We discuss what to keep in mind about cybersecurity when moving to the cloud to ensure the process is as secure and smooth as possible.
Lift and shift. While this phrase is not new, it now regularly relates to moving infrastructure to the cloud. Providers promise seamless transitions as if you were moving a server from one rack to another right next door. While moving to the cloud can put companies in a more secure position, you must take proper care. Assuming everything is the same can be a costly mistake, one that is happening on a regular basis.
From a physical security perspective, moving infrastructure to the cloud will almost always be more secure. Large cloud providers place infrastructure in state-of-the-art data centers with top-of-the-line physical security measures.
Often, organizations do not have the budget, time or expertise to build their own on-premises data centers to these specifications. I have seen the full spectrum of data centers over the years (umbrellas over server racks to protect from a leaky roof, anyone?). Even the most advanced data centers we see on-premises do not match those of the large cloud providers.
What Hasn’t Changed About Cloud Cybersecurity
Requirements and basic control concepts have not changed as cloud infrastructure continues to proliferate. User access, change management, and firewalls are all still there. Control frameworks such as COBIT, ISO 27001, NIST CSF, and the CIS controls still apply and have great value. Sarbanes-Oxley controls are still a driver of security practices for public companies.
What Has Changed When Migrating to the Cloud
How those long-standing controls operate has changed with the transition to the cloud. Here are some common examples:
Security administration is more in-depth.
Admin rights, among the highest-risk access roles in an organization, are a main target of malicious actors. Handling admin rights in the cloud is different and requires due care. Knowing which roles are administrative in nature can be confusing, so it’s important to implement them correctly from the start. Separation of duties between key administration and key usage is essential.
Having the proper tools to administer access can be daunting. Don’t assume your cloud provider will guide you through all these intricacies. Plan ahead.
Perimeter security has changed.
While layered security has always been important, it becomes even more important in the cloud. Several news stories have reported breaches caused by things like “containers being exposed to the internet,” with a large cloud provider’s name attached. At first blush, most people I have heard blame the cloud provider, but most often, these breaches are the cloud customer’s fault. Some important items to think about are proper demilitarized zones (DMZs) for critical and regulated data, firewall configurations, and proper restriction of admin rights to those resources.
Securing connectivity becomes more important.
Servers and other hardware won’t be sitting down the hall when moving infrastructure to the cloud. Access will almost always be remote, thus creating new security challenges. Understanding all ingress and egress points is essential, as is putting proper controls around them.
Encrypting data will be a top concern for many organizations, as the data is now “somewhere else.” The good news is the native encryption tools of many large cloud providers are advanced, and most of the time, they can automatically encrypt data at rest using a strong algorithm.
This is a huge step up right off the bat for many companies. Because encryption is so important in the cloud, key management becomes a high-risk control. Policies, procedures and controls around key management need to be well-thought-out.
Fear not. It’s not all bad!
While some challenges may be present, as outlined above, moving to the cloud is most often a great move for an organization. Improved security, improved performance, and potential cost savings are only a few benefits of a cloud migration. Multiple frameworks exist to provide a secure path to cloud adoption, so organizations are not approaching this “blind.”
A cloud security framework can guide you through the process of secure adoption and also provide assurance over cloud adoptions you have already performed.