Even before the events of 2020 applied a new set of pressures to businesses around the world, cloud adoption was expanding rapidly. Organizations increasingly sought the flexible pay-as-you-go cost models that the cloud offers, along with the business agility that the cloud’s scalability supports.
But the COVID-19 crisis greatly accelerated these trends. Cloud spending grew by 37% to $29 billion during the first quarter of 2020 alone, and it’s anticipated that as many as 55% of enterprise workloads will be in the public cloud by the end of 2021. Nonetheless, cloud security remains a significant challenge for IT decision-makers, many of whom are struggling to recruit talent with scarce and highly sought-after expertise in cloud security and governance.
Make no mistake about it: security is different in the cloud. Maintaining the same level of visibility and control as you had in your on-premises environment requires new strategies, strong communication, and well-documented standards and governance procedures.
For organizations whose journey to the cloud was rushed — whether because of 2020’s remote work imperative or simply due to a desire to rapidly reduce costs — it’s very worthwhile to take a step back and carefully think through your cloud security strategy to ensure that you understand the risks involved and how best to mitigate them.
Managing cloud security risks
If your organization only recently began its migration to the cloud, it’s likely that your IT team has far more experience managing traditional on-premises deployments than working in cloud environments. And even organizations that have long relied on some cloud resources, such as a handful of siloed Software-as-a-Service (SaaS) applications, may still struggle to enforce consistent standards when building out more complex hybrid or multi-cloud architectures. In the face of these challenges, cloud service misconfigurations are all too common: in a recent survey of cloud security and engineering professionals, 73% of respondents reported experiencing an average of more than ten such incidents on a daily basis.
The solution: get proper training for your team. Alternatively, you can lean on third-party consultants with the requisite expertise to aid and guide your deployment.
Another key difference between cloud and on-premises environments is that identity and access management (IAM) plays a much larger and more critical role in cloud security than it did in the legacy data center. But IAM is a complex arena that demands investment and a holistic approach.
The solution: you must have a strong IAM strategy if you are to effectively secure your cloud ecosystem. This requires a plan, employee training, resources and consistent follow-through.
Finally, migrating workloads to the cloud means accepting different degrees of dependence upon your cloud provider and new levels of supply chain risk. While the “shared responsibility” model for cloud security does relieve you of the burden of securing the hardware, physical data center facilities and virtualization layer through which resources are delivered, it also necessitates that you confirm that your vendor meets or exceeds industry standards and adheres to best practices.
The solution: particularly when relying upon SaaS apps from smaller vendors or Tier 2 or Tier 3 cloud solution providers, it’s important to ask a lot of questions. Review all contracts and other documentation carefully to be sure that you understand exactly what the vendor’s legal obligations and commitments are.
Planning your cloud security strategy
Developing, implementing and maintaining an effective information security program for your cloud or hybrid IT ecosystem requires buy-in from stakeholders across the business. Cloud and IT teams need to recognize the risks involved in moving to the cloud, as well as the potential consequences of making a mistake. They also need a nuanced understanding of the organization’s compliance requirements and contractual obligations. Business and product teams need to consider the importance of balancing the cloud’s advantages — speed-to-market and cost savings — with the potential consequences of moving too fast.
Across the whole organization, good communication is critical. Holding regular advisory board meetings can help ensure that everyone is on the same page.
The three key imperatives that your conversations should address are:
1.) Control: How can your organization set and maintain consistent standards across all of your on-premises and cloud resources? What kinds of documentation and processes do you need to put in place? And how can you ensure that configurations remain consistent even as the environment changes over time?
2.) Visibility: How will your team know what cloud resources you have at all times? How will you ensure that you know what activities are taking place there? Real-time security monitoring is essential for maintaining ongoing visibility.
3.) Vendor relationship management: How will you ensure that cloud providers are living up to their responsibilities? When SaaS applications are updated, will the vendor do the necessary upkeep, or will you need to take action?
It is certainly possible to maintain the same level of control and visibility in the cloud that you had with an on-premises infrastructure, but achieving this aim demands care and forethought.