Controls In The Cloud - Moving Over Isn't As Easy As Flipping A Switch
Lift and shift.
While this phrase is not new, it’s now said with regularity in relation to moving infrastructure to the cloud. Providers promise seamless transitions as if you were moving a server from one rack to another right next door. While moving to the cloud can put companies in a more secure position, proper care needs to be taken. Assuming everything is the same can be a fatal mistake, one that is happening on a regular basis.
From a physical security perspective, moving infrastructure to the cloud will almost always be more secure. Large cloud providers place infrastructure in state-of-the-art data centers with top-of-the-line physical security measures. Organizations do not often have the budget, time, or expertise to build their own on-premise data centers to these specifications. I have seen the full spectrum of data centers over the years (umbrellas over server racks as a control to protect from a leaky roof, anyone?). Even the most advanced data centers we see on premise do not match those of the large cloud providers.
What hasn’t changed:
Requirements and basic control concepts have not changed as the proliferation of cloud infrastructure unfolds. User access, change management, and firewalls are all still there. Control frameworks such as COBIT, ISO 27001, NIST CSF, and the CIS controls still apply and have great value. Sarbanes-Oxley controls are still a driver of security practices for public companies.
What has changed:
How the controls of the past are performed has changed upon moving to the cloud. Here are some common examples:
Security administration is more in-depth – Some of the most high-risk access roles in organizations, admin rights are a main target of malicious actors. Handling admin rights in the cloud is different and needs proper due care. Knowing which roles are administrative in nature can be confusing, so it’s important to implement correctly from the start. Separation of duties in relation to key administration and key usage is essential. Having the proper tools to administer access can be daunting. Don’t assume your cloud provider will guide you through all these intricacies; plan ahead.
Perimeter security has changed – While layered security has always been important, it becomes even more important in the cloud. Recently, several news stories have appeared where breaches occur due to things like “containers being exposed to the internet” with a large cloud provider’s name associated. At first blush, I have heard most people blame the cloud provider, but most often these breaches are the cloud customer’s fault. Some important items to think about are proper DMZs for critical and/or regulated data, firewall configurations, and proper restriction of admin rights to those resources.
Securing connectivity becomes more important – Servers and other hardware won’t be sitting down the hall when moving infrastructure to the cloud. Access will almost always be remote, thus creating new security challenges. Understanding all ingress and egress points is essential, as is putting proper controls around them.
Encryption – Encrypting data will be a top concern for many organizations, as the data is now “somewhere else.” The good news is the native encryption tools of many large cloud providers are advanced, and most times data at rest can be automatically encrypted using a strong algorithm. This is a huge step up right off the bat for many companies. Because encryption is so important in the cloud, key management becomes a high-risk control. Policies, procedures, and controls around key management need to be well-thought-out.
Fear not, it’s not all bad!
While some challenges may be present as outlined above, moving to the cloud is most often a great move for an organization. Improved security, improved performance, and cost savings are only a few benefits of a cloud migration. Multiple frameworks exist to provide a secure path to cloud adoption, so organizations are not approaching this “blind.” A cloud security framework can guide you through the process of secure adoption and also provide assurance over cloud adoptions you have already performed.
We are helping clients in all industries with these cloud migrations/adoptions and have some great perspective on dos, don’ts, and best practices. Reach out to us at any time; we are here to help with your challenges – Shane O’Donnell, Chief Audit Executive, email@example.com