Sameer Malhotra is cofounder and CEO of TrueFort, a former Wall Street tech exec and an expert in IT infrastructure and cyber security.
Today’s enterprises have accepted that the cloud is here to stay. One study from Deloitte said 90% of organizations have been using cloud services for at least three years, and 79% are now hosting workloads with multiple cloud providers. This leaves security and risk management (SRM) professionals in a new world order where they face security challenges that are quite different from when all data was stored in on-premises data centers.
In the cloud, the service provider secures much of the infrastructure that an organization would otherwise manage itself on-premises. While an organization may not have network devices or physical hardware to protect in the cloud, everything else in the environment—processes running on virtual machines, data transmitted across the network between machines in your environment, etc.—needs to be secured.
Traditionally, when assets were on-premises, organization-managed physical devices handled all network traffic. In the cloud, however, networking and security teams have to adapt to new tools and feeds for managing traffic. SRM leaders need to ensure that their network teams learn a completely new way of operating.
Visibility Challenges In Cloud Security
Once in the cloud, network traffic will still look like network traffic, but staff will have to be trained and kept up to date on how to not only monitor activity but implement enforcement with a completely new set of tools. Some of these will be provided by the cloud service provider, and others will have to be deployed internally. Meanwhile, with the use of serverless computing functions in the cloud, security teams have less visibility into operating systems and hardware assets that they are accustomed to using in on-premises data centers.
Just like moving to a new country, security staff moving workloads to the cloud practically have to learn a new language. Where on-premises data centers usually have firewalls and defenses all from one vendor—with their own rules for blocking, ports and protocols—teams now have to take what the cloud vendors provide and learn the right tooling to implement the same policies in AWS, Azure, Google Cloud or whichever provider is on deck.
Configuration management is another significant challenge. On-premises systems can typically scan the environment—both public-facing and internal—to identify misconfigurations and vulnerabilities. In the cloud, visibility into AWS or Azure configurations, storage and access to the public internet is different. This marks a change in how security teams must implement policies to ensure they can secure assets in the cloud, including those that can and can’t be externally accessed.
Moving To The Cloud Securely
Before migrating to the cloud, it’s very important to make sure the entire planning process and architectural design include the security team. Bolting on defensive measures after the fact increases both the cost and complexity, which can be avoided by having that built into the plan from day one.
• Get a seat at the table. Make sure the cloud architecture team includes a security architect to ensure all decisions—such as whether to do a private cloud or what hypervisor type to have—are shared, explained and understood by the security team. Members of that security team will require different types of tooling and processes in the cloud, so it’s best to help them prepare ahead of the migration to smooth out the bumps along the way.
• Anticipate a hybrid environment. Plan to be in a hybrid cloud model for a number of years because you can’t migrate all at once. For many organizations, the migration to the cloud can be a 10-year journey. This will require ensuring the right tools are available to support both on-premises and cloud security for a period of time. The move may start with a series of applications that have been selected and then gradually migrated, but SRM can’t just forget about legacy on-premises servers and shift all efforts to security tools for the cloud.
• Seek visibility. Implement the right mix of tools to get the visibility needed to secure cloud infrastructure. Your vulnerability management program needs to adapt to the different tools in the cloud because it still falls on you to identify software vulnerabilities and misconfigurations that can leave the new network open to attack.
Ultimately, SRM leaders need to make sure their security teams are trained properly ahead of the cloud migration. In some cases, organizations will spin up a new cloud security team that includes a network expert and workload expert, while others retain their traditional structures and existing staff for securing both on-premises and cloud environments. Regardless of the team’s makeup, the most important consideration is to acquire in-house cloud security expertise prior to the migration.
With increasing numbers of workloads moving to the cloud, a PwC study found that 38% of C-suite technology and security executives expect their organizations will face more serious attacks targeting this vector. The only way to balance those two forces is to make security a top priority before migrating to the cloud.