Cybersecurity In-Depth: Feature articles on security strategy, latest trends, and people to know.

Moving on Up: Ready for Your Apps to Live in the Cloud?

Among the complications: traditional security tools work poorly or not at all in the cloud, and if a company screws up, the whole Internet will know.

Kacy Zurkus, Contributing Writer

August 13, 2019

5 Min Read

Some people dread moving. Understandable. Others, however, get a real charge from the opportunity to purge, scale down, and take only what they need.    

As the digital landscape changes, organizations are doing some purging of their own as they move to the cloud. But that transition isn't as easy as packing up dishes and linens, putting boxes on a truck, and heading off to a new destination.

Migrating to the cloud is challenging because not only must organizations determine what they will need in the cloud, but all of those applications must then be rebuilt in a new environment. All the while, the attack surface in need of defense is expanding, and the rules that worked in a network environment might not be enough in the cloud.

"A major factor complicating cloud security is that traditional security tools work poorly or not at all in the cloud," says Dan Hubbard, CEO at Lacework. "Even if the most skilled cloud migration staff members recognize that security is important and necessary, businesses are often fuzzy about the details of cloud security."

Moving at the Speed of DevOps
The speed at which businesses now operate has directly impacted the speed at which applications are developed and moved to the cloud. Because no one has the gift of hindsight to truly prepare for threats in this new environment, security teams have their work cut out for them.

It's no surprise, then, that a recent report from Bitglass found as more organizations transition to the cloud, 93% of survey respondents said they are at least moderately concerned about their ability to use the cloud securely.

Historically, security has come to what is often called the "far right" of the development process — meaning organizations often need to decide whether to slow down business in order to fix a vulnerability or sign off on a risk and allowing the application to go into production, explains Chris Carlson, VP of cloud agent platform at Qualys.

"The opportunity is for security leaders to use new security tools that integrate easily and well with these new cloud IT development production tools to actually make Web applications in the cloud even more secure than they were when they were on-premise," he says.

Rethinking Security in the Cloud
When migrating to platform-as-a-service (PaaS) offerings, organizations are looking at a reimplementation of functionality against cloud offerings, according to Dr. John Michener, chief scientist at Casaba Security.

"These can be quite secure, but there is a major potential gotcha: If they screw up within a corporation, the exposure may be corporate-wide. If they screw up an access settings in the cloud, the exposure is likely to be Internet-wide, Micherner says.

In addition, reliable standards have yet to be established, says Dr. David Brumley, CEO of ForAllSecure and a professor at Carnegie Mellon University. People are still trying to determine the best ways to ensure policies are in place.

"The security principles that have traditionally existed on the network are still critical in the cloud, but the cloud exacerbates age-old problems," he says. "Organizations still need to do access control and ensure the protection of data in the event that something does get in your system."  

The most successful organizations are rethinking how they perform security and moving to a combination of security as a centralized governance and tooling organization with security distributed within the development teams, according to Hubbard. "With that solutions need to fit into these modern deployments, straddling the needs of both security and application development," he says.

When companies migrate to software-as-a-service (SaaS) offerings from in-house hosted equivalents, they are unlikely to have significant security issues. This is why organizations should first migrate to appropriate SaaS implementations, such as Office 365, Salesforce, and SAP HANA, Casaba Security's Michener advises. "

I would expect organizations to keep legacy apps in-house or migrate them to [Internet-as-a-service] instances that are equally as convenient and economical, but custom in-house apps would be the target for PaaS migration," he says.

Keeping Up with the Business
In many organizations, applications were moved to the cloud before their security teams really knew what the threats in the cloud were. Now they're playing catch-up, while more applications are migrating. While doing so, organizations need to remember that security is not a "true" or "false," Brumley says. Companies are migrating to the cloud to increase accessibility and be able to iterate faster, but at the same time security will become more difficult simply by definition.  

To get ahead, it's important to build defense in depth and have a strategy in place, says Kory Daniels global director, iSecOps at Trustwave. "The organization should have a framework that allows an adaptive and agile mentality of identifying proper use cases," he says.

In addition, for each specific app, the security team needs to know what data exists on the app, who has access to that data, and what concerns are associated with moving that data. "If we have the ability to identify the key things we want to protect, then we look at our ability to ensure we have the proper controls in place to lock down data to the best of our ability without inhibiting business," Daniels says.

And because there's no way of truly knowing what all the threats are in the cloud, "it's important to have the people, process, and technology from detection and response to ensure that you can at least identify where the threats are being exploited," he adds.

Related Content:

Image source: blackboard via Adobe Stock


About the Author(s)

Kacy Zurkus

Contributing Writer

Kacy Zurkus is a cybersecurity and InfoSec freelance writer as well as a content producer for Reed Exhibition's security portfolio. Zurkus is a regular contributor to Security Boulevard and IBM's Security Intelligence. She has also contributed to several publications, including CSO Online, The Parallax, InfoSec Magazine, and K12 Tech Decisions. She covers a variety of security and risk topics and has also spoken on a range of cybersecurity topics at conferences and universities, including Secure World and NICE K12 Cybersecurity in Education. 

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights