How to craft a cloud security strategy
When it comes to cloud, it's no longer a case of 'should we?', but 'how do we?'.
Businesses across the board are trying to move away from legacy environments that constrain innovation and agility to a cloud environment that creates new IT abilities quickly and effectively.
So says Jared Naude, software engineer, Cloud Security at Synthesis Software Technologies, who spoke about 'Securing workloads in the cloud' at the ITWeb Cloud Summit, held this week at The Forum in Bryanston.
Many organisations only see the end goal of being in the cloud and utilising DevOps techniques, but they don't think of the investments and journey they need to take their organisation through, he says.
"This results in problems. Organisations should start with a good strategy, then rally the rest of the organisation to get their mindset in place. Once that has been done, they can then operationalise and support the environment that has been built. And it doesn't end there - the business also needs to think about the next service it wants to create."
The beauty of cloud, he says, is that it provides a platform for organisations to experiment with new processes and technologies, and, if they don't work, kill them and stop paying immediately.
There are challenges with multi-cloud strategies, he explains. "Many organisations struggle to fully operationalise a single cloud platform due to the lack of skills inside the business."
This is compounded when trying to operationalise multiple platforms - the complexity increases dramatically as specialised knowledge for each platform is needed.
Before embarking on a cloud journey, Naude advises businesses to make sure the mindset and organisational culture are correct, use cloud-native services and tools, and employ best-practice frameworks from their cloud provider.
"Make sure everything is encrypted. Avoid single points of failure. Ensure scalability and choose the right database solution. Finally, automate as much as possible."
In addition, he says businesses are not taking into account the new risks that cloud poses, and they are not adopting an appropriate threat model.
Trying to secure multiple cloud platforms has its challenges from a strategy perspective. "Do you use common tools for all platforms or do you use native services and complement as required? Do you have a set of standards for all environments regardless of platform?"
Businesses need to define security capabilities, he says. "The most common are endpoint protection, and endpoint detection and response; SIEM (security information and event management); GRC (governance, risk and compliance); privileged access management (PAM); data loss prevention (DLP) and cloud access security brokers."
Naude says when implementing tooling for hybrid architectures, the operational impact of such decisions - regarding which tools should span both environments - needs to be carefully considered. Some try to put in too many, but due to a lack of skills can't manage them all. If the tools are not cloud-ready, you will run into a number of problems, he warns.
"Expanding on-premises tools into the cloud is not always a good idea due to the limitation of how some products work. Not all tools translate well to a cloud environment."
In addition, application and security teams want to have a single pane of glass to correlate events during an incident, but what is the best way to achieve this?
According to Naude, it's important to get the basics right first: logging and monitoring; identity and access management; data protection at rest; unified access management. And of course, have a back-up and recovery plan in place, and make sure servers are patched and running up-to-date software.