Preventing cloud security problems: 5 non-technical tips for Leadership

Signal Hill Technologies
5 min read · Nov 10, 2021

Author: Steve Jones


Here at Signal Hill, we’ve encountered the good, the bad, and the ugly of transitioning legacy on-prem IT to the public cloud. Drawing on our many years’ involvement with customer cloud initiatives of various sizes, both private and government, I’d like to offer some high-level, (largely) non-technical advice, particularly to those in executive leadership positions. Regardless of your stage of cloud adoption, keeping these tips in mind can help reduce your risk of a cloud security disaster:

1. Define your goals for cloud and manage to those goals

It’s surprising to me how many organizations embark on disruptive efforts to migrate to the cloud without first defining a coherent goal that is articulated clearly to those responsible for making “cloud” happen. Yes, a well-executed cloud migration can lead to tremendous benefits:

  • Lower IT operational costs
  • Shorter development/deployment cycles
  • Reduced cybersecurity risks

But a poorly executed cloud migration can easily deliver the exact opposite of all three. It’s cliché but true: The cloud is not a destination. The benefits don’t magically accrue once you’re “there”; leadership needs to specify the objective(s) and continually manage to them. Competent technical teams will figure out the best way to meet a clearly defined (SMART) goal, but even the best will falter when there is ambiguity about why they are doing something. Define the goals, especially regarding security. You will likely reduce some cyber risks while introducing others. How will you measure these risks in context to know whether you are moving closer to your goals or farther away? Time invested here will reduce risks later.

2. Establish cloud-specific Security Architecture and governance structures

Deploying just about any IT to the cloud is super-fast and super-easy compared to the on-prem equivalent. This is of course good and bad. Organizations invite runaway risks when they knowingly or unknowingly allow assets into the cloud without first determining an architecture and governance structure that provides a defensible cloud environment to host those assets. What do I mean by this? Consider how your organization will:

  • identify and track valuable data and processes
  • manage identities and access
  • control connectivity to and from the Internet and your legacy on-prem assets
  • manage configuration changes within the environment
  • separate production and non-production assets
  • manage risk and compliance
  • perform security monitoring/alerting/response

Effective cloud security requires that these things are done well. Your organization may already be doing these things in your legacy on-prem environment (…right?), but how they’re being done isn’t likely to translate to the cloud. To build a defensible cloud environment, your teams will need to create and continually adjust architecture and governance that is specific to the cloud. This is a topic for another article, but keep in mind that security architecture isn’t something that you have, it’s something that you DO.

3. Start small and stay focused

The major cloud providers have a cornucopia of compelling service offerings that tempt decision-makers into going “all in” on cloud migrations. Yes, the capabilities are there and yes, the benefits are appealing. But proceed with caution. Don’t let your organization’s attack surface grow beyond your ability to see and defend it. Getting ahead of your skis can easily lead to “cloud sprawl”, and sprawl equals risk. Especially in large organizations, this can become a big security problem in a relatively short period of time. Be realistic about your organization’s limitations and focus on incremental cloud deployments that are most likely to bring you closer to your goals. Automation is key here; insisting that cloud teams treat infrastructure as code will help to limit the risks of sprawl.

This is not to say that relatively fast, “all-in” cloud transformations don’t happen in a way that improves security; but I would bet that any such success stories began with #4 and #5 below:

4. Be willing to abandon anything legacy

I caution clients against thinking of cloud technologies as an “additive” to their IT enterprise; you can’t “just add cloud” to what you’re already doing and expect benefits to appear. This is certainly the case with security. Before you can gain the benefits of doing something in a new way, you must stop doing it the old way. Many times, I’ve heard IT managers of legacy on-prem infrastructure refer dismissively to public cloud platforms, saying cloud is “just someone else’s computer”. Beware of this attitude; those who hold it are likely unaware of the capabilities and complexities underlying the steady release of new functionality from the major cloud providers.

By thinking of the cloud as just an extension of your data center and conducting IT business as usual, you are very likely increasing your level of cyber risk. Similarly, by clinging to legacy processes for IT procurement, IT operations, change management, risk remediation and security operations, you will miss out on the cloud’s inherent security benefits (as well as many others), and you will create dangerous blind spots for your security teams.

Moving to the cloud will stretch and bend parts of your organization. Failing to adapt means failing to benefit. Consider that many of the processes, technologies, and even some of the people you’ve long depended upon may not adapt to the required changes.

5. Hire cloud security experts and follow their advice

Let’s face it, cloud security is important, and it isn’t exactly easy. Recognize that even within a single cloud provider’s offering, there is an overwhelming array of services for storage, networking, compute, databases, content delivery, big data, AI/ML, etc. Even for people with solid IT backgrounds, the learning curves can be steep, and nobody can be an expert in all things cloud. Cloud security expertise requires lots of devotion, study, and hands-on experience, not just in virtual labs, but within production environments where security solutions must complement business processes, not hinder them. Your cloud team should include cloud-specific security expertise commensurate with the value of the assets you hope to protect. You probably wouldn’t leave your organization’s legal affairs up to someone without credentials or experience, yet some organizations assume incorrectly that cloud security risks don’t merit the cost of a certified, experienced cloud security professional.

But having an expert at the table isn’t enough. Like a good doctor or lawyer, a good cloud security expert’s advice is only as good as the degree to which it is followed; the recommendations might not always be convenient, but the value only comes from a commitment to act on them.

Signal Hill Technologies is a cybersecurity services firm based in Northern Virginia.