Cloud migration, cloud adoption and cloud-first strategies are top-of-mind business initiatives at many large enterprises. With organizations expecting as much as 80% of their IT budgets to be allocated to cloud solutions, cloud security considerations are front and center. In fact, 47% of organizations that had just begun their cloud journey said security was the primary reason they had not engaged in cloud migration previously. So what should IT teams be thinking about to mitigate risk when moving forward with a cloud migration strategy?
The clearest way to inform a cloud security strategy is simply to ask, “What must we protect?”
One of the cloud’s great benefits is that much of what IT organizations previously managed locally (e.g., service reliability, availability and scalability) is now natively addressed by the cloud service provider (CSP). This native set of capabilities includes specific security protections as well; for example, most CSPs can provide denial-of-service (DoS) protection because of the sheer size of their distributed infrastructure.
Where cloud security can get unwieldy, though, is where management responsibility is shared with another organization. For example, while Microsoft Azure can provide an extremely reliable and secure SQL Server instance, it is incumbent upon the IT organization to write secure applications. SQL injection attacks can still happen if the application does not properly validate input. User credentials, including privileged database administrator accounts, can still be compromised if the organization does not have adequate identity management and privileged access controls.
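To make the shared-responsibility point concrete, here is an added example (not code from the article or from any CSP) showing the application-side half of that boundary: the same customer lookup written with string concatenation, which the database cannot protect, and written with a bound parameter, which it can. The in-memory SQLite database, table and rows are constructed for this illustration; a hosted SQL Server instance would behave the same way with its own driver's parameter syntax.

```python
import sqlite3


def build_sample_db() -> sqlite3.Connection:
    # Constructed in-memory database standing in for a cloud-hosted SQL instance.
    # The table and rows are sample data for this example only.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, tier TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, tier) VALUES (?, ?)",
        [
            ("alice@example.com", "gold"),
            ("bob@example.com", "silver"),
            ("carol@example.com", "gold"),
        ],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    # The application splices untrusted input straight into the SQL text.
    # Nothing the CSP does to harden the database changes what this query
    # means once the string is built, so a crafted value rewrites the WHERE
    # clause. Kept here only to contrast with the parameterized version.
    query = f"SELECT email, tier FROM customers WHERE email = '{email}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, email: str) -> list:
    # Same lookup with a bound parameter: the driver sends the value separately
    # from the statement, so it is always treated as data, never as SQL.
    return conn.execute(
        "SELECT email, tier FROM customers WHERE email = ?", (email,)
    ).fetchall()


if __name__ == "__main__":
    conn = build_sample_db()
    benign = "alice@example.com"
    # A malformed value that, when concatenated, turns the filter into a tautology.
    malformed = "x' OR '1'='1"
    print("vulnerable, benign input:     ", lookup_vulnerable(conn, benign))
    print("vulnerable, malformed input:  ", lookup_vulnerable(conn, malformed))
    print("parameterized, malformed input:", lookup_parameterized(conn, malformed))
```

Running it shows the concatenated query returning every row for the malformed input while the parameterized query returns none, which is exactly the gap the CSP's managed database cannot close on the customer's behalf.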
Thus, the first step to building a cloud security strategy is to focus on those areas of primary and shared responsibility. As noted in our article “Don’t Let the Cyber Skills Gap Slow Your Cloud Adoption,” security management responsibility depends on the type of cloud model used. The following table can help businesses identify what to protect.
Prioritize Efforts by Following the Data
It may be all well and good to know what you must protect, but where should you prioritize your efforts? The common answer offered by most security consultants is to follow a risk-based approach: Assess the risk and likelihood of compromise, and measure impact across various security controls. While a cloud security assessment is always beneficial, businesses can simplify the thinking around a cloud security strategy by following the data.
At the heart of any cloud migration strategy is application data. By focusing on the data and everything the data touches (applications, processes, users, etc.), businesses can form a data-centric cloud security strategy.
Here are some recommendations:
- Encrypt data at rest. This includes both files and data stores. While this is a standard data protection control that should be deployed throughout the IT estate, it is especially important in third-party environments. A breach is bad, but theft of unencrypted data can be catastrophic. Build data encryption into your cloud resource orchestration rather than as a separate post-provisioning step. Consider that RedLock’s Cloud Security Intelligence found the average lifespan of a cloud resource is only 127 minutes, and that 82% of databases in the public cloud are left unencrypted. Ensure your data is encrypted, always, by default, from cradle to grave.
- Own your own keys. Cloud service providers allow you to bring your own key (BYOK), which guarantees that you, and only you, have the ability to decrypt your data. Owning your own keys also enables flexible management, such as segregation of duties for operators and auditors, separate keys per tenant, provisioning, deprovisioning and key rotation. This will require a strategy for key management, including the security and backup of the key management environment itself. Fortunately, most enterprises should already have key management infrastructure as part of their corporate security controls. If yours does not, this is a good place to start.
- Control access to the data. Implement granular access control for your users within your applications. Deploy privileged access management (PAM) for all administrative users, application accounts and service accounts, especially those with access to data. PAM can enforce least-privilege controls, white-list specific commands by user or application, provide a full audit history, and isolate stolen credentials to minimize the impact of a breach. Cognizant’s PAM-as-a-service solution provides automated threat detection with machine learning to detect suspicious privileged access activity. In short, know who has access to which data, and monitor when they access it.
- Monitor everything that interacts with the data. Enterprises with a security monitoring strategy in place can find it difficult to extend monitoring to the cloud, and often rely instead on the CSP’s native threat monitoring. Unfortunately, the CSP’s monitoring is often limited to more general threats, such as network activity between instances, and does not focus on application abuse, user activity, policy misconfiguration or suspicious behavior such as data exfiltration by a compromised account or a malicious insider. At its foundation, a cloud migration security strategy should monitor for threats across any attack path that can intersect with data.
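The two recommendations above, PAM command allow-listing with a full audit history and monitoring for data exfiltration, share the same raw material: the access log. The following added example (written for this page, not Cognizant's PAM service or any CSP's tooling) runs three simple detections over a constructed audit log. The log format, the role names, the admin command allow-list, the bulk-read ceiling and the business-hours window are all assumptions chosen for the illustration; a real deployment would take them from its own PAM policy and data-access baseline.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample audit records standing in for database and PAM session logs.
# Assumed format per line: timestamp actor role action table rows_touched
SAMPLE_LOG = """\
2023-03-01T09:02:11Z alice analyst SELECT customers 120
2023-03-01T09:10:43Z alice analyst SELECT customers 95
2023-03-01T09:15:02Z dba_ops admin ALTER customers 0
2023-03-01T09:20:30Z bob analyst SELECT orders 140
2023-03-01T22:41:07Z svc_report service SELECT customers 250000
2023-03-01T23:05:19Z dba_ops admin SELECT customers 180000
2023-03-02T01:12:44Z dba_ops admin DROP audit_log 0
"""

# Assumed policy values for this example.
ADMIN_ALLOWED_ACTIONS = {"ALTER", "CREATE", "GRANT", "REVOKE", "VACUUM"}  # PAM allow-list
ROW_READ_CEILING = 10_000            # single reads above this are treated as bulk reads
BUSINESS_HOURS = range(8, 19)        # 08:00-18:59 UTC


@dataclass
class AuditEvent:
    ts: datetime
    actor: str
    role: str
    action: str
    table: str
    rows: int


def parse_log(text: str) -> list:
    """Parse the assumed whitespace-separated format; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, actor, role, action, table, rows = parts
        events.append(
            AuditEvent(
                ts=datetime.fromisoformat(ts.replace("Z", "+00:00")),
                actor=actor,
                role=role,
                action=action,
                table=table,
                rows=int(rows),
            )
        )
    return events


def detect(events: list) -> list:
    """Return (actor, finding, detail) tuples for the three monitored conditions."""
    findings = []
    for ev in events:
        # 1. Privileged account running a statement outside the PAM allow-list.
        if ev.role == "admin" and ev.action not in ADMIN_ALLOWED_ACTIONS:
            findings.append((ev.actor, "admin-action-not-allowlisted", ev.action))
        # 2. Bulk read of a data table, a common exfiltration indicator.
        if ev.action == "SELECT" and ev.rows > ROW_READ_CEILING:
            findings.append((ev.actor, "bulk-read", ev.rows))
        # 3. Interactive (non-service) read outside business hours.
        if ev.action == "SELECT" and ev.role != "service" and ev.ts.hour not in BUSINESS_HOURS:
            findings.append((ev.actor, "off-hours-read", ev.ts.isoformat()))
    return findings


def findings_by_actor(findings: list) -> dict:
    """Group finding kinds per actor so a reviewer sees who tripped which rule."""
    grouped = {}
    for actor, kind, _detail in findings:
        grouped.setdefault(actor, set()).add(kind)
    return grouped


if __name__ == "__main__":
    for actor, kinds in sorted(findings_by_actor(detect(parse_log(SAMPLE_LOG))).items()):
        print(f"{actor}: {', '.join(sorted(kinds))}")
```

On the sample data the routine flags the service account's 250,000-row read, the admin account's off-hours bulk SELECT (which also falls outside its allow-list) and the admin's DROP of the audit table, while the analysts' daytime reads and the admin's permitted ALTER pass silently. Note that the bulk-read rule is a fixed threshold here; the behavioral baseline the article alludes to would replace it with a per-actor or per-role norm learned from history.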
Creating a security strategy around your cloud migration initiatives is a complex journey. By building a strategy with data as its focal point, businesses can examine all the processes, people and applications that interact with their data. Using this approach, businesses can develop a successful strategy for what to protect.