It seems like everyone is talking about moving to the cloud these days. The efficiencies, productivity, agility, elasticity, and cost savings all make a compelling case for migrating from traditional private networks and data centers to private clouds and other virtualized instances, and eventually into public and hybrid environments. Because of these advantages, government agencies and private enterprises across industries are all looking at ways to effectively embrace cloud-first strategies.
I attended a security conference just a few weeks ago, and many of the CISOs there said it makes sense to move to public and hybrid cloud solutions. And yet, many of them remain hesitant.
“Have you actually moved from private clouds to public clouds?,” I asked. The answer from many CISOs was the same: “No, we haven’t. Our CFOs tell us it’s the right thing to do, and everyone says they’re doing it, but I don’t know anyone who actually is.”
Of course, many companies are clearly moving to the public cloud, as evidenced by the growth of Amazon Web Services, Microsoft Azure, and other cloud providers. But these CISOs, to a person, all said their greatest concern around a cloud migration is maintaining control of their companies’ data and computing resources.
The irony, however, is that most CISOs and CSOs don’t actually have complete visibility into or control of what’s in their environments today. How many actually have an up-to-date asset management plan? Shadow IT, job/personnel changes, network expansion, and mergers and acquisitions all make it difficult for CISOs to keep up with their environments.
The truth is that while many of us are operating in the blind, we also have this massive need for control.
Still, the pressure for companies to embrace the cloud isn’t going away anytime soon. Let’s look at some factors CISOs and CSOs should consider before moving to the cloud:
Security interoperability: You need to determine whether the security products and frameworks that live on your legacy private networks will be interoperable with those supported by your cloud service providers.
Your ultimate cloud service provider needs to offer the same granular look, feel, and touch of your existing environment. And ideally, you will want to be able to manage its cloud security services alongside your existing security solutions via a single pane of glass: Those next-generation firewalls, sandboxes, SIEMs, and other security services should be as easy and consistent to use in the cloud as they are in your legacy environment.
Commingling of data: A big concern many enterprises have with public cloud services is the commingling of data with that of the cloud provider’s other customers. One of your first questions should be: “How do you ensure that my data is not commingled with others?”
How does the cloud provider ensure that only your team has access to your data? How does the provider ensure the integrity of your data while it is accessed, used, or stored in their cloud environment?
Data regulations: Think about the data you’re moving into the cloud. Is it appropriate to move it into the public cloud? Many countries have strict data sovereignty requirements that do not allow for some types of data to be moved off-premises or to be stored in cloud environments that span geographical or political regions.
Background checks: Ask the cloud provider about the number of employees who have access to your data. Have their professional credentials been verified? Do they go through financial and criminal background checks? Do they go through the same levels of scrutiny that a service provider would provide to a nation-state? How do they ensure that only authorized people can access your data and applications?
Penetration testing: Ask your cloud service provider if they allow penetration testing via API’s. You need to be able to ensure the security of your virtualized container within the cloud service provider’s environment.
As you think about ways to protect your data in the cloud, here are a couple of key tools to look for:
- Think about using a cloud access security brokerage (CASB). A CASB is a security policy enforcement point placed between cloud users and cloud providers that is used to enforce enterprise security policies. A CASB will give you deep insight into the state of your data in the cloud, who’s accessing that data, and what data is leaving the cloud environment.
- The cloud service provider’s hypervisor – the function that isolates operating systems and applications from the computer hardware – is an important piece of their service. The ability of the hypervisor to scale and to automate your network functions helps you ensure you have the same look, feel, and granularity of administration as you move across your private network into a public cloud environment.
All of these questions are important because ultimately, cloud providers aren’t responsible for the security of your data. At the end of the day, the responsibility for the security of your data and applications in the cloud is yours. That’s very important to remember when you’re thinking about transferring risk and moving it to the cloud.
It’s also important to think about the cloud as not being a wholly separate environment. It’s still part of your ecosystem. Look for vendor technology partners who provide unified visibility and management across your traditional private network, data center environment, and private clouds, and potentially, across multiple cloud service providers. Such continuity provides you with a high level of resilience and redundancy, which after all, are the most important factors in protecting your data and applications.