Until recently, most cloud migration decisions were made without the benefit of the CISO's guidance.
In an effort to take advantage of cloud efficiencies, line-of-business users have moved critical assets and confidential data to the cloud without understanding the associated security implications. With the ever-growing number of attacks targeting cloud environments, however, organizations are now realizing that they need to reconsider security and risk in cloud and hybrid IT environments. The following is a list of questions and considerations that an organization should take into account in order to ensure a successful and secure migration to the cloud.
1) Evaluate the justification for moving to the cloud
What is the justification behind the existing hybrid IT environment? In many cases, the cost savings and agility of the cloud prove a strong motivator for certain applications. Whatever the reason, make sure that C-level executives understand and accept the risks that accompany the advantages and cost savings the cloud affords, especially when it comes to policy, training, and third parties. A risk that is accepted explicitly, with its trade-off recorded, is manageable; one that is accepted by default because nobody asked is not.
2) Understand the risks and threats associated with cloud adoption and implementation
Understanding the significant new attack vectors of cloud computing is the first step in protecting against them. Approaching cloud security from a risk modeling perspective arms organizations with a strategic methodology for designing an effective security practice around their cloud implementations. In order to define the necessary security parameters, treat each component of the cloud implementation as a potential avenue for attack by asking the following three questions:
- What are the threats? (Who could attack this component, and how?)
- What is the exposure? (What data, assets, or business processes are reachable if the component is compromised?)
- What is the threshold of risk? (How much of that exposure is the organization willing to accept before a control is required?)
Next, apply these questions to each component of the cloud risk model:
- Interface Risks – These are risks associated with the functional interfaces (APIs, management consoles, and integration points) between your environment, the cloud provider's servers, and its datacenters. Review the history, documented vulnerabilities, and consumer responsibilities of cloud providers and their partners; under a shared-responsibility model, part of the interface is always yours to secure.
- Vendor Insider Risks – Understand the level of risk involved should an insider at the cloud provider wish to do damage or steal valuable data or assets, and what the provider's controls and contractual commitments do to limit that access.
- Corporate Insider – The easiest method of accessing internal data is being on the inside. Determine the level of risk associated with insider access to information and assets, bearing in mind that cloud-hosted data is typically reachable from anywhere an insider's credentials are accepted, not only from the corporate network.
- Control Gaps – Not every device or measure that protects the on-premises network has an equivalent in the cloud. Identify which controls are lost in the migration and what, if anything, replaces them.
3) Revisit Policies and Data Classification
Once the risks and threats associated with the cloud are determined, and especially in those situations where a cloud migration has already occurred, organizations should revisit the policies and procedures that accompanied that effort. Confidential data that was once stored on-premises is now hosted in and accessible via the cloud, and new security policies may be needed to ensure its protection. Additionally, for those organizations where cloud migration of various applications was managed by "shadow IT" groups, it is vital to understand where critical assets are being stored, how they are being protected, and any associated compliance risks.
4) Retrain employees
In most cases, cloud adoption and hybrid IT environments require a new mindset from an organization's employees. When employees have more power to access data in the cloud, they need heightened security awareness. Two-factor authentication is the gold standard for cloud and hybrid IT environments, but employees must be trained about its importance to overall security, especially when they are accustomed to single-factor logins. Vendors, business partners, and third parties may require training as well. Additionally, it may be necessary to ensure that third parties' own migrations to the cloud do not introduce new risk.
At the end of the day, a security breach is still a security breach, regardless of whether it originates in a cloud environment or in a traditional IT environment. Flexibility, speed and go-to-market appeal are all attractive advantages of hybrid IT, but organizations must adopt a defined security strategy that accounts for cloud and on-premises assets.
Even if shadow IT or hasty deployments have put some data at risk, it is never too late to reassess and make strategic and thoughtful changes. Understanding the risks associated with cloud environments and adopting a risk model perspective are critical in designing an effective cloud security practice. Data classification, risk assessment, policy, and architecture design can all enhance the protection of critical data in the cloud and keep an organization's business running with confidence. The same principles of sound security still apply, whether on premises, in the cloud, or both.