The chances are your organisation is adopting cloud computing in one way or another. Moving to the cloud can help you accelerate IT delivery, realize immediate productivity and financial efficiencies, and ultimately, drive business agility. But it can also open up the attack surface, leaving the entire organisation exposed to security threats.
The adoption of cloud services is continuing its rapid upward trend, and the market is expected to rise 18 per cent this year to $246.8 billion. Networks are becoming more and more complex as the modern IT infrastructure adopts private and public cloud platforms to make better use of an array of cloud services.
Yet public and private cloud services can present many challenges to chief information security officers (CISO) as they struggle to keep up with ever-evolving technologies and enrol multiple vendors to cater to different departmental needs – all in addition to the associated security risks against their businesses. Security leaders are aware that achieving business objectives depends on adopting security best practice across all levels of IT, including the cloud.
However, one of the problems is that some cloud services are being used without the knowledge of the IT department, bypassing security policies, and therefore the reach of enterprise security – otherwise known as Shadow IT. In fact, Gartner has predicted that by 2021, 27 per cent of all corporate data traffic will bypass perimeter security (up from 10 per cent today) and flow directly from mobile and portable devices to the cloud. This causes untold sleepless nights for CISOs and makes their job of managing and securing the use of rapidly multiplying cloud services across an entire, and often global organisation, a continuing battle. And to make things more complicated from a security point of view, many CISOs lack a single pane of glass view into their networks through which they can see and address risks.
With security now top of the agenda for organisations of all sizes, here we consider the primary challenges that CISOs need to address in order to close the security gaps that exist as they move to the cloud.
While most enterprises have already adopted private, public cloud, and hybrid network technologies, one of the biggest resulting challenges for CISOs is that cloud environments are dynamic, with limited visibility. That lack of visibility is likely the result of ownership over virtual infrastructure in public clouds now being held by central enterprise IT teams. With the inclusion of the public cloud, networks are increasingly large, fluid in change, and complex, and so are the security policies needed to manage across multiple platforms and technologies.
With this in mind, it is no surprise that surveys consistently show that cloud security is an on-going struggle for IT security professionals, with many organisations reporting that it is difficult to get the same level of visibility into cloud-based workloads as they have on their physical network. Good data governance is key, and CISOs need to know where information is being shared and stored, and what cloud services the company might be using. One department might be daily users of Dropbox, for example, and another department might prefer to communicate and share files using collaborative tools such as Slack. Regardless of who is collecting the data, the points of data aggregation and storage need to be well documented and protected given the impending requirements, and penalties of non-compliance, with GDPR.
More often than not, enterprises decide to migrate their on-premises systems over time – a kind of ‘dipping a toe’ approach to public cloud platform adoption. Alternatively, they may also take to migrating to a private cloud (or hybrid network), to maintain a higher degree of control. Regardless of their choice between the public or private cloud – or some cases, both – the problem is that cloud migration adds to the complexity of the network and inhibits visibility across the network when introducing new vendors that bring with them increasing east-west traffic. To seamlessly map and consolidate the management of these platforms to avoid business disruption, enterprises must enrol the help of network security policy management across the corporate network to ensure visibility and consolidate the management of multiple tools.
Without visibility, it’s impossible for CISOs to enforce consistent policies and mitigate risks. Traditional security tools, like firewalls and intrusion detection systems, work effectively within an organisation’s four walls, but continuous manageability becomes difficult when it comes to adding additional tool providers necessary for the cloud. With a centralised view and management over a network through a single console, organisations can overcome the lack of visibility often associated with cloud adoption and simplify the management of security policies across multiple tools, mitigating risk and ensuring compliance across the entire enterprise.
Visibility also benefits from creating a risk ranking of the cloud services in use. This should include an assessment of whether a particular service has been breached recently, whether they encrypt data in transit and if their system has been patched or configured to address high profile threats like the infamous Heartbleed, WannaCry, or ExPetr, for example.
As part of the process of moving data from a company’s internal system to the cloud, organisations are forced to examine closely how that data will be kept so that they remain compliant with laws and industry regulations. This raises a whole range of questions for security professionals. Where will our data be stored? Who is looking after it? Who will be able to see it and can we control that access? How secure is that cloud platform? Have we ensured that our deployments have been effectively and securely configured?
The type of data organisations is storing could be anything from intellectual property, to payment information, to personal data. Each data type has regulatory requirements to comply with. For example, the payment card industry data security standard (PCI-DSS) is a proprietary information security standard for organisations that handle card data, and the upcoming General Data Protection Regulation (GDPR) is the new legal framework in the EU covering personal data.
Data must be classified and organisations must understand what data is allocated to the cloud, and what may require a higher degree of storing in-house. Organisations must also know how – and where – data is being protected and backed up.
The complex IT environment that CISOs have to contend with today includes multiple endpoints subject to the fluctuations brought on by a wide range of mobile devices and desktops. End users are choosing multiple cloud vendors, but many of the features that make cloud-based applications so attractive, such as sync, share, and ease of collaboration, are the very things that put corporations at risk when it comes to cloud usage.
Securing hybrid environments requires CISOs to gain control of their security configurations in the cloud. Best practice revolves around developing a unified security policy with a detailed snapshot of the entire network, defining what type of data is in use and prescribing the appropriate measures for each type. When enterprises can quickly and accurately apply a policy – regardless of the environment – control and business agility is gained.
Finally, organisations need to control who has access to specific data sets. This means that as people come in and out of an enterprise, revoking access credentials is very important for former employees. The danger is that when people leave, they still have access to information stored through cloud providers.
Organisations need a seamless way to bring infrastructure, people, and processes together – a “single pane of glass” that can manage security policies and configuration across the whole network. With cloud infrastructure now increasingly commonplace, it’s important that organisations follow best practice such as this, to make the cloud security experience as safe, sound, and secure as possible. The alternative would leave infrastructures exposed to the security threats that lurk around every corner.