Whether you are a CISO actively pursuing a cloud security transformation or a CISO supporting a wider digital transformation, you are responsible for securing information for your company, your partners, and your customers.
Enabling a successful digital transformation and migration to the cloud by executing a parallel security transformation ensures not only that you can manage risks in the new environment, but also that you can fully leverage the opportunities cloud security offers to modernise your approach and net-reduce your security risk.
To secure your organisation from cloud transformation risks, CISOs should focus their efforts on the following 6 major areas:
Build and sustain a security culture that transcends all deployment and technology models
Cloud adoption offers the CISO both opportunities and risks. A significant business driver for cloud adoption is to accelerate development and time to market, with less time to each release and between releases. Cloud also gives organisations the option to partially outsource some roles, for example hardware and network architects. It offers organisations the option to dispense with legacy perimeter-based security models and embrace new security paradigms such as Zero Trust. Speed and simplicity should not come at the expense of security. Regardless of model, driver or paradigm you need an appropriate security culture. The following principles are universally applicable, in the cloud, on premise or hybrid:
- Secure by design, secure by default
- Follow a risk based approach
- Security is your responsibility, not someone else's
- Everyone needs to be security and risk aware
- It's not a question of if but when you will have a security incident
- You need a structured and sustainable approach to security
- You need a continuous improvement mind-set
- Don’t reinvent the wheel – use existing frameworks, standards, controls such as ISO27001, NIST, Cloud Security Alliance (CSA) and Common Controls Framework (CCF)
Research and verify your cloud provider's capabilities and collaborate
Understanding a cloud vendor's in-cloud security capabilities is important both for cloud vendor selection and for your strategy to secure your services in that particular tenancy. It is safer to assume your cloud provider does not provide the security controls you require until your due diligence activities prove otherwise. You need to consider the basic security functionality of the vendor, e.g. access controls, authentication, encryption, etc. You should consider the vendor's security philosophy, e.g. whether it is secure by design and secure by default. You also need to review features such as data retention and backup plans, disaster recovery capabilities, and data residency options. You should assess the vendor's commitment to security in terms of their current and historic investment, their security innovation, the maturity and rating of their own in-cloud security features, and their partnerships and alliances. Just because a vendor has a cloud-native security technology baked into their cloud offering does not mean that that particular security technology is good or effective. So look to truly independent ratings and assessments of security technologies to select the most appropriate technology and vendor for your cloud security needs. Be careful of "security awards" type ratings: the commercial operations behind some of these awards can compromise the independence and objectivity of their assessment or review content.
Understanding the responsibilities your cloud providers have, and the responsibilities you retain, is important. Equally important are the methods you will use to assure that both parties meet those responsibilities, including working with your cloud service provider to consume their solutions, updates and best practices so that you and your provider have a "shared fate".
Review carefully the cloud vendor's policies, service level agreements and contracts with respect to security. Consider security across the whole cloud lifecycle, e.g. selection, proof of concept, on-boarding, BAU operation, change management, crisis management and exit.
Major cloud vendors typically no longer allow customer-specific due diligence such as a security audit or penetration test of the provider's own services. Organisations typically need to rely on accreditations and on 3rd party security audit and testing reports commissioned by the vendor. CISOs need to satisfy themselves that these are adequate in scope, frequency and completeness for their needs, covering not just certification compliance audits and penetration tests but also disaster recovery tests, customer service audits, incident response reporting, etc.
Focus on security management and inter-operability
Most organisations will have multi-cloud and hybrid cloud solutions. You need to be able to manage your cloud estate from a security perspective, both operationally and economically. Best of breed, cloud-native, vendor-specific and highly innovative security solutions rapidly lose their value and security effectiveness to a CISO if they cannot be easily managed and cannot interoperate with other security technologies and security management solutions. Where feasible, organisations are striving for "single pane of glass" visibility and a single, or small number of, policy management, security administration, security operations, reporting, monitoring and response solutions. Given factors such as increased risks, more threat actors, rising incident costs, more sophisticated attacks and cyber security skills shortages, organisations are also looking for increased security automation and automated response. Disruptive solutions that don't neatly fit these requirements need to be critically assessed to see whether the disruptive or innovative nature of that security solution adds enough value to justify the extra security management overhead that the CISO and their staff are likely to incur in using it.
Transferring security risks
As services are moved into infrastructure as a service (IaaS) hosting models, the business assumes less direct risk regarding hardware provisioning. The risk isn't removed; instead it is transferred to the cloud vendor. If the cloud vendor's approach to hardware provisioning provides the same level of risk mitigation, in a secure and repeatable process, the risk of hardware provisioning execution is removed from corporate IT's area of responsibility and transferred to the cloud provider. This reduces the overall security risk that corporate IT is responsible for managing, although the risk itself should still be tracked and reviewed periodically.
As solutions move further up the stack to incorporate platform as a service (PaaS) or software as a service (SaaS) models, additional risks can be avoided or transferred. When risk is safely moved to a cloud provider, the cost of executing, monitoring and enforcing security policies or other compliance policies can be safely reduced as well. CISOs need to assure themselves of the competence, capability and risk management of the vendors, as well as the details of the contracts, service levels and insurances, in order to ensure that these risks are actually transferred and managed rather than merely assumed to be.
Focus on knowledge, skills and quality assurance to minimise Cloud Security misconfiguration risks
Rapid adoption of new cloud services, multi-cloud and shadow IT, coupled with rolling cloud development and release cycles, increases the likelihood of cloud misconfigurations that can compromise your security. According to the Fortinet 2021 Cloud Security Report, 67% of surveyed cybersecurity professionals stated that misconfigurations remain the most significant cloud security risk facing their companies. When a user or team specifies settings that fail to provide adequate cloud data security, attackers can exploit those misconfigurations to compromise or steal data. Misconfigured cloud-based resources create risks for critical environments that can result in unexpected costs and disrupted services.
Ease of purchase, and the apparent ease and speed of deployment and configuration, often mean that your own or 3rd party administrative or development resources are not adequately trained or experienced in designing, deploying or operating appropriately hardened services.
Threat actors increasingly target misconfigurations as part of their attacks: a single exposed storage bucket, over-permissive identity role or open administrative port gives them an initial foothold from which they can move laterally within an organisation's infrastructure. This should be top of mind for CISOs as they look to secure their organisation's cloud environments.
To address this CISOs should focus on ensuring that:
- You use an appropriate secure systems development lifecycle (SSDLC) to risk-assess and specify security requirements, to ensure secure design and secure by default deployments and changes, and to ensure that quality control and testing cover security as well as functionality and performance.
- Your own and any 3rd party resources involved in the design, deployment, development, administration and support of cloud services have appropriate security, secure administration, secure development and secure support skills and experience for each of the relevant cloud vendors that they service. Most vendors offer a range of accredited training for the architecture, design, administration, development, operations, support and security of their cloud services. Ensure resources have appropriate accreditation, but also look at their experience and their performance against service levels, including security service levels.
- You perform regular audit and testing before deployment and during operation to identify and remediate security weaknesses and misconfigurations.
- You deploy appropriate security technologies and controls, including 3rd party solutions, commensurate with the remediation of identified risks.
- You perform regular security operations such as security monitoring, vulnerability management, security auditing, backup and disaster recovery testing etc.
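The pre-deployment audit step above can be made concrete as a policy-as-code check: a small script that walks an inventory of the resources about to be deployed and flags the misconfigurations attackers most often exploit (world-readable storage, administrative ports open to the internet, publicly reachable databases, missing encryption or backups), then fails the pipeline when a high-severity finding is present. The example below is added here for illustration and is not code from Ward Solutions or from any cloud vendor's tooling; the inventory format, resource types, field names and severity thresholds are all assumptions chosen for the example, and the sample inventory is constructed, not real data. In practice the same logic would run over the output of your infrastructure-as-code plan or of the vendor's configuration export.

```python
"""Pre-deployment cloud misconfiguration check (added example, simplified schema).

The resource schema below is an assumption for illustration only; it is not any
vendor's real API or the output format of any real tool.
"""
import ipaddress
from typing import Callable, Dict, List

# Constructed sample inventory (not real data). Each resource carries a "type"
# and a few settings in the simplified schema assumed for this example.
SAMPLE_INVENTORY: List[Dict] = [
    {"id": "bucket-logs", "type": "object_storage", "public_read": False,
     "encryption_at_rest": True, "versioning": True},
    {"id": "bucket-exports", "type": "object_storage", "public_read": True,
     "encryption_at_rest": False, "versioning": False},
    {"id": "sg-web", "type": "security_group",
     "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}, {"port": 22, "cidr": "10.0.0.0/8"}]},
    {"id": "sg-bastion", "type": "security_group",
     "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}, {"port": 3389, "cidr": "::/0"}]},
    {"id": "db-main", "type": "database", "publicly_accessible": True,
     "encryption_at_rest": True, "backup_retention_days": 0},
]

# Ports that should never be reachable from the whole internet (SSH, RDP).
ADMIN_PORTS = {22, 3389}


def _finding(resource_id: str, rule: str, severity: str, detail: str) -> Dict:
    return {"id": resource_id, "rule": rule, "severity": severity, "detail": detail}


def _is_world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0; an unparseable CIDR is treated as open (fail closed)."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return True


def check_object_storage(r: Dict) -> List[Dict]:
    out = []
    if r.get("public_read"):
        out.append(_finding(r["id"], "public_read", "high", "bucket is world-readable"))
    if not r.get("encryption_at_rest"):
        out.append(_finding(r["id"], "unencrypted_at_rest", "medium", "no encryption at rest"))
    if not r.get("versioning"):
        out.append(_finding(r["id"], "versioning_disabled", "low", "no object versioning"))
    return out


def check_security_group(r: Dict) -> List[Dict]:
    # Only administrative ports are flagged: 443 open to the world on a web
    # tier is expected, 22 or 3389 open to the world is not.
    out = []
    for rule in r.get("ingress", []):
        if rule.get("port") in ADMIN_PORTS and _is_world_open(rule.get("cidr", "")):
            out.append(_finding(r["id"], "admin_port_world_open", "high",
                                f"port {rule['port']} open to {rule['cidr']}"))
    return out


def check_database(r: Dict) -> List[Dict]:
    out = []
    if r.get("publicly_accessible"):
        out.append(_finding(r["id"], "publicly_accessible", "high", "database reachable from internet"))
    if not r.get("encryption_at_rest"):
        out.append(_finding(r["id"], "unencrypted_at_rest", "medium", "no encryption at rest"))
    if r.get("backup_retention_days", 0) <= 0:
        out.append(_finding(r["id"], "no_backups", "medium", "backup retention is zero"))
    return out


CHECKS: Dict[str, Callable[[Dict], List[Dict]]] = {
    "object_storage": check_object_storage,
    "security_group": check_security_group,
    "database": check_database,
}


def audit(inventory: List[Dict]) -> List[Dict]:
    """Run every applicable check; unknown resource types are reported, not ignored."""
    findings: List[Dict] = []
    for r in inventory:
        check = CHECKS.get(r.get("type", ""))
        if check is None:
            findings.append(_finding(r.get("id", "?"), "unknown_type", "info",
                                     f"no check for type {r.get('type')!r}"))
            continue
        findings.extend(check(r))
    return findings


def gate(findings: List[Dict], fail_on=("high",)) -> bool:
    """Return True if deployment may proceed, i.e. no finding at a blocking severity."""
    return not any(f["severity"] in fail_on for f in findings)


if __name__ == "__main__":
    results = audit(SAMPLE_INVENTORY)
    for f in results:
        print(f"[{f['severity']:<6}] {f['id']}: {f['rule']} ({f['detail']})")
    raise SystemExit(0 if gate(results) else 1)
```

Run as a pipeline stage, the non-zero exit code blocks the deployment until the high-severity items are fixed, while medium and low findings are recorded for the operational review cycle the list above calls for. The same checks re-run on a schedule against the live estate catch drift introduced by console changes after deployment.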
Evolving your security architecture and how security roles are performed
In addition to working with new collaborators in your cloud service providers, your security organisation will also change how it works from within. While every organisation is different, it is important to consider all parts of the security organisation, from policies and risk management to security architecture, engineering, operations and assurance, as most roles and responsibilities will need to evolve to some extent. There will most likely be a need to acquire new security skills rapidly. Your security models and frameworks may also need to change, e.g. adopting DevSecOps to reflect the shortened release cycles and new deployment models. Similarly, there are new security paradigms such as Zero Trust, cloud-native SIEM/XDR with integrated SOAR, and adaptive authentication that you may wish to exploit in your cloud services.
Some of these paradigms may be adaptable across your multi-vendor and hybrid environments and may therefore result in a paradigm shift across your whole digital estate. Some may not, and you may then need to operate different paradigms in different environments and manage user and customer experiences, as well as administrative, operational and support models, accordingly.
Your transformation to cloud security is an opportunity to rethink your security-operating model. How should security teams work with development teams? Should security functions and operations be centralized or federated? As CISO, you should answer these questions and design your security-operating model before you begin moving to the cloud. Our whitepaper helps you choose a cloud-appropriate security-operating model by describing the pros and cons of three approaches.
Each organization’s cloud strategy is tailored to its own needs, meaning that no one-size-fits-all approach to security exists. Most companies use more than one cloud service provider to mitigate the potential for a single-point-of-failure.
For example, organisations may use different cloud providers for:
- Data backup
- Application resiliency
- Disaster recovery
- Global coverage
Supporting this, the Fortinet cloud security survey found that:
- 73% of organisations are pursuing a multi- or hybrid cloud strategy
- 33% of organisations are running more than half of their workloads in the cloud
- 56% of organisations will be running more than half their workloads in the cloud over the next 12-18 months
The cloud provides the scalability, integration, and business continuity capabilities that companies need. While many will continue to maintain an on-premises presence, hybrid accounts for more than one-third of deployments.
Organisations operate in a diverse and expanded digital landscape. Because of this, CISOs and security teams often struggle to manage and secure their various private and public cloud workloads and environments. Despite the benefits of multi-cloud adoption, the current strategies and the multiple tools involved add extra layers of management complexity, and they become more complex still when organisations add cloud services in an ad hoc manner, creating management and operational challenges that also increase operational costs.
On top of this, few IT teams have the expertise needed to manage a hybrid deployment that spans multiple public clouds, private cloud and on-premises environments, leaving CISOs struggling to get ahead of potential issues.
Ward Solutions is a full service, full security lifecycle provider. If you don’t have the right manpower, tools and expertise then consider partnering with a Security consultancy and managed cloud security service provider with the knowledge and skills to help supply or augment your CISO, Security engineering and security operations resources. Talk to us today to see how we can help.