People have been talking about making the transition to the cloud for more than a decade. The day that happens is no longer in the future: It's here now. More businesses than ever use multicloud environments to handle an increasing number of workloads as well as software-as-a-service applications for their core business processes. This shift brings cloud security to the forefront — and it's time for a fresh look at securing business in the cloud.
From a security standpoint, the cloud adds an extra layer of complexity on top of managing an increasingly mobile and demanding workforce. The old ways of building a rigid, static wall around our on-premises IT assets don't work for the cloud. Securing it requires a much more comprehensive approach.
Some IT professionals make the mistake of thinking basic cloud security is good enough. But there's a reason cloud data leaks continue to make headlines. One example: In 2019, a hacker gained access to around 100 million Capital One customers' accounts and credit card applications via a misconfigured Web application firewall. The fact that such a breach could occur the way it did means there's still something even the largest companies are missing.
But what is it? After speaking with CISOs, CTOs, and chief data officers, it's clear to me that we're still not speaking the language of cloud security in a way everybody can easily understand.
In addition, clarity is missing on who owns what part of cloud security and who is doing the necessary work to maintain it throughout the organization. It doesn't help that there is hidden or abstracted complexity in cloud platforms that's difficult to account for at all times. Combined with the rapid pace of technology change in general and the pressure that comes from the "push to production" in typical organizations, these factors all add to the overall risk we face in the cloud.
Here are three steps to consider that will make sure your cloud security is as modern as your business:
1. Converge Your People
Align your IT decision-makers and your IT organization around an end-to-end view of infrastructure security and information protection that includes cloud environments. Start by standardizing the language used to discuss cloud and data security. It's the first step in furthering your organization's collective understanding.
Ongoing training also plays a role. Properly educated employees and users form a foundational piece of your security "stack," since they often serve as a first or potentially last line of defense. Instilling the idea that everyone plays a role in a security protection chain is vital because any disconnect within or between an organization's IT teams or employees can create exploitable gaps.
2. Converge Your Services and Tools
There's an interesting phenomenon regarding tools. CISOs are rightfully trying to reduce the number of diverse tools they have to manage. But on the cloud development side, there has been an explosion of tools and services being built for specific purposes. While many of these are consumed as managed services, they introduce a new demand on resources and potentially can increase risk. This is likely to continue until we see simplification and convergence.
As such, most CISOs are always looking to replace point solutions with integrated and converged security platform solutions. Seek platforms that provide security in the following areas:
- Data loss prevention (DLP)
- Endpoint protection
- Network security (firewall-as-a-service and Secure SD-WAN)
- Cloud security (cloud access security broker, or CASB, and Certified Security Project Manager if you deploy your own code)
A converged platform allows deployment of consistent policies across all levels and locations of your organization, and, importantly, it simplifies security management and gives data flow level visibility across your organization (from endpoint to cloud via the network). It also allows for real-time updates and responsiveness to changes in the organization and regulatory environment. GDPR and the California Consumer Privacy Act are just the beginning. As additional privacy regulations roll out, new policies will need to follow. Preparing for these is a must for most CISOs and data protection officers.
Modern cloud security incorporates solutions for a growing list of requirements: DLP, Web security, CASB, next-gen firewalls, elements of trust, etc. These should be complemented by behavioral analytics in order to apply the right level of user access controls across changing and disparate systems. Indicators of behavior, or IOBs, are the modern way to look at how users interact with company data, systems, and apps.
That's why today's cloud security requires utilizing converged services. Leveraging converged services is key to consolidating the number of tools in your security arsenal for maximum effectiveness and reducing operational burden.
3. Plan for a Data-Fluid Future
There's no way to put the genie back in the bottle. Cloud adoption will continue to accelerate because of the benefits it provides: cost and efficiency gains for businesses while offering employees flexibility to get work done wherever they are.
But adopting the cloud means your organization's data moves between users, apps, and cloud environments in more dynamic ways. All of this requires a data-centric approach to security protocols. Deciding to migrate workloads or adopt new cloud applications is the easy part; maintaining the right level of corresponding permissions and policies won't happen without a clear cloud security and information protection strategy.
Consider making changes to how you test your security framework. For example, in the past, penetration testing once a month might have made sense, but rapid alterations to cloud-based apps usually requires more frequent checks to ensure new vulnerabilities or attack surfaces are addressed.
There's no magic bullet for getting cloud security right. Take a comprehensive approach to better protect your organization. Security hygiene is still a must, but also look at your risk posture through a data protection lens and implement DLP and behavioral analytics. Endeavor to give everybody who touches data and the cloud a common language of cloud security they can all understand. And stay on your toes — the future is only getting cloudier.
Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "SSRF 101: How Server-Side Request Forgery Sneaks Past Your Web Apps."