The headlong rush into the cloud continues to accelerate, promising increased efficiency, flexibility and security for IT operations. But chief security officers are not off the hook when it comes to fortifying the privacy and security of their organizations’ sensitive data. In fact, quite the opposite is true.
Over the past five years, cloud and security have largely been siloed, but more recently they’ve begun to converge as cloud and hybrid cloud infrastructures have grown in popularity. In addition, new DevOps strategies have created extra layers of complexity in the effort to speed up software releases and improve application quality.
When undertaking a cloud migration, it’s critical to remember that the security controls that work on-premises will not necessarily work in the cloud. A cloud partnership with Amazon Web Services (AWS) or Microsoft Azure can provide high levels of security, so it’s a common belief that by adopting these mega-cloud platforms, IT departments will be more secure than by standing up their own on-premises infrastructure.
While that is usually true of the underlying infrastructure, which the provider secures, any strong security posture still requires oversight of all people, processes and technologies, and the configuration, identities and data that the customer controls remain the customer’s responsibility. Too often, the “people” and “process” categories are the ones companies downplay during a cloud migration. As a result, the most common vulnerabilities sit on the customer-controlled side, not in the cloud backend, because people and processes become the weakest links in the overall security framework.
This is the dirty little secret about cloud migrations – namely, that too many CSOs and IT managers overlook the security fundamentals in the cloud.
Safeguarding the Fundamentals of Cloud Security
In working with clients on cloud projects across different vertical industries, we see the same patterns recur, whether in manufacturing, retail, healthcare, electronics or financial services.
When IT teams stand up a cloud platform on AWS or Azure, they sometimes assume that those cloud partners will ensure the full security of their environments. The provider secures the physical hosts, the hypervisor and the network fabric; the accounts, identities, access keys, configurations and data layered on top are left to the customer. In addition, security pros are often eager to deploy the latest machine learning tools or artificial intelligence systems to tease out behavioral analytics for their customers. But in too many cases, such moves into AI and ML jump ahead of the security basics.
It’s crucial to realize how many people and processes within an organization remain vulnerable to social engineering and other hacking techniques. Passwords can get cracked. Personal phones can get compromised. Authentication controls such as multi-factor authentication might never be enforced, long-lived credentials might never be rotated, or phishing attacks might penetrate security barriers due to human error, not in any way due to failures of AWS or Azure.
Just think back to a simpler time when it was taboo to leave a written password lying around on your desk. That exposure was bad enough when limited to the people you trusted within your own building. Now imagine moving to the cloud, where you might open yourself up to undiscovered botnets running on newly connected IoT devices, or to attackers whose malware opens a backdoor when a user runs an executable or when an employee installs a new application from the Apple App Store. These scenarios are common, which is exactly why they keep security professionals up at night.
Therein lies the real danger of the cloud, which is somewhat like buying a new car but forgetting to lock the doors. Or it’s like stepping outside to take a smoke break and propping open the door to the company loading dock. What is to stop someone from just walking in and taking advantage of such easy access?
For this reason, more attention must be paid to the compliance frameworks that govern the behaviors of people and processes. At the very least, most compliance teams and risk officers could certainly use more funding and bigger teams to track all the relevant regulatory and risk environments which permeate their cloud stacks.
One final point stems from a recent challenge we faced with a client at a major healthcare organization. Their team worked for years to overcome process and compliance deficiencies stemming from a complex mix of managed service providers, cloud providers and in-house systems. What they discovered is that this security challenge has no finish line: it is an ongoing effort, not a project with an end date.
The lesson here is that strong service level agreements (SLAs) cannot ensure ironclad protections against infiltrators. Even when working with trusted cloud partners and reputable MSPs, it is incumbent upon security leaders to perform their due diligence and audit all the work being done under the SLA.
If a breach happens, it does no good to consider it somebody else’s problem: your customers will not care who was responsible for their lost credit card or personal data, and they will rightfully blame your company. Remember that you are not paying managed service providers to give you peace of mind. It is your duty not only to look out for the bad guys, but also to watch the watchers themselves and make sure that everyone does their part to protect your organization’s data in the cloud.