Cloud adoption is now ubiquitous in almost all organizations – from the smallest startups to the largest of global enterprises. To maintain relevance, let alone be able to grow in the changing technological landscape, your organization needs to embrace this transformation even with the complexity it entails.
At the same time, cybersecurity risks are ever growing as incentives multiply for malicious actors to steal your data and attack your services. The cloud offers natural security advantages against these threats since major providers can apply massive economies of scale to secure the underlying infrastructure. However, since cloud adoption is massive and because the cloud allows for much greater integration, cloud assets are visible targets with unique vulnerabilities.
Calling cloud security a major challenge is an understatement. But with the most basic of foundations, you can take cost effective steps to make your assets far more secure and far better controlled. Here are five steps you can take to secure your cloud assets:
1. Account for What You Have
Contemporary software and services that an organization may purchase are increasingly offered as a Software as a Service (SaaS) model, and new business missions are more often beginning life in cloud infrastructures since the time from inception to life is FAR faster. Even if your organization has not officially adopted a cloud first policy, or a cloud at all policy, natural growth within your organization will result in you having assets within the cloud. Don’t be in denial, and instead take account of everything your organization is doing in the cloud, even if previous growth was unofficial in the past.
2. Develop a Roadmap
Unsponsored cloud growth within an organization leads to an ad hoc garden of technology weeds. Governance is applied inconsistently and unmonitored security gaps leave wide holes in your organization’s protective front. Instead, develop a comprehensive plan of what new cloud services you will need to purchase and develop a migration timeline for your existing applications. Migration priorities are not always easy to determine but it is generally best to move your least-critical applications first and move the most critical last. While multi-cloud solutions are inevitable in large organizations, limit the number of providers to as few as possible to simplify your environment as much as possible.
3. Divide and Conquer
Infrastructure as a Service (IaaS) is typically provided by vendors in a discrete manner such as a subscription or an account, and you need to get the size and scope of your subscriptions and accounts right for this to be successful. A cloud infrastructure without proper planning can aggregate too many assets in one place, or isolate resources too far apart in a way that makes them ungovernable.
A delicate balance must be achieved between resource integration and resource separation. An organization’s cloud resources should be isolated enough to prevent one accident or one intrusion from harming everything, but at the same time, resources must also be centrally monitored to detect and prevent such failures and attacks.
Scope will be slightly different for each organization, but there are best practices that apply to all. Host each unique function in its own subscription or account such as administrative, security, production, development and test resources. Link accounts only through the minimum needed ports, protocols and endpoint. And, use the administrative and security accounts and subscriptions to centrally control and monitor the rest.
4. Start with Security First
Since working within the cloud inherently means your organization is embracing a newer approach, start fresh and begin with security. Understand what security procedures, configurations and software you will need to implement, and set it up before moving your business workloads. This prudent step will save time overall and cut the costs needed to secure your environment.
Even more importantly, architect your cloud implementation to meet current and future security requirements and regulations. While this step is more work upfront, it will cut development time tremendously overall, lower costs over the long term, and put your organization in a better position to compete or operate in an increasingly regulated environment compared to peer organizations.
5. Prepare for DevOps
Cloud infrastructures, by their nature, require a DevOps approach to realize the associated cost savings. Trying to apply an on-premises mentality to the cloud either fails to realize the economies of scale, or just does not work at all with contemporary deployment pipelines. And don’t think a week long “dojo” training course will fix this problem. If your organization is not currently embracing DevOps — as in, your development and operational teams have an excellent, healthy, and working relationship –then long term investment in and nurturing of this relationship is a must.
A Little for a Long Journey
While these steps to achieve a governable and secure cloud are very basic, even large organizations with millions of dollars to devote towards cloud security often fail to do them. But, if your organization does engage in basic cloud planning and guidance, you will be ahead of even those who prepare less but spend far, far more.
For more information about Telos’ cloud services practice, visit: https://www.telos.com/cloud-services/
The Empower and Protect Blog brings you cybersecurity and information technology insights from top industry experts at Telos.