Stepping into the Cloud Requires New IT Security Tactics
Adopting a strategy to embrace the cloud should include adequate plans to control and monitor the new environment.
As organizations chase advantages made possible through cloud transformation, it is possible they might tread in spaces their security protocols are not prepared for. Many executives and IT teams may be under pressure to advance cloud migration strategies, but such a push can leave some considerations overlooked.
Security measures that served on premise might not cover all the nuances of cloud computing, hybrid cloud, and multi-cloud environments — if they are not adapted for the cloud. Some industry players have a few perspectives on what to watch for and how to mitigate security exposure when making the migration.
The competitive advantages of the cloud include flexibility and potentially lower costs, yet there are new risks that also can come into play. The cloud is also a frontier for a growing number of threats, says Sash Sunkara, CEO and co-founder of RackWare, a provider of a hybrid cloud management platform. That makes security crucial as organizations adopt multi-cloud or hybrid strategies, she says.
IT shops may have issues if developers put sensitive business data in the public cloud without following proper protocols as they work. A focus on security is not intended to limit their usage of new technology, Sunkara says; however, there is a need to maintain control. “Shops today already have processes to harden [on-prem] applications to make sure they don’t have holes or become security threats,” she says. Adapting such security resources for the cloud can be part of the solution.
When old methods are not enough
There can be some confusion, however, as in-house IT teams work to secure hybrid and multi-cloud environments, says Tim Woods, vice president of technology alliances at network security management company FireMon. “About half the teams we interface with — traditional IT security, infrastructure, and firewall management team — are taking responsibility for the cloud,” he says.
Such teams usually collaborate with DevOps and application deployment teams as well as talk to customers they may not have dealt with before. The speed at which the businesses want to deploy to the cloud can surpass their teams’ ability to secure their environments. “Security teams are struggling to adapt to that,” Woods says.
Lost in translation
Though there might be ways to extend tools and security from on-prem to the cloud, he says some of those features might not translate neatly to the cloud. Such concerns become top of mind for CIOs and CEOs as they review strategic technology initiatives. “They go through this process of needing to quantify their return on security investments for all the different tools they have,” Woods says. That means determining which tools bring value in achieving goals and which ones need to be replaced.
The need to identify and close vulnerabilities is exacerbated by a talent pool shortage in cloud expertise and security, Woods says. Engineers are trying to update their tools and skillsets to meet this demand, but many companies are still on the hunt for such talent. “Some companies are just looking for one or two really good people to train the rest of the team,” he says.
Putting the IT house in order
Establishing order is essential, Woods says, because of the potential for uncoordinated cloud sprawl, particularly in multi-cloud environments. This can include bloated, duplicate rules for firewalls that are introduced along the way. As the complexity of environments increases, if there is a fragmentation of responsibilities and a lack of consistency in following a centralized security policy, the probability of human error escalates as well. Security vendors are creating blueprints, Woods says, that organizations can follow to help establish best practices.
Sunkara says RackWare can create templates based on the security that surrounds on-prem applications that can be used in the cloud. It is a way to extend the comfort of security protocols established within the organization beyond their data centers to the cloud. That means making sure there are hardened images, encryption, and rules on who gets access to what and where. This should include an audit trail that tracks usage to better identify and resolve threats.
Enterprises may have IT protocols and multilayered security strategies in place on premise. That should not change in the cloud, Sunkara says. “It really should be an extension of what they do today,” she says. “You should have the same type of control and processes.”
Simply adopting the security practices of a cloud provider, and assuming those practices will meet all needs, can leave an organization at risk of exposure, which can lead to regrettable consequences. “Once you’re hit, it’s definitely hard to go back,” Sunkara says.
Assessing the weaknesses
It may be worthwhile for an organization to conduct a bit of security “triage” to better fight threats, says Todd Matters, chief architect and co-founder of RackWare. One of the more insidious security threats faced in the cloud is ransomware, he says. “It’s not just about intrusion and stealing your data,” Matters says. “It’s actually about kidnapping your data.”
A triage process can help enterprises better understand what the most sensitive applications will be in a hybrid cloud environment as well as any inherent vulnerabilities in those applications. There are ways to build robust cloud security from existing security infrastructure, he says. Most data centers have already established communication networks and security mechanisms within an organization, he says. That can be applied, with some work, to the hybrid cloud. “We’re really not starting from scratch,” he says.