An increasing number of organisations are migrating to cloud services as part of their digital transformation, attracted to models such as IaaS, PaaS and SaaS by the agility, flexibility, scalability and potential cost efficiency they offer. But there’s one area that is often forgotten: security.
Security deserves to be given a prominent role in the transformation process, but it often tends to be left on the sidelines. Some organisations assume that security is the sole responsibility of their cloud service provider (CSP), perhaps because they’re not aware of the shared responsibility model.
Others believe on-premise security practices and security controls can be directly mapped to their cloud workloads, irrespective of how they might have been modified en route to the cloud. Another challenge is the fact that the security team doesn’t always have visibility of what’s being deployed in the cloud. If they don’t know what’s there, how can they secure it?
This all helps to create confusion around how to best secure the cloud. Who is responsible? What levels of security are already provided, and where does security need to be augmented? How does the chosen cloud model affect these lines of responsibility?
A complex environment
Security in a hybrid cloud environment is even more problematic. Organisations have been securing their datacentres for years, implementing a variety of different solutions and ensuring they follow security best practice. For hybrid cloud environments, however, it is questionable whether there’s a one-size-fits-all solution that maintains the right levels of control for both on-premise and in the cloud. This is a challenge that a lot of organisations are facing today.
In fact, the security requirements of on-premise and in the cloud are different, so it’s important to treat them separately when applications and workloads are migrated. However, this ‘two speed’ security strategy can leave the cloud vulnerable if it’s not a joined up approach.
As an organisation’s cloud infrastructure and assets are directly accessible over the internet, it’s a vulnerable attack surface through which malicious actors can attempt to gain access, potentially exposing the datacentre too. This is why it’s imperative that the level of security in the cloud is the same as in the datacentre – or even higher, given the increased visibility and accessibility of cloud services.
Managing the multi-cloud
Today, many organisations – and many departments within them – use a range of different cloud providers. This could be in order to benefit from best-in-breed services, or to prevent vendor lock-in or cloud provider outage. It might even be due to local geo-political considerations. Where there is no defined cloud strategy, however – especially if IT is not directly involved – the result can sometimes be an unmanaged and ungoverned cloud deployment. This will likely involve different management tools, different training requirements and a diverse way of securing the cloud solutions too.
To combat this complexity, an organisation needs to establish a clear cloud strategy, which includes proper rules and governance around how, when and why cloud service providers are chosen.
You need to monitor your cloud
Any security strategy which encompasses cloud, whether hybrid cloud or multi-cloud, needs to include monitoring.
Workloads can be deployed at pace both within and across cloud service providers and, from an operational and security point of view, it can be a real challenge to maintain and manage them on a daily basis. Restricting deployments will risk preventing organisations from achieving the full benefits of cloud, however. So it is vital that organisations monitor their cloud deployments from a workload perspective, ensuring security alerts and incidents have visibility and, if applicable, monitoring regulatory compliance levels too. Only once you achieve visibility of your cloud infrastructure can you begin to safeguard its assets and workloads.
Automate to optimise security
Automation is the key to realising the consistent levels of security across both on-premise and cloud environments, while also enabling the business to meet its objectives around time saving, agility, scalability and cost effectiveness, in this vastly changing ecosystem.
Unfortunately, all too often traditional security is seen as a cumbersome and not considered part of the automation pipeline. While infrastructure and applications are becoming highly automated, using tools like Terraform, this Infrastructure as Code methodology can often ignore security configurations and controls. However, by building security into an automation strategy – as part of the ‘shift left’ paradigm, rather than being ‘bolted on’ – security can be an integral part of the application lifecycle, rather than an unwanted constraint.
Remove security as a barrier
Security has been one of the main reasons organisations have chosen not to migrate to the cloud. If good practices are put in place, however, it should no longer be a barrier.
Organisations must first determine why they want to move to the cloud, and identify the technical and business drivers for the change. They then need to define a cloud strategy which encompasses every part of the business, from development to security, from legal to operations.
Finally, a joined up, cohesive approach is imperative: if every department goes its own way, there’s no way of knowing if the cloud services being used are in conflict with other services deployed across the organisation, at odds with the technical constraints of the business, or – more seriously – whether they’re undermining the corporate strategy.
The scalability and flexibility offered by the cloud provides great opportunities for organisations to accomplish their business goals. In this new app-centric world, the rate of change needs to be reflected across all aspects of IT, whether that’s development, infrastructure or security. Cloud plays a vital part in achieving this. However, as outlined, this brings extra responsibilities to an organisation, and anxiety to those cybersecurity professionals required to secure it.
A security strategy first approach is key to making sure security moulds to this new cloud environment and, crucially, grows as an organisation’s infrastructure grows, whether that’s on-premise or in the cloud.
Application and Cloud Security Practice Lead (UK) at NTT Security