This is the second instalment in a four-part series that highlights what you can avoid, and what to implement so that you can build solid foundations to expand, and work toward extracting the full benefits of the cloud. Last week, we focused on Architecture. This week it is all about Security.
Sub-optimal security in the cloud looks exactly like the security that organisations have been applying to on-premises services for the last 30 years. Security in the cloud is different. For instance, there is no perimeter security by default, so a single development team could mistakenly expose other parts of its organisation to the outside world. Some traditional security practices rely on a one-time audit during the design phase and another audit just before going live. In the cloud, not only is there potential risk throughout the entire interim period, but once the service is live, that risk continues, because configuration keeps changing after go-live.
Another common issue that we see is organisations applying only traditional security controls, for instance checklists and manual reviews. When organisations correctly adopt the cloud, those traditional frameworks need to be supplemented. Whilst some traditional gates are imperative, others risk inhibiting progress.
If you rely on traditional security-control frameworks, typical audit questions you need to answer are:
- What do you have in the cloud, and what controls do you have to secure those workloads?
- What evidence do you have that those controls are working effectively?
Those questions can cause real headaches because they are difficult to answer. So, what does good look like?
Organisations that get it right implement an integrated and automated approach to security. They build security into their pipelines, their environments, and their configuration. Those organisations build their platforms in such a way that their developers cannot break things, because controls exist to prevent them from doing so. They have genuine cloud capability, taking the intent of legacy controls and standards and making them relevant for the cloud. They build security into the design right at the beginning; it is not an afterthought or something they tackle later. They believe that security is everyone’s responsibility and build it into their engineering. By doing so, those organisations achieve an enhanced level of security, visibility, and control.
To ensure that you are getting it right, it is worth asking yourself the following:
- Do you have clear visibility of what your organisation has on the cloud, and visibility of its security and compliance?
- What controls do you have in place, and are these working?
- What skills does your security team need?
- Is your security team adopting a modern cloud-based approach, or are they still applying the same on-premises rules?
The answers to those questions will reveal the areas on which to focus to minimise your security risks in the cloud.
Our next instalment focuses on finance, governance and controls, so that you can operate the cloud in a way that minimises your governance risks and controls your costs. You can view that article via the link below.
Helping you get the most out of the Cloud. Chapter Three: Finance, Governance and Controls