Secure Your Migration to the Cloud
By Gary Miglicco / 15 Jun 2019 / Topics: Cloud
It is indeed possible to achieve a robust security posture in the cloud. But there’s no denying that in many ways, doing so is a lot different than it is on-premises.
Thinking carefully about the following five areas can help any organization achieve the cloud security it requires:
At the earliest stages of developing your cloud migration strategy, think broadly when determining who has a stake in cloud security. In addition to IT, include departments such as legal, procurement, human resources, your program management office, compliance, product development and partners. Having experienced partners and a skilled support staff will be critical to any successful migration strategy. We’d recommend you get them involved as early as possible.
When you migrate to the cloud, security becomes a shared responsibility between you and the cloud provider. All the major providers have documentation that spells out how that responsibility is divided. Read that documentation extremely carefully and determine the impact of each model on your migration strategy and how impacted teams will operate within each.
Having a clearly defined and enforceable data lifecycle strategy, which ensures data is protected in transit and at rest, is one of the most important aspects of any cloud migration. You need to understand what sensitive data you are migrating and leverage the tools and processes to keep it protected, including cloud access security brokers (CASB).
A cloud access security broker, according to Gartner, “is an on-premises or cloud-based security policy enforcement point that is placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as cloud-based resources are accessed.” CASBs are powerful tools because they give you a centralized view of all your cloud resources.
Many IT teams that deploy a CASB for the first time realize that there are many cloud resources in use that they were previously unaware of, some of which may be placing sensitive data at risk. By using CASBs and other tools, you can regain visibility into where data resides and apply the proper safeguards to keep it protected.
Always use multi-factor authentication (MFA) for privileged user access. Without MFA, you’re one stolen password away from a breach. It’s common for malicious parties to embed malware in email attachments and watering hole attacks. Consider single sign-on (SSO) solutions that have multi-factor authentication built in.
For example, an employee with access to sensitive cloud resources may click on a malicious email attachment, not knowing a concealed keystroke logger is also included as part of the download. After the malware is installed, the keystroke logger would then be used to steal their password. Without a second form of authentication, the malicious actor would have everything they need to access the cloud environment.
By adding that second form of authentication for login attempts that are unusual — for example, from a different location or at a different time than is normal for a specific user — you can make it much harder for a malicious hacker to execute a successful breach.
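The sketch below is an added example, not code from the original article or from any SSO product. It combines the two rules above: privileged accounts always get a second factor, and other logins get one when the location or time of day departs from that user's history. The `Login` and `Baseline` structures, the one-hour tolerance and the sample data are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime

@dataclass
class Login:
    user: str
    country: str
    when: datetime
    privileged: bool = False

@dataclass
class Baseline:
    """Summary of one user's past logins (hypothetical structure)."""
    countries: set = field(default_factory=set)
    hours: set = field(default_factory=set)  # hours of day seen before

def build_baseline(history):
    """Fold past successful logins into one Baseline per user."""
    baselines = {}
    for ev in history:
        b = baselines.setdefault(ev.user, Baseline())
        b.countries.add(ev.country)
        b.hours.add(ev.when.hour)
    return baselines

def hour_gap(a, b):
    """Distance between two hours on a 24-hour clock (23 and 0 are 1 apart)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)

def mfa_reasons(login, baselines, hour_slack=1):
    """Return why a second factor is required; an empty list means it is not."""
    reasons = []
    if login.privileged:
        reasons.append("privileged account")
    b = baselines.get(login.user)
    if b is None:
        # No history to compare against: treat as unusual rather than trusted.
        return reasons + ["no login history"]
    if login.country not in b.countries:
        reasons.append("new location")
    if min(hour_gap(login.when.hour, h) for h in b.hours) > hour_slack:
        reasons.append("unusual time")
    return reasons

# Constructed sample history, not taken from any real environment.
HISTORY = [
    Login("alice", "US", datetime(2019, 6, 10, 9, 5)),
    Login("alice", "US", datetime(2019, 6, 11, 17, 40)),
    Login("bob", "DE", datetime(2019, 6, 10, 23, 15), privileged=True),
]
BASELINES = build_baseline(HISTORY)
```

A login from a user with no history is challenged rather than waved through, so a newly created or rarely used account does not bypass the check.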
Tools rationalization is often overlooked during cloud migrations. Don’t assume that tools that work well in on-premises environments will be as effective in the cloud or vice versa.
Taking the time to understand the many cloud-native security offerings provided by the cloud provider’s services and how they will play into your security tools strategy could pay big dividends. For example, the major cloud providers have sophisticated logging and monitoring capabilities built into their platforms. These can help you understand exactly who has done what in your cloud environment — a critical component of security incident response and resolution.
While it’s smart to augment cloud-native security tools with third-party offerings for complete protection, don’t overlook tools you can get directly from the cloud provider.