As many organizations shift elements of their IT infrastructures to the public cloud, they must be aware of the new risks this move carries. Often, organizations make the false assumption that, in outsourcing the ownership of hardware and data center operations, they have also outsourced security to the cloud service provider.
While this is partially true, since the organization no longer has to deal with physical and infrastructure security, stakeholders remain responsible for compliance, data security, application security and, if they manage their own virtual machines or containers, platform security. The CSP’s documentation of its shared responsibility model explains in more detail where that line is drawn.
A great thing about cloud adoption is that organizations can liberate themselves from capital expenditures and the challenges of securing on-premises infrastructure. As you replace ownership of metal with the consumption of infrastructure and software resources from a cloud provider, you can adopt a mindset of continuous integration and continuous delivery to delight customers with new services at an accelerated pace. However, with CI/CD comes the requirement to consider risk management as a more dynamic issue. Fortunately, an organization’s IT leaders can ask many of the same questions to manage risk in a cloud-based environment as they did when running on-premises hardware, adding a cloud-focused spin:
- What is an acceptable level of risk for the organization?
- What are the biggest risks to the organization’s cloud environment?
- Have IT and security leaders provided up-to-date plans to guide the teams in charge of developing procedures to manage the risks identified?
While IT leaders may be relieved to find that their overarching risk management policies haven’t changed much, they must understand that the organization doesn’t have the same well-defined perimeter that it used to. This means that the organization’s attack surface has broadened for external threat actors and become murkier to internal teams. The organization’s data now resides in the public cloud, posing new risks. A breach could even be due to a CSP’s mistake — but to customers and in the court of public opinion, it’s still ultimately the organization’s responsibility. IT leaders should work with the teams who manage the cloud environment to answer the following questions:
- Where does the organization’s data reside?
- What type of data is it?
- How sensitive is the data?
- How critical is this data to the organization?
Cloud Security Measures
After you’ve revamped your risk management policies and identified where your data resides, assess what controls you have in place to effectively manage the risks you identified. Start by looking at resources such as the Cloud Security Alliance’s Cloud Controls Matrix and the Center for Internet Security’s CIS Controls Cloud Companion Guide to help you prioritize which controls to implement first.
Most important, figure out how to automate and continuously monitor as much as possible, applying the CI/CD mindset so that your cloud security controls evolve along with your changing cloud environment. While tools and services native to the CSP are key, evaluate how third-party cloud security posture management (CSPM) tools may augment them. CSPM features are expanding at an extraordinary rate. They provide visibility into how effectively you’re maintaining compliance in your cloud environment by continuously checking for misconfigurations, which are the most prevalent vulnerabilities that threat actors seek out and attack. Many CSPM tools also enable the automated remediation of misconfigurations, ensuring that the environment maintains compliance with whatever best practices or security frameworks you choose.
In the ever-changing landscapes of public cloud environments, risk management and auditing must adapt at the same tempo. Your risk management lifecycle should monitor and report critical and high risks in real time, which is asking a lot of your staffers, especially if they are cobbling together controls from native and open-source tools.
This is why I invite you to contact my team at CDW, the Cloud Security Posture Assessment team. We will show you how easily a CSPM solution can give you instant visibility. We’ll review critical findings in your cloud environment and focus on configuration without seeing your data. This is a complimentary service that allows you to test drive CSPM dashboards and find out more about trends we’re seeing in cloud security. I look forward to working with you.