Partner Perspectives  Connecting marketers to our tech communities.
09:00 AM
Raymond Pompon
Raymond Pompon
Partner Perspectives
Connect Directly

Journey to the Cloud: Overcoming Security Risks

Lessons learned from a global consultancy's 10-year transition from on-premises to 99% cloud-based infrastructure.

Let me share with you the story of a large, multinational technology consultancy's migration from on-premises to 99% cloud-delivery infrastructure and applications. The transition began a decade ago with an email upgrade. The firm found it difficult to expand their physical server room so it moved to a cloud-based e-mail application. It took some work to find the right vendor and the right solution but, in the end, the company saved money, and soon added cloud-based CRM as well.

Because the consultancy was also growing crazy fast, officials needed to quickly add capacity. Soon they looked to the cloud for every new upgrade and app rollout. Their first true cloud environment was nailed up via an IPsec VPN to an early cloud player in the infrastructure-as-a-service (IaaS) business. They put a virtual Active Directory server up in the cloud to manage authentication, authorization, and accounting (AAA), and things just took off.  As this grew, they found they could deploy databases, web servers, applications—whatever the consultancy needed. The capacity was there with many of the security tools they were familiar with already.

One of the consultancy’s biggest security concerns was uptime, which they solved by finding a strong cloud vendor. Disaster recovery (DR) and business continuity are always big challenges, especially for a globally-dispersed and fast-growing organization like they had become. The trick was to make sure their cloud providers could match their requirements. This meant taking a lot of time to review contracts and service level agreements (SLAs) at the outset, and then holding the providers’ feet to the fire when promises did not match reality.

SLAs and Access
Management understood that a bad cloud provider could negatively impact uptime if the providers' expectations are different from their own. For example, most organizations know how good or bad their own DR capability is, but for a cloud provider, it can be a mystery. Also, some interesting problems can creep through the cracks in ways you don’t expect. Having short outages of just several minutes randomly throughout the workday can be worse than one big long outage. This is especially true for non-real-time services like email, where you might not notice when messages aren’t getting delivered. However, some cloud provider SLAs are written to cover longer outages rather than the short ones, so it's important to read carefully. This is especially true with platform-as-service (PaaS) cloud providers who are serving a single application and the vendor is more a niche (and therefore smaller and possibly weaker) player.

For the consultancy, managing access to their cloud was also a challenge, especially since they employed a mix of consultants and developers. Many people needed a wide range of access capabilities, and many needed full access to their own boxes. For this they turned to role-based access control to ensure people got what they needed on only the systems they needed and nothing else. Luckily, powerful security tools are available to do this. As needed, the consultancy can require multi-factor authentication (MFA) at the beginning of a session and then turn that around into single sign-on to ease access throughout the user workflow. This was especially helpful for those with elevated access as they could strongly authenticate them right off the bat.

Detection & Monitoring
As for detective and monitoring security tools, most large IaaS vendors provide virtual networking capability, which the consultancy tapped for packet capture and analysis. PaaS vendors are used differently, but most provided detailed audit logs on user logins and actions which they needed for audit purposes. Some large IaaS vendors also provided additional monitoring alarms to help with pesky things like developers accidently dropping authentication credentials into public code repositories.

One major challenge for the consultancy was dealing with different cloud environments. Some cloud vendors who have multiple offerings can have different knobs and gauges for their varying services. The consultancy’s security operations team would learn how to lock down and monitor something in one service area, only to find that things worked much differently in another.

Then there are the frequent upgrades within the service, which can change the look of a console or add new features. Even within the same cloud provider, it can be like managing security for different applications and environments. This can lead to complexity and security blind spots. It gets even more difficult when there is a mixture of different cloud vendors. To this day, there are likely additional security capabilities that the consultancy hasn’t taken advantage of yet because they haven’t had the time to learn them. To help with this, it’s best to ensure that someone on the enterprise security team attends cloud provider training sessions and conferences.

Compliance: The Last Big Challenge
Commonly, most cloud providers certify their platform up to a certain level and then from there, you need to deal with additional risk and compliance requirements. Cloud providers don't cover it all. That boundary and the accompanying responsibility is sometimes misunderstood by newcomers or executives. All things being equal, a non-technical person will just assume because XYZ Cloud has passed a particular audit, they think they’re done with security and they can rest. That’s almost never the case.

Overall, the consultancy’s journey to the cloud has been a game-changer. The lessons they learned made them a better and more valuable organization for their customers. And their security program has grown stronger.

Get the latest application threat intelligence from F5 Labs.


Raymond Pompon is a Principal Threat Researcher Evangelist with F5 labs. With over 20 years of experience in Internet security, he has worked closely with Federal law enforcement in cyber-crime investigations. He has recently written IT Security Risk Control Management: An ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Who Does What in Cybersecurity at the C-Level
Steve Zurier, Freelance Writer,  3/16/2018
(ISC)2 Report: Glaring Disparity in Diversity for US Cybersecurity
Kelly Jackson Higgins, Executive Editor at Dark Reading,  3/15/2018
Voice-Operated Devices, Enterprise Security & the 'Big Truck' Attack
Menny Barzilay, Co-founder & CEO, FortyTwo Global,  3/15/2018
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
F5 makes apps go-faster, smarter, and safer. With solutions for the cloud and the data center, F5 technology provides unparalleled visibility and control, allowing customers to secure their users, applications, and data. For more information, visit
Featured Writers
White Papers
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.