams should work with developer teams and other internal IT personnel to share security knowledge and responsibilities. This is especially important as more organisations utilise hybrid cloud models. A single security team is not enough to protect a combination of public cloud, private cloud, and on-premises IT environments.
Mistake #6: They don’t have the right skills
As we have established throughout this post, security in the cloud requires a very different approach to security running on a physical network. A different approach demands a different set of skills. Your traditional security team would be isolated, working on policies, configurations, and protocols separate from the rest of the IT team.
When you are in the cloud you need your security professionals to be able to deploy and manage cloud-native solutions with an understanding of the distribution and elasticity of cloud architectures. They also need to be integrated with your Development and Operations teams (DevSecOps) ensuring security is built into applications and infrastructure. This requires a technical skill set and awareness beyond just that of network security strategies and traditional security tools.
Mistake #7: They don’t balance speed with risk mitigation
This is particularly relevant in the current climate in response to COVID-19, where organisations are rapidly upscaling or adopting new tools and working practices. While this rapid change may be necessary, be wary that there will also be many more opportunistic bad actors trying to capitalise on businesses that are trying to overcome their current challenges.
At this time it is important to remind colleagues of security best practices and risk management. Crisis events are prime time for social engineering ploys like phishing emails that play off people’s fear and desire for more information.
The goal is to achieve the right balance of acting fast while not exposing your business to unnecessary risk.