Working in information security is sometimes an arduous and thankless task. By the time people have a grasp of basic security best practices, the landscape has shifted and those same tools and techniques no longer work—at least not as effectively. That is the scenario we now face when it comes to cloud security. Organizations are rushing to take advantage of the cost and operational benefits of cloud computing, but many don’t understand that their security must be adapted as well.
I spoke with Tom Conklin, head of security and compliance for Vera, about these challenges. Tom explained that there are a number of issues organizations face when it comes to securing cloud servers and applications.
1. Finding the right skillset
Securing cloud services takes a different skillset than securing a traditional IT environment. Most organizations still have legacy systems and on-premise architecture to protect as well, but they must also be aware that new capabilities and processes are necessary to effectively secure servers, apps, and data in the cloud.
2. Perimeter? What perimeter?
Repeat after me. The perimeter is dead. Tom paraphrased hockey legend Wayne Gretzky, stating that most organizations are skating to where the puck is right now rather than where it’s going to be. In the case of the network perimeter, it would be more like skating to where the puck was a couple minutes ago. You can no longer rely on the perimeter. With mobile devices and cloud services it’s virtually impossible to say where the perimeter would be or what is “inside” or “outside” of the perimeter. Tom stressed that companies need strong identity and access management to ensure only authorized users gain access to services and data in the cloud.
3. Unique cloud security concerns
One of the hallmarks of the cloud is the use of virtualization, DevOps, and containers. Tom told me, “The idea of cloud servers and cloud services is to be able to quickly spin up new resources.” These technologies and practices lead to a significantly more dynamic and rapidly-evolving environment, with assets that are—by design in most cases—exposed to the public. Organizations need cloud-native tools to help identify configuration issues and unnecessary exposure in the cloud.
4. Vendor management and risk assessment
With cloud servers and services also comes greater interconnectivity and integration. There is risk from the cloud service provider, and risk introduced as your servers, apps, and data connect with third-party services and databases through APIs. Organizations need to get better at vendor management and risk assessment to determine how these relationships expose them to risk and what can be done to mitigate it.
The bottom line is simple: the security concepts and baseline best practices you’ve been using for your legacy assets and local network infrastructure won’t cut it for the cloud. As you move your servers, apps, and data to the cloud to take advantage of its agility and scalability, you also need to rethink your security posture to consider that agility and scalability as well.