Security Isn’t Harder In The Cloud. It’s Just Different.
There are three key areas where the impact of moving to the cloud is most significant:
- The cloud lives outside your perimeter. Efforts to pull the cloud into your perimeter can nullify many of the benefits that brought you there in the first place. You must re-architect user and resource authentication and access control systems, extend or move monitoring systems, and establish additional security controls to address concerns like multi-factor authentication and remote access.
- Horizontal teams have wide access to define security. Agile development has shifted many functions from vertical to horizontal teams, a trend dramatically accelerated by the DevOps and cloud movements. As a result, functions that were traditionally implemented by IT or InfoSec are now being implemented by cross-functional teams that are accountable to product owners. In most cases, the access policies that govern how cloud resources can interact with each other and the outside world are defined by development teams. As a result, the traditional roles of IT and InfoSec must change from implementation to governance and enablement. This need to change catches many mature organizations off guard as the standardized processes and shared infrastructure they have invested heavily in are cast aside for new process and infrastructure built from scratch.
- Integrating into existing security architectures is difficult. Moving workloads to the cloud requires rethinking how those resources will communicate security and audit information back to in-house systems — if they exist at all. The cloud has entirely different security metrics on which to monitor and alert. The perimeter becomes very fluid, requiring tools that monitor your perimeter to be able to dynamically learn what that perimeter is at any given moment. And dozens of different resource types — not just servers and storage anymore — each have unique properties and corresponding best practices that contribute to your overall security posture.
While these are significant challenges, they do not erase the investment you’ve already made in strong security over the years. But they do require a shift in mindset and adapting existing processes. Effectiveness in that shift is crucial. It is rare that security gets the time and budget it deserves, and a cloud migration stretches that even further. Acknowledge this and prioritize relentlessly, avoiding investments in security initiatives that do not directly prevent an attack or reduce the time it takes to detect one.
The following guidelines will help ensure your security efforts are prioritized correctly:
- Empower but use guard rails. It is difficult to constrain a cloud platform to leave power in the hands of InfoSec and IT. Doing so can neuter the effectiveness of a DevOps team. But it is imperative to maintain security posture and enact security controls. The solution is to create guard rails, setting expectations and requirements on your product teams. Invest in processes, tools and governance programs that can support teams without creating undue burden on them. And leverage cloud resources to monitor and enforce those expectations.
- Rethink security monitoring systems. Traditional SIEMs, IDS appliances and other security devices have analogous versions in the cloud, but they’re often even more expensive and offer little additional functionality. Most cloud resources have rich security capabilities built in and in many cases can deliver high-quality security events without the need for additional correlation. Rather than trying to flow all of your cloud resources through a SIEM, leverage the cloud platform’s security monitoring capabilities to their full capability, delivering actionable alerts directly to your incident response tool.
- Automate something, then everything. Because cloud workloads can be entirely defined through code, they lend themselves well to all manner of automation. Security is no exception. Trigger automated responses to unexpected events, such as closing ports, blocking IP addresses or even proactively replacing instances that might have been compromised. The problem with automation is that it is intimidating. The difficulty of knowing where to start causes many organizations to never get started. While relentless prioritization is the maxim of good cloud security, this is an area where just starting somewhere is better than starting nowhere. And it is an area in which your InfoSec and IT teams can help, creating easy-to-adopt security libraries that your product teams can effortlessly wire into their existing code.
- Make security a collaboration. While cross-functional teams are here to stay, standalone InfoSec and IT functions still have a vital role in the cloud. Too often, the dynamic can be combative, with product teams feeling bullied by mandates from disconnected teams that don’t appreciate what they’re dealing with on a daily basis. The only way to overcome this is to make security collaborative, adopting a mindset of empowering teams to have better capabilities without additional burden. Security teams that focus on empowerment become an asset to product teams.
- Avoid cloud security tools and keep your powder dry. There are hundreds of cloud security tools that can solve every niche problem imaginable, usually for a “small” percentage of your overall bill. While many of these tools are not without merit, they’re often entirely unnecessary for teams beginning their cloud journey. Instead, use existing resources where they make sense and focus on good security posture. Leverage your cloud platform’s native security tools and practices to the fullest extent possible. They’re typically free. Additional tools may be appropriate down the road, but save your budget now and wait for the need to more clearly emerge.
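As an added example (not from the article) of the "guard rails" and "automate something, then everything" guidelines above: a Python check that an automated responder could run on a security-group change event, flagging for revocation any rule that opens a sensitive port to the whole internet unless InfoSec has allowlisted that exception, and starting in report-only mode. The event format, sensitive-port list and allowlist are constructed assumptions, not any cloud provider's real API.

```python
from ipaddress import ip_network

# Guard rail owned by InfoSec (constructed values): ports that must never be
# reachable from the whole internet, plus narrowly scoped, justified exceptions.
SENSITIVE_PORTS = {22, 3389, 3306, 5432}
EXCEPTIONS = {("sg-bastion", 22)}  # (group_id, port) pairs a team has justified


def is_world_open(cidr):
    """True for 0.0.0.0/0 or ::/0 (a prefix length of zero)."""
    return ip_network(cidr, strict=False).prefixlen == 0


def evaluate(event):
    """Return remediation actions for one security-group change event.

    Each action names the rule to revoke and why, so the decision is auditable
    whether or not it is applied automatically.
    """
    actions = []
    for rule in event["added_rules"]:
        ports = range(rule["from_port"], rule["to_port"] + 1)
        for cidr in rule["cidrs"]:
            if not is_world_open(cidr):
                continue  # private or narrow source range: within the guard rail
            exposed = sorted(p for p in ports if p in SENSITIVE_PORTS
                             and (event["group_id"], p) not in EXCEPTIONS)
            if exposed:
                actions.append({
                    "action": "revoke_rule",
                    "group_id": event["group_id"],
                    "rule": rule,
                    "actor": event["actor"],
                    "reason": f"sensitive ports {exposed} opened to {cidr}",
                })
    return actions


def respond(event, apply_fn=None):
    """Evaluate the event; apply via an injected callable or only report.

    Report-only (apply_fn=None) is the 'automate something' first step: the
    same logic runs, but a human reviews the proposed revocations."""
    actions = evaluate(event)
    for action in actions:
        if apply_fn is None:
            print("WOULD", action["action"], action["group_id"], action["reason"])
        else:
            apply_fn(action)
    return actions


# Constructed sample event resembling an audit-log entry after a dev team edits a group.
SAMPLE_EVENT = {"group_id": "sg-api-dev", "actor": "dev-team-b", "added_rules": [
    {"from_port": 22, "to_port": 22, "cidrs": ["0.0.0.0/0"]},      # violates guard rail
    {"from_port": 443, "to_port": 443, "cidrs": ["0.0.0.0/0"]},    # public HTTPS is fine
    {"from_port": 5432, "to_port": 5432, "cidrs": ["10.0.0.0/8"]}]}  # internal only
```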