With the introduction of cloud services, organizations were handed a powerful enabler to IT modernization: a means to store and process information that is flexible, scalable, and relatively inexpensive. Unfortunately, some strings are attached – a plethora of new, cloud-unique security risks. Concerns over confidentiality, data governance, and more cause many businesses to shy away from fully embracing cloud computing. However, with thoughtful measures in place, companies can reap benefits with risk well under control.

 

Needless to say, cloud security program measures should be tailored depending on your type of service – whether public, private, or hybrid. Also, different approaches to security are necessary for infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS). However, no matter the breadth or rigor needed to assure security for your specific cloud efforts, all security management strategies should include these key components: integrated, automated security tooling, a comprehensive approach to education and awareness, and highly controlled privileged access.

 

Integrated, Cohesive Strategy

Cloud security should never just be tacked on as an afterthought once cloud technology is in place. A strategy should include risk-based security controls baked into the cloud orchestration that are agile, automated, and elastic. Here’s what these factors entail and why they are paramount:

Agile cloud security: Since the cloud is agile, security should also be deployed in an agile fashion. Security requirements are met with modern DevOps methods where controls are instantiated as part of the cloud deployment and scaling workflow and informed by the cloud event data most relevant to your risks and concerns. As these deployments move into a run state, security should be considered and preserved at each iteration or release and at all layers of the platform stack to avoid any gaps.

Automated cloud security: Security monitoring and response should be deeply automated for each key control activity to avoid ineffective or manual processes. This includes automated vulnerability management, real-time event and behavior analysis, and ongoing configuration compliance alerting. Automation ensures that you are always protected and enables you to be proactive and to focus your limited resources on what matters in protecting sensitive cloud assets.

Elastic cloud security: For both elastic workloads and long-term scaling, security should grow as your cloud grows. By remaining agile and automated, security will keep pace with your cloud over time in a seamless and measurable way.

 

These three aspects go hand in hand and have the same over-arching goal: avoiding potential gaps in security. Developing a strategy and utilizing tools that achieve these are the first steps to extensive cloud security.

 

Education, Awareness, and Privileged Access 

In their report of top IT predictions for 2016 and beyond, Gartner stated, “Through 2020, 95 percent of cloud security failures will be the customer’s fault.” Many companies put too much faith in the system itself without enlisting proper practices or taking care to fully understand the environment and its risks. Without adequate diligence, organizations face technical, legal, financial, and compliance issues.

 

To avoid user-related security incidents:

Ensure understanding on all levels: Team members working in the cloud should be familiar with the technology in general, as well as the features and controls specific to their own environment. Due to the complexity of the landscape, people who are new to these platforms can easily underestimate the security risk involved or misunderstand how to effectively avoid risky configurations. Proper guidance and education upon implementing the cloud will prevent issues from arising.

Know your insider risks: Support and integration access requirements should coincide with rights granted on the platform. Well-managed privileged user access and additional controls will facilitate accountability from insiders while reducing potential damage from external hackers.

–  Craft consumable, real world security policies: When policies are outdated or unrelated, users may deviate, and shadow or uncontrolled cloud IT will grow. Security standards and processes should be based on workload criticality, be cloud-specific, and avoid unrelated security requirements that don’t take the unique aspects of the environment into consideration.

 

No matter how all-encompassing and well thought out your cloud security strategy is, your efforts are fruitless if users lack understanding of the platform’s features and security controls and awareness of measures necessary to protect it. Anyone who works even minimally within the cloud environment must take responsibility for its security – even if a public cloud provider with “shared responsibility” is used.

 

If you’re looking to deploy a cloud-aware approach to security and compliance, visit our cloud security services page, or contact us to hear more.

 

By Sunny Sherman | Consultant, PMO