Well, 2018 is not exactly “early” if you’ve just made the decision to adopt cloud architecture for your business’ infrastructure, storage, and software requirements. Cloud computing has been the most impactful technology upgrade for businesses for more than a decade now. It’s been a leveler of the playing field for all kinds of organizations, right from businesses to government agencies to nonprofits. Finally planning your cloud transition? Better late than never, anyway.
Now that you are planning your cloud transition, it is crucial that you don’t learn your lessons the hard way. Digital security in the cloud context is complicated. Thankfully, there’s reliable information out there to guide you through the cloud transition phase in a manner that doesn’t compromise cybersecurity.
We’ve brought together some of these golden principles, rules, and practices of cloud transition in this guide.
Understand your cloud transition — totally
The nature of the cloud transition your organization undertakes largely determines the kind of risk assessments and security planning you need to do. Most companies prioritize workloads. Organizations tend to keep mission-critical workloads on-premises and move customer-facing applications and analytical engines to the cloud. Also, if you choose multiple vendors, you must consider their security readiness, and how well they all fit into the security hub you want to create for your organization’s IT.
Understand the idea of ‘shared responsibility’
On-premises is a wholly different ballgame compared to the cloud. When you choose a public cloud vendor, you essentially choose a tech partner, which immediately makes “shared responsibility” relevant for you. The responsibility for ensuring digital security always rests with you (the business).
The questions you must be able to answer:
- Is the cloud vendor capable of handling my tech needs?
- Does the vendor understand industry-specific regulatory and compliance frameworks and offer robust security to meet them?
- What sort of mechanisms do I need to take control of the shared responsibility model?
There are no simple answers. However, a good starting point is the Cloud Security Alliance Cloud Controls Matrix (CCM). The matrix helps you take stock of the security problems, questions, and considerations that arise when you move to the cloud.
Critical question of interoperability
When your systems are transitioned to the cloud architecture, the security frameworks that lived all these years on legacy systems move too. The question to be asked is — does the cloud vendor support the same frameworks?
To make the cloud transition successful from a systems security perspective, do not compromise on the granularity of your security controls. Sandboxes, firewalls, SIEMs, and a lot more: the cloud will bring in a completely new galaxy of security controls, systems, and processes. As long as you get your single-pane-of-glass view of all security components, whether cloud or legacy, you’re in control.
Location of data
In public cloud architecture, your organization’s data will be stored on a server where the data of several other companies might also be stored. This creates anxiety for businesses, as commingling of data could spell disaster for them. Though this co-location of data is a core pillar of the cloud architecture, it would be foolhardy to “let it be.”
Instead, you’d do well to talk it out with the vendor. The discussion should focus on getting answers to these questions:
- How does the vendor ensure that your data doesn’t commingle with that of another client?
- How does the vendor ensure that only authorized people have access to the data?
- What does the vendor do to ensure the data remains safe all the while it’s stored in a shared server?
Data regulations in your country are also important to consider here. For instance, some governments require organizations to store certain critical business data only on-premises. Also, there could be geographical restrictions to comply with, pertaining to the server location of the cloud vendor.
Get penetration-testing controls
Most cloud vendors allow penetration testing via APIs. However, it’s important to ask and be absolutely sure of this, because you need penetration testing to be able to ensure the security of virtual containers in the cloud.
Cloud vendors are known to offer tools that help organizations take complete control of penetration testing. The most important ones to check are the cloud access security broker (CASB) and the hypervisor. CASB offers deep-rooted insights into the state and health of your data on the cloud. Hypervisor scales up and automates network functions to offer granular administrative controls as you move workloads to the public cloud.
Think hard about disaster recovery
What if the cloud vendor’s systems suffer a serious downtime? Fiscal penalties are not the end of the discussion here. You need to make sure that your business is prepared and continues to operate even when catastrophe strikes.
- Ask the vendor what business continuity and disaster recovery mechanisms they have in place.
- Ask your internal IT to prepare plan B – that is, disaster recovery without dependence on the cloud vendor.
- Know which workloads you need to provide for as “most urgent” when cloud systems suffer downtime.
- Make offline backups of important data periodically, so that your business managers and executives have the data available to be able to sustain business operations.
Applying DevOps to cybersecurity
Public cloud’s agility is one of the major business cases for organizations to ditch on-premises in favor of cloud. However, if security teams fail to upgrade their practices, they could dilute these benefits. Consider a situation where a developer spins up a server within minutes but then has to wait 10 days for the security team to sign off. To prevent this, companies need to apply DevOps principles to cybersecurity, and make available highly automated security services for the developers.
Security is ultimately up to you
The reality is that the responsibility for the security of your data and applications always rests with you. Even though public cloud vendors offer the most robust mechanisms for security upkeep, you need to stay in control, always. While managing the transition of workloads from on-premises to cloud, make sure you revisit this cloud transition guide and ask the right questions to get the right answers.