Moving On Up: How to Make Your Cloud Journey Safe and Secure
Warning: Cloud adoption can introduce a tsunami of change to an organization. We’re not just talking about a technological shift; it’s called a “digital transformation” for a reason. Relocating to the cloud can alter a company’s business model and profoundly transform how it operates, including performance, organizational structure and responsibilities.
If you’re part of a security team and find yourself looking at cloud as just one more initiative, or merely another data center, you’re not alone. Unfortunately, this is the wrong mindset for cloud. Nothing that you did before will prepare you for what’s coming with cloud adoption. The disruptive transformation that cloud causes will truly change the way you look at security. There are several reasons for this: (a) physical control and access; (b) elastic and ephemeral nature; (c) fluid network boundaries and (d) rapid releases and changes.
If you’re part of DevOps or a cloud team and find yourself helpless when dealing with security standards, security configurations, security monitoring or—God forbid—a serious security incident, don’t fret: You are not alone.
Most companies seek to migrate to the cloud in a secure fashion. Everyone involved cares deeply about their clients and data security. However, few take their first steps on the cloud security journey in a way that puts success on the list of probable outcomes.
How to begin? First and foremost, ensure that the right stakeholders are at the table: people from the security, DevOps, cloud and application portfolio teams, along with product owners and product managers. Exchanges between product management and security are critical at this stage. Product managers, architects, security and engineering must be engaged early; then you must step back and consider security in the context of the business drivers for cloud adoption and your cloud adoption maturity.
Business drivers typically concern faster time-to-market and massively increased development productivity for quicker digital transformation.
As for the cloud adoption maturity curve—take a look at these descriptions and see where your company currently resides:
Level 1: Lift & Shift. At the first level, an app and its attendant data get moved to the cloud without being redesigned at all. Lift & shift in regular cloud migrations invites numerous problems, from cost to supportability and security. Also, monolithic apps and the absence of DevOps principles simply won’t enable the enhanced productivity and accelerated time-to-market promised by the cloud. Some people think that this is easiest to secure, but that’s actually not true. A lot of it relies on software that isn’t meant to be exposed—and you end up taking on all the dependent components and having to secure them as well.
Level 2: Cloud-Optimized. At this level, an application and its related cloud infrastructure go through refactoring and start to use automation and PaaS services. The idea with a cloud-optimized approach is to achieve, in real time, a balance between cost, compliance and performance within an appropriately designed infrastructure.
Level 3: Cloud-Native. The most mature level of adoption allows scalable apps to be designed and implemented from scratch for dynamic environments. Cloud-native systems run without trouble across multiple clouds and are managed according to DevOps principles.
The Challenges of Cloud Security
Once you establish your company’s cloud maturity level, you can begin to focus on security challenges. Here’s what companies need to understand about cloud security, as opposed to on-premises security, before they start their journey:
- Businesses have much more freedom in choosing an IT landscape in the cloud. Employing SaaS solutions can achieve a significant portion of that shift. App teams and DevOps can almost immediately start using cloud capabilities.
- Traditional perimeter-based security does not work anymore; instead, it’s much safer to use defense-in-depth and zero-trust architectures.
- Cloud allows teams to achieve a high level of automation and integration. Successful cloud security programs introduce security and compliance in infrastructure as code (IaC), throughout all stages of the development process.
- Depending on the chosen infrastructure abstraction level and cloud provider, many security concerns are partially or entirely handled by that cloud services provider.
- Supporting multiple public cloud providers brings significant complexity in cloud security strategy implementations.
- While containers and serverless architectures are more secure by design, they also bring additional attack vectors.
Similarly, the security approach to the cloud also goes through a transformation. Answering the following questions can help you develop your cloud strategy:
- Do you communicate with your application development team(s)?
- Do you communicate with your DevSecOps team(s)?
- Is your identity and access management (IAM) program one of the most critical security initiatives? Do you recognize that identity is the new perimeter and key to zero-trust strategies?
- Do you have cloud configuration management and/or IaC? Do you utilize a Security as Code approach?
- How long is the feedback loop between a development team introducing a misconfiguration or configuration vulnerability and that issue being fixed?
- Do you have a security operations center (SOC) that’s aware of the cloud and can correlate security events, and detect and respond to attacks in the cloud? Have you tested your SOC in the cloud?
- Do you try to bridge the gap between the velocity of cloud (serverless/containerization) adoption in your development teams and the pace at which your security teams can keep up?
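The IaC and Security-as-Code points above, and the feedback-loop question in particular, are easiest to see in code. What follows is an added example, not code from the original article or from any product it mentions: a small policy-as-code gate that evaluates a JSON document shaped like an IaC plan against a few security policies and returns a CI exit code, so a misconfiguration fails the pipeline minutes after it is written instead of surfacing in production. The sample plan, the policy names and the resource attribute names (`aws_s3_bucket`, `aws_security_group`, `aws_ebs_volume` and their fields) are constructed for this example and modelled on common AWS Terraform resources; they are assumptions, not a real project's configuration.

```python
"""Policy-as-code gate for an IaC plan (added example, not from the article).

Evaluates a plan-shaped JSON document against a few security policies and
returns a CI exit code. The plan and the policies are constructed here and
modelled on common AWS Terraform resources; attribute names are assumptions.
"""
import json
from dataclasses import dataclass

# Constructed sample plan (not a real environment). Two buckets, two security
# groups and one volume; three of the five resources violate a policy.
SAMPLE_PLAN = json.dumps({
    "planned_values": {"root_module": {"resources": [
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "values": {"bucket": "example-logs", "acl": "private"}},
        {"address": "aws_s3_bucket.assets", "type": "aws_s3_bucket",
         "values": {"bucket": "example-assets", "acl": "public-read"}},
        {"address": "aws_security_group.bastion", "type": "aws_security_group",
         "values": {"ingress": [
             {"from_port": 22, "to_port": 22, "protocol": "tcp",
              "cidr_blocks": ["0.0.0.0/0"]}]}},
        {"address": "aws_security_group.web", "type": "aws_security_group",
         "values": {"ingress": [
             {"from_port": 443, "to_port": 443, "protocol": "tcp",
              "cidr_blocks": ["0.0.0.0/0"]}]}},
        {"address": "aws_ebs_volume.data", "type": "aws_ebs_volume",
         "values": {"size": 100, "encrypted": False}},
    ]}}
})

MANAGEMENT_PORTS = {22, 3389}          # SSH and RDP
ANY_CIDR = {"0.0.0.0/0", "::/0"}        # "the whole internet" in IPv4 and IPv6


@dataclass(frozen=True)
class Finding:
    policy: str
    severity: str
    address: str
    detail: str


def _resources(plan: dict):
    """Walk the root module and any nested child modules, yielding resources."""
    stack = [plan.get("planned_values", {}).get("root_module", {})]
    while stack:
        module = stack.pop()
        yield from module.get("resources", [])
        stack.extend(module.get("child_modules", []))


def check_public_bucket(res):
    """Flag storage buckets whose ACL grants public access."""
    acl = res["values"].get("acl", "private")
    if res["type"] == "aws_s3_bucket" and acl.startswith("public"):
        yield Finding("S3_PUBLIC_ACL", "HIGH", res["address"], f"acl={acl}")


def check_open_mgmt_port(res):
    """Flag security groups exposing a management port to any source."""
    if res["type"] != "aws_security_group":
        return
    for rule in res["values"].get("ingress", []):
        cidrs = rule.get("cidr_blocks", []) + rule.get("ipv6_cidr_blocks", [])
        if not ANY_CIDR.intersection(cidrs):
            continue
        lo, hi = rule.get("from_port", 0), rule.get("to_port", 65535)
        exposed = sorted(p for p in MANAGEMENT_PORTS if lo <= p <= hi)
        all_ports = lo == 0 and hi == 0   # 0-0 means "all ports" in SG terms
        if exposed or all_ports:
            yield Finding("SG_MGMT_PORT_WORLD_OPEN", "HIGH", res["address"],
                          f"ports {exposed or 'all'} open to {sorted(cidrs)}")


def check_unencrypted_volume(res):
    """Flag block volumes not encrypted at rest; a missing flag counts as off."""
    if res["type"] == "aws_ebs_volume" and res["values"].get("encrypted") is not True:
        yield Finding("EBS_UNENCRYPTED", "MEDIUM", res["address"], "encrypted!=true")


POLICIES = (check_public_bucket, check_open_mgmt_port, check_unencrypted_volume)


def evaluate(plan_json: str) -> list:
    """Run every policy over every resource and collect the findings."""
    plan = json.loads(plan_json)
    return [f for res in _resources(plan) for policy in POLICIES for f in policy(res)]


def gate(plan_json: str, fail_on: str = "HIGH") -> int:
    """Print findings and return a CI exit code: 1 if any finding is at or above fail_on."""
    rank = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}
    findings = evaluate(plan_json)
    for f in findings:
        print(f"[{f.severity}] {f.policy} {f.address}: {f.detail}")
    return 1 if any(rank[f.severity] >= rank[fail_on] for f in findings) else 0


if __name__ == "__main__":
    raise SystemExit(gate(SAMPLE_PLAN))
```

Run in a pipeline stage immediately after the plan is produced, the non-zero exit code is the short feedback loop the question asks about: the developer who opened port 22 to the world learns about it in the same pull request, and the policy itself lives in version control next to the infrastructure it governs.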
The Path Forward and Partnership
The questions above, answered honestly, should inspire a discussion about security aspects in cloud-native technology approaches, such as IaC, containers, and serverless. When this happens, security becomes an integral part of your software architecture, deployments, and pipelines.
The truth is, the cloud journey is difficult for most companies to make. The best way to succeed in this transformation is to engage a security consulting company with extensive engineering and cloud heritage. Working with a trusted partner can help you move confidently toward a secure place in the cloud.