To say that cloud computing is hot is old news. A majority of organizations have either migrated or are considering migrating their core computational and storage workloads to the public cloud. Gartner predicted that the cloud market was expected to grow by 17.5% in 2019 and exponentially for the next 3 years.
Some have yet to migrate or are thinking about migrating but are hesitant to make the decision. Their major concern lies in the fear of the “unknown” and a perception that the Cloud is generally not secure. Let’s address these concerns by discussing three key points in an order that will help shape your decision:
- Cloud Responsibility
- Cloud Breaches
- Cloud Adoption provides Resilience
Cloud Responsibility
Since AWS has been the leader in the industry, let’s take a moment to understand their Shared Model in regards to cloud security. The AWS Shared Model outlines the roles and responsibilities in a way that is easy to follow and implement. While AWS is responsible for “Security of the Cloud,” such as protecting the infrastructure, it is the customer’s job to make sure that “Security in the Cloud” is achieved by managing data, classifying assets, and applying appropriate rules and permissions for configurations of the application layer and the software-defined network topology. AWS’s infrastructure security measures simplify your life – removing the “undifferentiated heavy lifting” aspects of security, which is common for everyone and shouldn’t be part of your company’s “secret sauce.” This doesn’t, however, absolve you from your responsibility for thinking through, configuring, and implementing core security practices appropriate for your implementations.
Cloud Breaches
Let’s look at some of the high profile cloud breaches that have occured as of late. The recent Orvibo breach where passwords and password reset information for home security systems were left out in the open comes to mind. Because of the interoperability of the cloud, with one switch you can leave a great deal of your infrastructure open to the public. A 3rd party vendor working for Verizon committed a configuration blunder on an AWS S3 bucket, which exposed names, addresses, account details, and pin numbers of millions of US-based Verizon customers.
But was this really a cloud shortcoming? No, it was a result of a weak 3rd party program. Other cases at Target, Home Depot and Apple iCloud also received a lot of media scrutiny. However, most of these breaches were a result of human error and/or weakness in the process, not shortcomings in the cloud. For example, in the case of Target and Home Depot, hackers were only able to get ahold of personal information by bypassing the cloud infrastructure via third-party vendors. The data in the cloud was simply still too secure. In a nutshell, we need to understand that security issues outside the cloud (like with third-party vendors) are similar to those within the cloud and include well-known challenges like 3rd Party Risk, Data Governance, etc.
Cloud Breaches
Cloud adoption is one of the most significant technological shifts that your organization will face, but there must be a reason why a majority of the most innovative companies are going down that path. They treat this choice not as an option, but a mandate. Minimum Viable Cloud (MVC) is a great starting point for your first production cloud as it treats the whole platform as a piece of software. Most of the big CSPs (Cloud Service Providers) provide this utility through automation programming.
Hence, the new mantra for quick and scalable adoption is “infrastructure is deployed as code”. It means to provision and manage IT infrastructure through the use of source code rather than through standard operating procedures and manual processes. What’s the benefit of that? Well, with the ever-improving toolset you are now able to manage configurations more quickly and deploy infrastructure components efficiently, consistently, and in a repeatable fashion. This approach helps architect, build, and operate large-scale systems that are resilient in nature, even while taking advantage of scalability, flexibility and increased agility.
Companies like Netflix have pioneered this approach; they release thousands of lines of code a day and, though you may not be ready for that pace, plan for change and how to learn from errors and failure. The cloud helps facilitate this, but developing good processes to enable these methods is paramount. A dedicated cloud security program keeps these early implementations for descending into chaos.
An Effective Cloud Security Program
Instead of relying purely on conventional security methods, cloud security programs need to be developed so that they cater to (a) Business needs for cloud adoption, (b) Shared-responsibility models, and (c) Compliance requirements. A Cloud Security Operating Model can achieve this while demonstrating a way to optimize the organizational and current security processes for cloud adoption, and while helping them work together to secure the benefits of the cloud. These models typically includes elements like:
A) Cloud Security Strategy
- Why do we need a new Cloud Security Program?
- What are the Key Goals?
- Understanding Cloud Ecosystems & the Regulatory Landscape
B) Cloud Security Governance
- Strategic Alignment
- Key Stakeholders Identification
- Resource Allocation
- Metrics
C) Key Services and Processes
- Cloud Risk Management
- Cloud Controls Management
- Data Governance
- Training and Cloud Awareness
An Effective Cloud Security Program
By Biljana Cern
By infoedge