7 Security Mistakes Organizations Make When Adopting Cloud
In response to the current business environment, many organizations are rapidly adopting technologies, like Public Cloud, to help scale and manage their key applications, IT infrastructure and enable their remote workforce. One of the biggest challenges they are facing is balancing the need for speed with the need to establish a robust security posture. In this post, Cloud Consultant, Roy White, identifies 7 common security mistakes that organizations make when adopting Cloud.
The COVID-19 pandemic is forcing businesses to tackle a variety of sudden technical and organizational challenges. Some of you may need to scale up your remote working capability, others may need to address demand spikes on critical applications. Some may even need to pivot your entire business.
The use of public Cloud may well provide the capability to rapidly address these challenges, to help you extend your current operational environment in a hybrid model or create an entirely new footprint within the Cloud. While there certainly are benefits to accelerating your move to the Cloud at this critical point, there are also many risks to be aware of.
Think about it as if you were building a house. Regardless of whether the house is erected within a standard or an expedited time scale, any short-cuts will result in an unsafe structure.
The mantra is the same when adopting Cloud. An understanding of Cloud best practices, especially regarding security and governance, should be at the forefront of any changes.
The following are common mistakes organizations make when adopting Cloud:
Mistake #1: They approach security the same way they do for on-premises data centers
An on-premises environment is typically owned 100% by an organization’s internal security team and protected by firewalls and perimeter-based solutions like IDS/IPS to form a trusted network. In a Cloud environment, you cannot assume your data will have a moat around it. Cloud service providers (CSPs) know this, and they purposely build their solutions with security in mind from the foundation, using a defense-in-depth model in which security is applied across multiple layers. Still, using Cloud means utilizing different mechanisms to ensure full control of your data. When moving to a public Cloud, IT leaders should take time to review their entire IT architecture and carefully determine what workloads could most benefit from a move to the Cloud.
Mistake #2: They don’t view security as a shared responsibility
When organizations move to the Cloud, they often assume the CSP will handle all aspects of security. But moving to a Cloud doesn't absolve your organization of security responsibilities, and accountability will always reside with the organization. Security in the Cloud is a shared responsibility, and all parties must play their part. To keep data secure, an organization must have the right capabilities in place to effectively manage risks. Capabilities are formed of people, processes and eventually tools. Your people need to have the necessary skills and understanding of Cloud platforms (more on that later). Cloud Governance policies and security processes need to be in place to provide your organization with the guardrails it needs to operate effectively without putting the system at risk. Finally, your tools should help support all of the above: providing detailed analytics on usage to prevent data risk and compliance violations, driving enforcement and quarantine if a violation occurs, and providing real-time threat intelligence.
Mistake #3: They don’t secure and restrict access to the Cloud platform
Access control is a vital component of Cloud security. Only the relevant people should have access to the Cloud platform itself, and they should have only the level of rights needed to carry out their role. To maintain proper security, an enterprise should adopt a privileged access protocol. In other words, identify all possible forms of access that are required for your system and data, and ensure that the controls applied meet the system requirements: from open access for public website-type data, to authenticated access for internal user applications, to highly controlled privileged access accounts which may have access to the heart of your data and applications. Then, put processes in place to mitigate exposure and ensure only the right users can access Cloud data and applications, including managing the full account cycle from creation to deletion of accounts that are no longer needed.
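As an added illustration (not part of the original post), the review described above can be automated: compare each account's granted rights with what its role needs, and flag accounts at the end of their life cycle. The role names, rights strings, inventory and 90-day idle threshold are all assumptions made for this example.

```python
from datetime import date

# Constructed policy: the rights each role needs (all names are assumptions).
ROLE_RIGHTS = {
    "analyst": {"read:public", "read:internal"},
    "platform-admin": {"read:public", "read:internal", "admin:platform"},
}
PRIVILEGED = {"admin:platform"}  # rights that reach "the heart" of the platform
MAX_IDLE_DAYS = 90               # assumed cut-off for "no longer needed"

# Constructed inventory, shaped like an export from an identity provider.
ACCOUNTS = [
    {"name": "alice", "role": "analyst", "owner_active": True,
     "rights": {"read:public", "read:internal"}, "last_used": date(2020, 4, 20)},
    {"name": "bob", "role": "analyst", "owner_active": True,
     "rights": {"read:public", "read:internal", "admin:platform"},
     "last_used": date(2020, 4, 28)},
    {"name": "carol", "role": "platform-admin", "owner_active": True,
     "rights": {"read:public", "read:internal", "admin:platform"},
     "last_used": date(2019, 11, 1)},
    {"name": "dave", "role": "analyst", "owner_active": False,
     "rights": {"read:public", "read:internal"}, "last_used": date(2020, 4, 30)},
    {"name": "svc-build", "role": "ci-runner", "owner_active": True,
     "rights": {"read:internal"}, "last_used": date(2020, 4, 30)},
]

def review(accounts, today):
    """Return (account, finding, detail) tuples for access that needs action."""
    findings = []
    for acct in accounts:
        needed = ROLE_RIGHTS.get(acct["role"])
        if needed is None:  # no defined role means the rights cannot be justified
            findings.append((acct["name"], "unknown-role", sorted(acct["rights"])))
            continue
        excess = acct["rights"] - needed
        if excess:
            kind = "excess-privileged" if excess & PRIVILEGED else "excess-rights"
            findings.append((acct["name"], kind, sorted(excess)))
        idle = (today - acct["last_used"]).days
        if not acct["owner_active"]:  # owner left: end of the account life cycle
            findings.append((acct["name"], "orphaned", []))
        elif idle > MAX_IDLE_DAYS:
            findings.append((acct["name"], "stale", [f"{idle} days idle"]))
    return findings

if __name__ == "__main__":
    for name, finding, detail in review(ACCOUNTS, date(2020, 5, 1)):
        print(f"{name:10} {finding:18} {', '.join(detail)}")
```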
Mistake #4: They don’t focus on the security of the entire supply chain
Threats from external supply sources come in many forms. For example, many organizations now use publicly available libraries on GitHub to develop applications faster. But using code of unknown provenance that is not fully understood and verified can lead to insecure applications. While this issue isn’t restricted to organizations that use Cloud, it is a growing challenge among enterprises. It’s not always easy to verify the security of the code you utilize, but doing so can ensure you don’t open your company up to security problems. Make sure whatever tools you utilize from an outside source – whether it’s code, hardware, software or something else – don’t introduce new security issues.
Mistake #5: They don’t work as a team
Today’s heightened threat environment requires everyone to take responsibility for security. Rather than work in a silo, an enterprise security team should collaborate with their CSP to develop an enterprise-wide security strategy. The support and external knowledge a CSP offers can help the enterprise keep abreast of the latest threats and help it address potential resource, skill or time shortages.
This shared responsibility model must also be applied within the organization itself. Leadership teams should work with developer teams and other internal IT personnel to share security knowledge and responsibilities. This is especially important as more organizations utilize hybrid Cloud models. A single security team is not enough to protect a combination of public Cloud, private Cloud, and on-premises IT environments.
Mistake #6: They don’t have the right skills
As we have established throughout this post, security in the Cloud requires a very different approach to security running on a physical network. A different approach demands a different set of skills. Your traditional security team would be isolated, working on policies, configurations, and protocols separate from the rest of the IT team. When you are in the Cloud you need your security professionals to be able to deploy and manage Cloud-native solutions with an understanding of the distribution and elasticity of Cloud architectures. They also need to be integrated with your Development and Operations teams (DevSecOps) ensuring security is built into applications and infrastructure. This requires a technical skillset and awareness beyond just that of network security strategies and traditional security tools.
Mistake #7: They don’t balance speed with risk mitigation
This is particularly relevant in the current climate in response to COVID-19, where organizations are rapidly upscaling or adopting new tools and working practices. While this rapid change may be necessary, be wary that there will also be a lot more opportunistic bad actors trying to capitalize on businesses that are trying to overcome their current challenges.
At this time, it is important to remind your colleagues of security best practices and risk management. Crisis events are prime time for social engineering ploys like phishing emails that play off people’s fear and desire for more information.
The goal is to achieve the right balance of acting fast while not exposing your business to unnecessary risk. Don’t be an obstruction, but make sure you are taking the time to follow processes and document changes.