12/20/2016
10:30 AM
Joshua Goldfarb
Commentary
20 Questions Security Pros Should Ask Themselves Before Moving To The Cloud

A template for working collaboratively with the business in today's rapidly changing technology environment.

Everywhere I go lately, the cloud seems to be on the agenda as a topic of conversation. Not surprisingly, along with all the focus, attention, and money the cloud is receiving, comes the hype and noise we’ve come to expect in just about every security market these days. Given this, along with how new the cloud is to most of us in the security world, how can security professionals make sense of the situation? I would argue that that depends largely on what type of situation we’re referring to, exactly. And therein lies the twist.

Rather than approach this piece as “20 questions security professionals should ask cloud providers,” I’d like to take a slightly different angle. It’s a perspective I think will be more useful to security professionals grappling with issues and challenges introduced by the cloud on a daily basis. For a variety of reasons, organizations are moving both infrastructure and applications to the cloud at a rapid rate - far more rapidly than anyone would have forecast even two or three years ago.

As security professionals, we are way beyond the point of simply being able to tell the business they cannot move certain things to the cloud. Instead, we need to work collaboratively with the business to mitigate the risks introduced by the changing business environment. Given that we find ourselves in this situation, we need a different approach. What are 20 questions security organizations should be asking themselves as the business moves to the cloud?

Image: By DuMont Television/Rosen Studios, New York (photographer). Uploaded by We hope at en.wikipedia (eBay item, photo front, photo back) [Public domain], via Wikimedia Commons.

  1. Do we know how much it costs to build, maintain, and operate data centers? That is the first step to understanding the pressure the business is under.
  2. Have we opened up the lines of communication and listened acutely to the business? Before we can expect the business to listen to us, we need to build bridges, gain trust, and listen to the business.
  3. Do we truly understand the needs of the business? It’s hard to convince the business that we have their best interests in mind when we don’t fully understand what that means.
  4. Do we react with a knee jerk? We must be honest with ourselves to determine if we are truly behaving proactively, or if we are merely behaving reactively.
  5. Do we always say no? We must be careful not to be the program of no to a business that will increasingly roll its eyes and work around us.
  6. Are we focused on mitigating risk rather than simply playing whack-a-mole? We need to think holistically and strategically about mitigating risk. We don’t want to win the battle but lose the war.
  7. What infrastructure has been or will be moved to the cloud? It helps to know what infrastructure we are looking to protect when we set out to protect it.
  8. What applications have been or will be moved to the cloud? It also helps to know what applications we are looking to protect when we set out to protect them.
  9. Are we able to enumerate the top five or 10 risks introduced by the move to the cloud that concern us? That’s generally a good place to begin when looking to mitigate risk.
  10. Are we certain that the move to the cloud always introduces additional net risk? While it is true that certain risks may be introduced, it is also quite likely that some legacy risks may actually go away.
  11. Are we positive that we can secure something better than someone whose core business depends on it? Granted, not all cloud providers are equal, particularly when it comes to security. But if the provider takes security seriously, they can bring resources and economies of scale to securing our applications and data that we will never be able to bring.
  12. Is all really lost when applications move to the cloud? It is entirely possible that a new infrastructure will give us visibility into applications like we’ve never had before. But we have to involve ourselves as a friend of the business from the beginning.
  13. Are we focused on data? In the cloud, it’s more about protecting data, and less about protecting infrastructure and assets.
  14. Have we considered the economics of the cloud for our own internal security purposes? Not all security products and services need to be racked and stacked in-house anymore. In fact, some of the most interesting ones are cloud-based.
  15. Have we looked into simplifying our own security stack in the cloud? As technologies mature, it may make sense to take a strategic look at consolidating and simplifying security infrastructure as well.
  16. Have we looked into the efficiency gains and operational scale the cloud can bring us? Trying to run a query across several months’ worth of data on a 2U vendor appliance can be painful. But with the scale that the cloud provides, that same query can return lightning fast.
  17. Do we have the necessary visibility into infrastructure and applications in the cloud? If not, how do we plan to gain that visibility?
  18. Have we considered how we will retain response capability with the move to the cloud?
  19. Have we thought about looking to the endpoint as a potential source of visibility and control as the traditional enterprise infrastructure slowly disintegrates before our very eyes?
  20. Are we focused on the big picture? The cloud is relatively new and can seem a bit scary, but have we thought about the fact that if we do our homework properly, we may even end up with a better security posture than we had before the move to the cloud?

Nearly all security professionals today are grappling with the business moving to the cloud in one form or another. While a few years ago, the mere thought of this happening would have seemed nearly impossible, it is now the reality we live in. As security professionals, we owe it to ourselves to ensure we ask the right questions and make the right preparations as the landscape changes before us. Otherwise, we simply have our heads in the clouds.

Josh (Twitter: @ananalytical) is an experienced information security leader with broad experience building and running Security Operations Centers (SOCs). Josh is currently co-founder and chief product officer at IDRRA and also serves as security advisor to ExtraHop. Prior to ...
Comments
No SOPA,
User Rank: Ninja
12/20/2016 | 1:04:19 PM
Audit Yourself Even Before Implementation
This is a great list of questions. When it comes to big tech moves from one platform to another, I believe acting as though you have the tech already and are about to have a Security audit helps answer lots of questions. Using documents like Common Criteria, for instance, to walk through targets of evaluation either by using the technical documentation of the product(s), whitepapers on other implementations, documented exploits, and so on. I've been reading Raymond Pompon's IT Security Risk Management which develops a thorough audit plan that could be used for such a purpose. Security pros should approach every acquisition the same way they'd do working with a client. Set yourself up for success and know that once you've done your soft audit, then implemented, you could have an auditor walk in and you'd pass with flying colors.