Compliant and safe
The pandemic-related shift to telecommuting would hardly have been feasible without the cloud, which allows employees to access data and services anytime, anywhere. Nevertheless, many companies are still faced with the challenge of using and managing their cloud infrastructures in a security-conscious manner.
A study commissioned by Tenable and conducted by Forrester Consulting found that before the pandemic, 31 percent of business and security managers had moved mission-critical functions to the cloud and 48 percent had moved non-critical functions. The pandemic has accelerated this shift: 20 percent of respondents will move mission-critical functions to the cloud over the next two years.
According to Tenable, several key challenges underscore the need for a security-oriented strategy in the cloud. Because cloud solutions are highly dynamic from the outset, the traditional security perimeter, which holds only when IT systems are operated entirely on-premises, no longer applies. Another aspect is the critical nature of the resources that run in the cloud.
The cloud is becoming an integral part of supply chain technologies, the Internet of Things (IoT), artificial intelligence (AI) and infrastructure-as-code (IaC) as the world rapidly shifts towards “everything-as-a-service”. At the same time, the threat landscape is evolving rapidly. The ease with which cloud technologies connect devices, data streams and data brings with it a larger attack surface. As a result, a company’s security posture can no longer be merely reactive. Limited visibility into cloud technologies sits alongside the obligation to comply with data protection requirements. This calls for a shift from a perimeter-based security approach to a data-driven one that at the same time delivers a proactive, holistic, consistent and dynamic security program. Switching cloud providers can also be difficult, as it can lead to performance, compatibility and security complications.
In general, a successful cloud migration spans a variety of dimensions, including policies, compliance requirements and the overarching risks to processes and procedures. Each of these elements must be taken into account in order to manage data, processes and resources effectively while still allowing the company to operate cost-consciously.
There are three key areas to consider in order to mitigate the blind spots in the field of cybersecurity caused by migration to the cloud.
1. Carrying out a risk assessment
When moving to the cloud, companies adopt a shared responsibility model. Both the cloud provider and the cloud customer carry security obligations, divided according to the deployment model (i.e. IaaS, PaaS or SaaS). A cloud risk assessment helps to evaluate and avoid unrecognized or new risks arising from the migration of systems and data. The goal is to identify all potential risk areas and weigh them against business requirements in order to arrive at an acceptable level of risk tolerance for each area.
The risk analysis covers the risk posed by cloud providers and potential vendor dependency, the risks arising from a loss of governance, and compliance requirements. These areas are critical in a cloud environment, and each has its own sublist of associated risks, such as technical risks, costs, resource allocation, operational processes and procedures, security, and legal restrictions.
2. Cloud Security Governance
Cloud security governance involves building models for effective security operations in the cloud that help managers understand security risks and reduce them step by step, so as to achieve strategic alignment and value creation while promoting a security-conscious culture. This includes aligning business objectives with the security investments that are mandated. Progressive risk reduction, which is equally important, is achieved through security initiatives that are implemented and monitored with a view to sustainable performance. Appropriate role management and the allocation of resources for security initiatives complete the picture.
The path to appropriate cloud security governance depends on a company’s relative maturity level. At the very least, it should consider security investments as part of overarching business goals and strategic direction, as well as establish measurable security initiatives for risk mitigation, value creation and performance. It is also important to ensure adequate staffing and know-how for the implementation of security initiatives and measures.
3. Carrying out a data protection impact assessment
Carrying out a Data Protection Impact Assessment (DPIA) can help to mitigate risks by identifying and addressing high-risk scenarios before data processing takes place. Although a DPIA is required by law under certain conditions, it is worthwhile regardless of the legal provisions. It can help to maximize compliance with security and data protection best practices and thus minimize potential liability risks.
Best practices for handling data include removing personally identifiable elements from the data as far as possible. A strategy to identify and address critical vulnerabilities is also needed to reduce the risk of data breaches. It is also advisable to clarify with cloud providers what support they offer in the event of an incident, so that the company is well prepared for possible cybersecurity events.
In addition to the above, logging and monitoring are important components of effective cloud security, and they become even more important once an incident occurs. Cloud providers should be judged on the terms they offer for accessing and managing logs. Security teams also need a continuous monitoring strategy so that they can proactively assess the environment and react quickly to abnormal behavior.
Regular vulnerability assessments and automatic remediation measures
The focus areas discussed above barely scratch the surface of the countless security implications of cloud migration and deployment. While organizations have found that a “lift-and-shift” strategy is an effective way to migrate applications, services, and data to the cloud, this approach does not work for cloud security. Instead, according to Tenable’s experience, companies need an overarching and proactive strategy for securing cloud applications and services that begins long before the migration itself.
Effective cloud security requires a holistic approach that includes due diligence on all third-party providers, de-identification of data and the creation of reasonable SLAs. All managers, not only security experts but also IT and business managers, must proactively treat cybersecurity as a fundamental prerequisite for the continued existence of their company. The key to a successful cloud security strategy lies, in particular, in regular vulnerability assessments and automatic remediation measures.