Raymond Pompon
Partner Perspectives
Journey to the Cloud: Overcoming Security Risks

Lessons learned from a global consultancy's 10-year transition from on-premises to 99% cloud-based infrastructure.

Let me share with you the story of a large, multinational technology consultancy's migration from on-premises infrastructure and applications to 99% cloud delivery. The transition began a decade ago with an e-mail upgrade. The firm found it difficult to expand its physical server room, so it moved to a cloud-based e-mail application. It took some work to find the right vendor and the right solution, but in the end the company saved money, and soon added cloud-based CRM as well.

Because the consultancy was also growing very fast, it needed to add capacity quickly. Soon it looked to the cloud for every new upgrade and app rollout. Its first true cloud environment was connected via an IPsec VPN to an early cloud player in the infrastructure-as-a-service (IaaS) business. The firm put a virtual Active Directory server up in the cloud to manage authentication, authorization, and accounting (AAA), and things just took off. As this grew, they found they could deploy databases, web servers, applications, whatever the consultancy needed. The capacity was there, along with many of the security tools they were already familiar with.

One of the consultancy's biggest security concerns was uptime, which it addressed by finding a strong cloud vendor. Disaster recovery (DR) and business continuity are always big challenges, especially for the globally dispersed and fast-growing organization it had become. The trick was to make sure the cloud providers could match its requirements. This meant taking a lot of time to review contracts and service level agreements (SLAs) at the outset, and then holding the providers' feet to the fire when promises did not match reality.

SLAs and Access
Management understood that a bad cloud provider could negatively impact uptime if the provider's expectations differed from their own. For example, most organizations know how good or bad their own DR capability is, but for a cloud provider it can be a mystery. Also, some interesting problems can creep through the cracks in ways you don't expect. Having short outages of just several minutes randomly throughout the workday can be worse than one big, long outage. This is especially true for non-real-time services like e-mail, where you might not notice when messages aren't getting delivered. However, some cloud provider SLAs are written to cover longer outages rather than short ones, so it's important to read them carefully. This is especially true with platform-as-a-service (PaaS) providers that serve a single application and are niche (and therefore smaller and possibly weaker) players.
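The gap between experienced and contractual availability is easy to measure once you log outages yourself rather than relying on the provider's status page. The script below is an added illustration, not the consultancy's tooling or any provider's SLA; the outage log is constructed, and the SLA terms (a 99.9% monthly target that only credits outages of at least 10 minutes) are hypothetical. It shows how ten short blips plus one long outage can breach the target as users experience it while the contract still reports compliance.

```python
"""Compare the availability a customer actually experienced with the
availability a provider's SLA would credit.

Added example, not from the article. The outage log is constructed and the
SLA terms (99.9% monthly target, credit only for outages >= 10 minutes)
are hypothetical.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

Outage = Tuple[datetime, datetime]
MINUTES_PER_30_DAYS = 30 * 24 * 60  # 43,200 minutes in the billing month


def _outage(day: int, hour: int, minute: int, length_min: int) -> Outage:
    """Build a (start, end) pair for a constructed June 2021 outage."""
    start = datetime(2021, 6, day, hour, minute)
    return start, start + timedelta(minutes=length_min)


# Constructed log: ten 4-minute blips during working hours on consecutive
# days, plus one 15-minute outage in the middle of the night.
OUTAGES: List[Outage] = [_outage(day, 10, 15, 4) for day in range(1, 11)] + [
    _outage(14, 2, 0, 15)
]


def downtime_minutes(outages: List[Outage]) -> float:
    """Total minutes of downtime across all recorded outages."""
    return sum((end - start).total_seconds() / 60 for start, end in outages)


def availability(outages: List[Outage], period_minutes: int = MINUTES_PER_30_DAYS) -> float:
    """Fraction of the period the service was up (1.0 == 100%)."""
    return 1.0 - downtime_minutes(outages) / period_minutes


def credited_outages(outages: List[Outage], min_credit_minutes: int) -> List[Outage]:
    """Only the outages an SLA with a minimum-duration clause would count."""
    floor = timedelta(minutes=min_credit_minutes)
    return [(s, e) for s, e in outages if e - s >= floor]


def sla_gap_report(
    outages: List[Outage],
    target: float,
    min_credit_minutes: int,
    period_minutes: int = MINUTES_PER_30_DAYS,
) -> Dict[str, object]:
    """Side-by-side view: what users experienced vs. what the contract credits."""
    credited = credited_outages(outages, min_credit_minutes)
    observed = availability(outages, period_minutes)
    contractual = availability(credited, period_minutes)
    return {
        "outages": len(outages),
        "uncredited_outages": len(outages) - len(credited),
        "observed_availability": round(observed, 5),
        "contractual_availability": round(contractual, 5),
        "meets_target_observed": observed >= target,
        "meets_target_contractual": contractual >= target,
    }


if __name__ == "__main__":
    report = sla_gap_report(OUTAGES, target=0.999, min_credit_minutes=10)
    for key, value in report.items():
        print(f"{key:>26}: {value}")
```

Run over the constructed log, the observed availability (about 99.87%) misses the 99.9% target while the contractual figure (about 99.97%) meets it, because the ten daytime blips never reach the credit threshold. Tracking that "uncredited_outages" count is what tells you the provider's SLA is written for a different failure mode than the one you are living with.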

For the consultancy, managing access to its cloud was also a challenge, especially since it employed a mix of consultants and developers. Many people needed a wide range of access capabilities, and many needed full access to their own boxes. For this it turned to role-based access control to ensure people got what they needed on only the systems they needed, and nothing else. Luckily, powerful security tools are available to do this. As needed, the consultancy can require multi-factor authentication (MFA) at the beginning of a session and then turn that into single sign-on to ease access throughout the user workflow. This was especially helpful for those with elevated access, as they could be strongly authenticated right off the bat.
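The pattern described here (strong authentication once at session start, a session token reused afterwards, and role-based permissions scoped to specific systems) fits in a few dozen lines. The code below is an added example, not the consultancy's or any vendor's implementation; the role catalogue, system names, and the rule that "admin" on a matching system implies every action are assumptions made for the illustration.

```python
"""Role-based access control with MFA enforced up front for elevated roles,
then a single session token (single sign-on) reused for later checks.

Added example, not the consultancy's or any vendor's code. Role
definitions, system names and the "admin implies everything" rule are
assumptions for the illustration.
"""
import fnmatch
import secrets
from dataclasses import dataclass, field
from typing import Dict, Set

# Hypothetical role catalogue: role -> {system-name pattern: allowed actions}.
# Patterns use shell-style wildcards so a developer can own "their own boxes"
# without being granted anything else.
ROLES: Dict[str, Dict[str, Set[str]]] = {
    "consultant": {"crm": {"read", "write"}, "email": {"read", "write"}},
    "developer": {"dev-vm-*": {"admin"}, "ci": {"read"}},
    "ops-admin": {"*": {"admin"}},
}
# Roles that control systems; these must be strongly authenticated at login.
ELEVATED_ROLES: Set[str] = {"developer", "ops-admin"}


@dataclass
class Session:
    user: str
    roles: Set[str]
    mfa_verified: bool
    # The SSO token: issued once at login and presented to every service after.
    token: str = field(default_factory=lambda: secrets.token_hex(16))


def start_session(user: str, roles: Set[str], mfa_verified: bool) -> Session:
    """Authenticate once at the start of the session.

    Anyone holding an elevated role must have completed MFA before a session
    is issued; other users may proceed on their first factor alone.
    """
    elevated = roles & ELEVATED_ROLES
    if elevated and not mfa_verified:
        raise PermissionError(
            f"{user}: MFA required for elevated role(s) {sorted(elevated)}"
        )
    return Session(user=user, roles=set(roles), mfa_verified=mfa_verified)


def authorize(session: Session, system: str, action: str) -> bool:
    """True if any of the session's roles allows `action` on `system`.

    'admin' on a matching pattern implies every action on that system;
    otherwise the action must be listed explicitly. Systems outside a role's
    patterns are unreachable, which is the least-privilege property.
    """
    for role in session.roles:
        for pattern, actions in ROLES.get(role, {}).items():
            if fnmatch.fnmatchcase(system, pattern) and (
                "admin" in actions or action in actions
            ):
                return True
    return False


if __name__ == "__main__":
    alice = start_session("alice", {"consultant"}, mfa_verified=False)
    print("alice crm write:", authorize(alice, "crm", "write"))
    print("alice dev-vm-1 admin:", authorize(alice, "dev-vm-1", "admin"))
    try:
        start_session("bob", {"developer"}, mfa_verified=False)
    except PermissionError as err:
        print("rejected:", err)
    bob = start_session("bob", {"developer"}, mfa_verified=True)
    print("bob dev-vm-42 admin:", authorize(bob, "dev-vm-42", "admin"))
    print("bob ci write:", authorize(bob, "ci", "write"))
```

Note that the MFA decision is made once, in `start_session`, and every later `authorize` call trusts the session rather than re-prompting; that is the "MFA up front, SSO thereafter" flow the article describes. Keep the elevated-role set small and reviewed, since it is the only thing standing between a password-only login and admin on a box.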

Detection & Monitoring
As for detection and monitoring security tools, most large IaaS vendors provide virtual networking capability, which the consultancy tapped for packet capture and analysis. PaaS vendors are used differently, but most provided detailed audit logs of user logins and actions, which the consultancy needed for audit purposes. Some large IaaS vendors also provided additional monitoring alarms to help with pesky things like developers accidentally dropping authentication credentials into public code repositories.
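The credential-in-repository problem mentioned above is also something a team can check for itself before code reaches a public repository. The scanner below is an added example, not the consultancy's tooling or any cloud vendor's alarm; its detection patterns are representative assumptions (an AWS-style access key ID shape, a PEM private-key header, and a quoted password assignment), and the file it scans is constructed for the illustration.

```python
"""Scan text for credentials that should never be committed.

Added example, not the consultancy's or any vendor's code. The patterns
are representative assumptions, not an exhaustive rule set, and the
sample file is constructed (the access key is the documented AWS example
value, not a live credential).
"""
import re
from typing import Dict, List, Pattern

# Detection rules: name -> compiled regex. Assumed shapes for the example.
PATTERNS: Dict[str, Pattern[str]] = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"
    ),
    # A password-like name followed by a quoted literal of 8+ characters.
    "generic_password_assignment": re.compile(
        r"(?i)(?:password|passwd|pwd|secret)\s*[:=]\s*['\"][^'\"]{8,}['\"]"
    ),
}

# Constructed sample: what a careless settings file might look like.
SAMPLE_CONFIG = """\
# constructed sample for the scanner
DEBUG = True
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
DB_PASSWORD = "hunter2-but-longer"
-----BEGIN RSA PRIVATE KEY-----
(key material omitted in this sample)
-----END RSA PRIVATE KEY-----
"""


def redact(secret: str) -> str:
    """Keep only a short prefix so findings can be reported without leaking."""
    return secret[:4] + "****" if len(secret) > 8 else "****"


def scan_text(text: str, path: str = "<memory>") -> List[Dict[str, object]]:
    """Return one finding per match, ordered by line, with the match redacted."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, regex in PATTERNS.items():
            for match in regex.finditer(line):
                findings.append(
                    {
                        "path": path,
                        "line": lineno,
                        "type": name,
                        "match": redact(match.group(0)),
                    }
                )
    return findings


def scan_files(files: Dict[str, str]) -> List[Dict[str, object]]:
    """Scan a mapping of path -> contents, e.g. the staged files of a commit."""
    results: List[Dict[str, object]] = []
    for path, contents in files.items():
        results.extend(scan_text(contents, path))
    return results


if __name__ == "__main__":
    for finding in scan_files({"config/settings.py": SAMPLE_CONFIG}):
        print(f"{finding['path']}:{finding['line']} {finding['type']} {finding['match']}")
```

Wired into a pre-commit hook or a CI step, `scan_files` gives the same signal as a provider-side alarm but earlier, before the push. Findings are redacted so the scanner's own output does not become a second place the secret lives.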

One major challenge for the consultancy was dealing with different cloud environments. Cloud vendors with multiple offerings can have different knobs and gauges for their various services. The consultancy's security operations team would learn how to lock down and monitor something in one service area, only to find that things worked much differently in another.

Then there are the frequent upgrades within the service, which can change the look of a console or add new features. Even within the same cloud provider, it can be like managing security for different applications and environments. This can lead to complexity and security blind spots. It gets even more difficult when there is a mixture of different cloud vendors. To this day, there are likely additional security capabilities that the consultancy hasn’t taken advantage of yet because they haven’t had the time to learn them. To help with this, it’s best to ensure that someone on the enterprise security team attends cloud provider training sessions and conferences.

Compliance: The Last Big Challenge
Commonly, cloud providers certify their platform up to a certain level, and from there you need to deal with the additional risk and compliance requirements yourself. Cloud providers don't cover it all. That boundary, and the responsibility that comes with it, is sometimes misunderstood by newcomers or executives. All too often, a non-technical person will assume that because XYZ Cloud has passed a particular audit, security is done and they can rest. That's almost never the case.

Overall, the consultancy’s journey to the cloud has been a game-changer. The lessons they learned made them a better and more valuable organization for their customers. And their security program has grown stronger.

Raymond Pompon is a Principal Threat Researcher Evangelist with F5 Labs. With over 20 years of experience in Internet security, he has worked closely with Federal law enforcement in cyber-crime investigations. He has recently written IT Security Risk Control Management: An ...