(ISC)²'s bi-monthly e-newsletter Cloud Security INSIGHTS, delivers timely, must-read original articles for the professional development of infosecurity practitioners focused on cloud security.
White paper: KRI Basics for IT Governance
The IT landscape is constantly shifting so IT professionals must take a proactive approach to protect their organizations against threats that could expose sensitive data, damage reputations, and negatively impact revenues. Access this success kit to unlock key resources that will help you stay current with today’s ever-evolving IT risk and compliance requirements.
MARCH CLOUD SECURITY INSIGHTS
Managing the Potholes and Possibilities During Cloud Migrations
By PAUL SOUTH
Sometimes the journey to the cloud means pedal-to-the-metal driving on a smooth track. Other times, the road is rife with potholes to be avoided. Knowing when to press forth and when to maneuver around a pockmarked path will depend on how each organization selects, deploys and maintains cloud-related services.
A recent (ISC)² webcast reflects lessons learned from different experiences with securely moving assets from traditional data centers and on-premises servers to virtual environments.
Rearchitecting the perimeter and resolving bandwidth, latency issues
To be sure, there are varied ways to design and deploy applications and create new infrastructure that supports security, such as creating a software-defined perimeter. This architectural arrangement offers cloud benefits to the organization, while giving the cybersecurity team the ability to effectively do its job, according to Jason Garbis, vice president of cybersecurity products at Cyxtera.
“Because it is inherently designed for this distributive, heterogeneous and very identity-centric world that we need, it can automatically adapt and adjust user access based on tags and metadata and allow organizations to enable the business in a way that’s safe and secure to take advantage of the benefits,” said Garbis. “It ensures that the security team meets [its] responsibilities of imposing requirements and controls and has the ability to get the visibility and reporting that it needs.”
In one case, the transition to using cloud service providers triggered email traffic snarls, resulting in exceptionally long delays in email delivery, relayed Spencer Wilcox, executive director of technology and security at PNM Resources.
“We were adding 30 to 50 seconds just in email distribution,” Wilcox said. “And that was on an average email. We had some emails that were getting flagged by security brokers. One of the interesting things about it was we were hitting 30 to 40 minutes in some cases before delivery. It can be a real challenge.”
Choose your own adventure
Every organization’s caravan to the cloud is different, Garbis said.
“It’s so multifaceted,” he said. “It’s a really, really complicated process, as we all know. As security professionals, [we must] understand the data, the user access pathways, how my network is configured and do all this without interrupting operations. There’s not just one pathway. Every organization has to make up its own roadmap and prioritization.”
Those differences mean that security professionals must cultivate strong working relationships with the lines of business and application owners, Garbis said.
“The security team needs to have this bidirectional level of trust where the security teams trust the business owners and vice versa, so that the security teams can support and offer guidance and make these transitions successful, without being an impediment to the business,” he said.
Understand everyone’s vision for cloud use
Everyone attached to cybersecurity must understand and collaborate with the business side of an organization to make sure a chosen path delivers real value.
“In our case, when we can improve security and make it easier for people to get their jobs done, then everybody ends up happy at the end of the day,” Michael Brannon, director of infrastructure and security at National Gypsum, said. “When you’re enabling people to do things simply and get things done easily, [and] at the same time taking them to a more secure place, that’s a better place to be.”
During the transition, firms find themselves straddling between on-premises servers and the cloud. This is a precarious place to be, but one that also is manageable.
“For us to realize some of the benefits, we had to work very closely with the business and leadership such that when our mainframe became nonproductive over Thanksgiving weekend, we planned to start disassembling it and sending it out the door (the next month),” Brannon said. “So, something we woke up and realized is: If you keep every old thing you ever had around, and you do new things, guess what happens? It only costs more over time. As a manufacturing company, with IT being an expense item, we’ve gotten better and better over time at sort of making these moves.”
National Gypsum also has established policies for the new cloud environment to delete by default, so that obsolete, trivial and redundant material disappears. Though it amounts to a “hard right turn” in terms of change, leadership and legal are comfortable with such actions, Brannon said.
Organizations also have to safeguard against vulnerabilities to new malware and phishing attacks from malicious actors. In the journey to the cloud, education and policies are important, but more is needed. Suggestions include using multifactor authentication for even routine access or properly registering devices so that random machines with working usernames and passwords can’t gain access.
A different mindset may be in order
The journey to the cloud is a never-ending story, Wilcox said.
“As you start to move down the path of cloud adoption, don’t think of it as an end state,” he said. “It’s going to be a constant journey and a constant evolution. Just like the evolution of security over the years, there are going to be new ways that some of us have never thought of for someone to breach our data to get into our information to really put us in the crosshairs of losing our information.
“But, also, don’t be any more afraid of it than anything else you’ve ever installed within your own networks,” he added. “This is simply a change in the way you manage your responsibilities. Think of it as a way to learn from people who do good security on their own systems every day, but also check—make sure that they do good security. Your due diligence is more necessary now than ever.”
Paul South is an Alabama-based freelance writer and an editor at InfoSecurity Professional magazine.