During the course of my travels, there is one topic that comes up in nearly every meeting I attend: organizations moving to the cloud. Whether we like it or not, cloud migration is upon us, and the pace at which it is occurring seems to increase with each passing day. Many organizations I work with have already moved a number of business functions to the cloud, are in the process of doing so, or are seriously evaluating or planning for a move in this direction.
From a business perspective, this is not surprising. The cloud provides the attractive benefits of both lower cost and greater business continuity to an organization. Not surprisingly, it can also introduce additional risk. Of course, as security professionals, our primary duty is to mitigate unacceptable risk to the business.
But in the case of a move to the cloud, security managers won’t win any friends or influence any people by fighting what is shaping up to be one of the biggest business transformations in recent history. Better tofocus on understanding the risk that a move to the cloud presents, with the ultimate goal of understanding how best to mitigate that risk. What are some of the additional risks that an organization faces in the cloud? While not an exhaustive list, here are a critical four:
- Explosive variety: Sensitive, proprietary, or confidential information becomes accessible from nearly everywhere and every type of device. That means we need to think about protecting that critical data wherever it may transit or rest, even if that means thinking about doing so on a record number of different “endpoint” platforms.
- Limited visibility: The move to the cloud takes us out of the traditional confines and telemetry collection ability of the enterprise network. Because of this, visibility across the wide variety of endpoints for logging, monitoring, and auditing purposes becomes critical. Otherwise, we don’t have the ability to see what’s going on outside of the enterprise, which is where many newer endpoints live most of the time.
- Weakened detection: Even the best, most precise, highly tuned alerting content cannot facilitate detection if there is no underlying data supporting it. Limited visibility means weakened detection, unfortunately.
- Impeded response: Even if I have good visibility and detection across my cloud environment, I still face response challenges. If an endpoint (of any variety) becomes compromised, I need to contain and remediate the compromise. But what if that endpoint is on the other side of town, the other side of the country, or halfway around the world? Today’s mobility means that I need to think about how I will contain and remediate compromise in an environment where endpoints are nearly always on the move.
Risks & Challenges
The move to the cloud creates interesting challenges for security organizations, not the least of which is learning how to work more collaboratively with the business. This is important to ensure that security operations retain our ability to operate (and respond to iincidents as the environment changes. This is a bit of a philosophical change from our role in the past, but it is one we are going to need to get used to. Here are my thoughts on how to maintain continuity in security ops and incident response in this rapidly changing environment
- Visibility: Again, visibility is one of the first and most serious casualties of the move to the cloud. Do we have the necessary visibility into the various endpoints where critical data transits and resides? If not, this is something we need to think about across all types of endpoints (laptops, thin clients, tablets, smartphones, etc.).
- Access: Can we get our service providers to grant us access to our log data? Do we have the necessary access to the endpoint? Both of these will help us prevent our detection from being weakened. In addition, they can also help us tremendously during incident response. What exactly happened and when? Do I need to contain and remediate one or more endpoints remotely? Access to the right data is the key to answering those questions.
- Controls: It will be important to implement a reasonable set of controls across a wide variety of endpoints. If we remember the amount of coveted data that transits these devices, we can easily see why we want to maintain as much control as is feasible without significantly impeding business operations. There is significant room to improve here, given where we are currently.
- Agreements: Do we have the right agreements in place with our service providers come response time? If we need to respond to an incident involving one or more of our outsourced business functions, do we have the necessary procedures, relationships, and access in place to do so? If not, this is something to think about as well.
Fighting the move to the cloud is a losing battle. But that doesn’t mean we have to throw our arms up and give up on mitigating risk through other means. What the attackers are most often after is our sensitive, confidential, or proprietary information. When we shift our risk mitigation focus to protecting that data, regardless of where it transits or resides, it allows us to devise a strategy to continue to operate in today’s rapidly changing environment. Even in a business world dominated by the cloud, we can still accomplish our strategic security objectives. We just have to change the way we play the game a bit.