Using the cloud can bring many business benefits: speeding IT deployment, improving productivity, providing financial incentives, and overall agility. However, it also creates new attack surfaces, exposing the entire organization to security threats.
The use of cloud services keeps growing. In 2017, two-thirds of companies were already using cloud computing (compared to 54 percent in 2015). At the same time, network environments are becoming more complex: modern IT infrastructures use both private cloud and public cloud storage platforms to meet the demands placed on IT.
Public cloud and private cloud services pose challenges, especially for the Chief Information Security Officer (CISO). The CISO needs to keep pace with new technology and engage multiple vendors to meet the diverse needs of each department, all while taking into account the associated security risks to the business. IT security managers are aware that achieving corporate goals depends on adherence to security policies across all levels of IT, including the cloud. For this, it is important to observe general best practices.
A further problem is that cloud services are often deployed without the knowledge of the IT department, circumventing security policies and endangering enterprise security. A Gartner study indicates that by 2021, 27 percent of all corporate traffic will bypass traditional security controls and flow directly from mobile and handheld devices to the cloud. This gives CISOs sleepless nights and makes their job of securing and managing the use of different clouds across the enterprise complex and a test of patience. To make things even more complicated from a security perspective, many CISOs lack the insight into the company's networks and clouds that they would need to identify and address risks.
What challenges do CISOs have to face in order to assess the security risks associated with moving to the cloud and, if necessary, provide appropriate controls?
Increase visibility
While most companies already use private cloud, public cloud or hybrid networking technologies, one of the biggest challenges facing CISOs is the limited visibility they have into cloud environments. This lack of transparency and clarity is also due to the often unclear responsibilities for the virtual infrastructure in public cloud services, which in many companies is managed by different IT teams. The use of public clouds makes networks ever larger, more complex and subject to constant change. Therefore, security policies are needed that do not stop at platform and technology boundaries.
For IT security experts, cloud security is a continuous process. For many organizations, getting the same visibility into cloud-based workloads that they are used to from traditional networks is more difficult. Proper management of data is key: CISOs should know where information is shared and stored, and which cloud services the company uses. For example, while one department uses Dropbox, another could use collaboration tools like Slack to share files. Regardless of who collects the data or where it is stored, services such as file storage and file sharing must be well documented and protected, given the requirements and penalties for non-compliance with the EU General Data Protection Regulation (EU GDPR).
Companies often choose to migrate their on-premise systems to the cloud over time, a kind of toe-in-the-water approach to adopting a public cloud platform, or they migrate to a private cloud (or hybrid network) to maintain a supposedly higher degree of control. Regardless of the choice of cloud provider, one problem is that cloud migration adds complexity to enterprise networks. The transparency and control of the networks are further complicated by increased east-west traffic. The aim must be to manage these platforms seamlessly and together, avoid disruption to business-critical applications, and simplify the administration of the different tools involved.
Without proper insight, CISOs will not be able to enforce consistent measures to mitigate risk. Traditional security controls, such as firewalls and intrusion detection systems, work effectively within an organization's own four walls, but continuous administration becomes difficult as additional tools are added for cloud usage. It is essential to have an overview of, and management across, the whole network through a single console, so that organizations can overcome the lack of visibility and transparency that is often associated with cloud usage. In addition, they can simplify the management of security policies across multiple tools to reduce risk and ensure compliance with corporate policies.
Visibility can also be improved by risk-assessing the cloud services in use. This should include an assessment of whether a particular service has recently been affected by a data security incident, whether data is encrypted, and whether the system is being patched and configured to counter complex threats.
As part of the process of moving data from a company's internal systems to the cloud, organizations need to scrutinize how the data is stored in order to comply with laws and industry regulations. This raises a whole series of questions for security experts: Where is the data stored? Who is responsible for it? Who has access to it, and can that access be controlled? How secure is the cloud platform, and has it been configured effectively and securely?
The types of data that organizations use vary – intellectual property, billing information, personal information – and each data type must meet specific regulatory requirements. For example, the Payment Card Industry Data Security Standard (PCI-DSS) is a proprietary information security standard for companies that handle card data. Especially with regard to the EU General Data Protection Regulation, data must be classified, and organizations must understand what data is in the cloud and what retention requirements exist. Organizations also need to know how and where data is protected and secured, and who can access it.
Regain control
The complex IT environments that CISOs manage today involve many different endpoints, including mobile devices, smartphones, tablets, and desktops. End users choose different cloud providers, and many of the features that make cloud-based applications so attractive, such as synchronization, sharing, and ease of collaboration, at the same time expose businesses to the risks of cloud use.
To secure these hybrid environments, CISOs should gain control over the security configurations of the cloud. Best practice means developing a single security policy based on a detailed snapshot of the entire network, the definition of the data types involved and the specification of the appropriate measures. When companies can quickly and adequately implement policies, regardless of the environment, they gain both control and agility.
Organizations and companies should control who has access to specific records. If an employee leaves the company, it must be ensured that their access authorizations are revoked, because otherwise there is a risk that former employees still have access to information stored in the cloud.
Organizations need an uncomplicated way to bring together infrastructure, people and processes. A single interface that can manage security policies and configurations across the network is the answer. As cloud use grows, it is important for organizations to follow best practice to make the cloud experience as safe and pleasant as possible, because the unpleasant alternative is to leave infrastructures unprotected against security threats.