Chief Information Security Officers (CISOs) face the daunting challenge of securing the new world of cloud computing. Organizations feel pressure to rapidly migrate to the cloud, often without fully comprehending the security risks and complexities. In conversations with CISOs across many industries, I’ve noticed a cartoon physics approach to cloud security: The company is running off a cliff at full speed, but leaders are convinced they’ll make it to safety as long as they don’t look down.
My advice: Look down! Enter the cloud with eyes wide open to the reality on the ground. Follow the money, get familiar with cloud security controls, and figure out who in your company owns what.
How we got here
It’s understandable for CISOs to feel blindsided. After all, many of them grew up in the age of the “protect the perimeter” approach to network security. They maintain a checklist view of the world of security: Pick a framework (Cyber Kill Chain, NIST’s Cybersecurity Framework, etc.), follow the playbook, and everything will be as secure as possible.
Then the cloud came along and made those playbooks outdated. The cloud didn’t just change the plays CISOs need to keep a company safe — it changed the game they are playing. The on-premise methodologies CISOs grew accustomed to are no longer relevant. Instead of protecting one in-house perimeter, security leaders must now protect data across federated, shared, virtual infrastructure.
Many of the cloud’s security challenges become apparent only with the benefit of hindsight. So what are they? I’ll outline three areas CISOs should address first when migrating to the cloud.
Follow the money
One of the most effective ways a CISO can get a handle on sanctioned clouds versus dark clouds is to, in the words of Deep Throat, follow the money. See who is spending what, and where.
The typical migration to the cloud happens organically, rather than strategically, as a few employees launch a “test case.” This seems innocuous enough at the time — the expense is incidental, the project isn’t mission-critical, no need to pass it by leadership. The danger comes when the test case expands, or multiplies, over a series of small steps that add up until finance takes notice and raises the red flag.
By definition, this piecemeal approach cuts out planning and governance. The CISO is cut out of the process and unable to shape the company’s approach. And we all know: You can’t secure what you can’t see, which is why it’s called “dark” or “shadow” IT.
CISOs should get comfortable working closely with finance and take part in budget conversations early and often. When finance receives a bill for cloud services, the security team should get a copy. It’s an effective way to identify and map new infrastructure across the different lines of business, because the money is traceable. From there, CISOs can work directly with teams to develop long-term management and governance procedures to secure cloud services.
Understand cloud security controls
If you’re a CISO, or on an IT security team, no doubt you are familiar with traditional security controls. But not all of these controls can easily migrate to cloud environments. Despite this, many companies charge ahead to migrate everything, with a plan of tightening up security later.
For example, if you have an on-premise full packet capture product, it probably doesn’t make sense to move it to the cloud. The same is true for that vulnerability scanner you’ve been using for years and love: Equivalent cloud-specific capabilities are already baked into most cloud platforms, making the migration unnecessary.
As many CISOs have learned, a wholesale transition of security controls from an on-premise environment to the cloud is neither practical nor efficient. This is starting to resonate: 57 percent of CISOs say they expect their cloud security budget to increase in the next 12 months. Security leaders need to figure out their cloud mapping strategy before making the first move. Take an inventory of the tools and solutions that are used on-premises and determine the cloud equivalent. When there is no direct equivalent, it’s the job of the CISO to find the right mitigation.
Identify ownership of cloud infrastructure
Ownership is one of the most important things to get right during a migration to the cloud. Before taking the leap, or even the first step, CISOs should ask, “How is my team going to identify ownership of cloud infrastructure in the platform?”
To address problems with any computer infrastructure, employees need to know who to reach out to for help. For example, if there’s an Amazon Simple Storage Service (S3) bucket that’s insecure, who owns it? Or if there’s an out-of-control virtual machine (VM) that’s eating resources or leaving a sky-high trail of costs, who’s responsible? The VM might need to be scaled down or shut off completely because it’s not properly maintained, or it’s being abused, or it’s been compromised. How do you track down the owner? What if they’ve left the company? Does your firm have a solid mechanism to transfer ownership of cloud assets, when this inevitably happens?
On-premise computing environments have established systems in place: You know that Ralph owns server X in rack Y and is using it with Team A on project B. When the server has a problem — improper patch management, misconfiguration, a possible compromise, and so on — employees know who to contact.
You need the equivalent of that process for cloud infrastructure. That means a good asset tagging strategy to identify ownership, and even better, to identify asset purpose. The purpose is a good indicator of the level of security controls that will need to be applied. You might have stronger authentication in place for systems housing critical data like customer identity, billing, and any personally identifiable information (PII); and a different approach to secure test systems that never house customer data. Bottom line: Anytime a resource gets spun up, it must be tagged.
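As an added example (not from the original article), here is a small Python audit of the tagging rule above: it flags resources missing owner or purpose tags, owners who have left the company, and resources whose purpose calls for stronger controls. The inventory, tag names, purpose categories and staff list are constructed sample data standing in for a tag export from the cloud platform and an HR directory.

```python
"""Audit cloud resources for the ownership and purpose tags the text calls for.

Added example, not from the original article. The inventory and the
employee directory below are constructed sample data; in practice they
would come from the cloud provider's tag export and from HR.
"""
from dataclasses import dataclass, field

REQUIRED_TAGS = ("owner", "purpose")
# Purposes that house customer data and therefore need stronger controls
# (hypothetical category names).
SENSITIVE_PURPOSES = {"customer-identity", "billing", "pii"}


@dataclass
class Resource:
    kind: str            # e.g. "s3-bucket", "vm"
    name: str
    tags: dict = field(default_factory=dict)


# Constructed sample inventory (hypothetical resource and user names).
INVENTORY = [
    Resource("s3-bucket", "cust-records", {"owner": "ralph", "purpose": "pii"}),
    Resource("vm", "test-box-07", {"owner": "maria", "purpose": "test"}),
    Resource("vm", "batch-runner", {"owner": "jdoe"}),       # no purpose tag
    Resource("s3-bucket", "tmp-export", {}),                  # untagged
    Resource("vm", "billing-etl", {"owner": "leaver", "purpose": "billing"}),
]

# Constructed current-employee directory; "leaver" has left the company.
ACTIVE_STAFF = {"ralph", "maria", "jdoe"}


def audit(inventory, active_staff):
    """Return (resource name, finding) pairs for resources needing action."""
    findings = []
    for r in inventory:
        missing = [t for t in REQUIRED_TAGS if t not in r.tags]
        if missing:
            findings.append((r.name, "missing tags: " + ", ".join(missing)))
        owner = r.tags.get("owner")
        if owner and owner not in active_staff:
            findings.append((r.name, f"owner '{owner}' has left; reassign"))
        if r.tags.get("purpose") in SENSITIVE_PURPOSES:
            findings.append((r.name, "sensitive purpose: verify stronger auth"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(INVENTORY, ACTIVE_STAFF):
        print(f"{name}: {finding}")
```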
Your goal as the company security leader is to keep infrastructure running and available, while maintaining appropriate levels of security. Today’s security teams must be proficient in governance — and advocate for it. Be vigilant about setting consistent, reasonable, and enforceable controls across the organization.
Upfront planning goes a long way towards this goal.