Accelerating to the Cloud, Responsibly

Author: Josh Hamit, Senior Vice President, CIO, at Altra Federal Credit Union and Member of ISACA Emerging Trends Working Group
Date Published: 13 January 2021

Coming out of 2020, most organizations are probably pivoting from digital transformation to digital acceleration. In only a matter of weeks, the world witnessed unprecedented adoption of digital technology that will shape consumer behaviors and business operations for years to come. Hopefully your organization is already well on its way to adopting cloud as a part of its digital acceleration strategy, but regardless of where your organization is at in the journey, security professionals are charged with helping their organizations adopt cloud securely. Done right, security can not only be a business enabler, but can also leverage cloud to enhance the organization’s security posture. Let’s explore a few important considerations before you make the leap, along with some cloud capabilities that can help a security professional sleep better at night.

Contracts & Due Diligence: Your organization probably has more of a footprint in the cloud than it realizes. How many of your existing vendors already host their applications in AWS or Microsoft Azure? Probably quite a few, and perhaps there’s been cloud-creep occurring over the years without broad awareness within the organization. Still, if you’re about to make the leap by going all-in from an on-premise datacenter to Azure, or migrating some applications into Microsoft 365, you’ll want to perform your due diligence. Don’t assume you’re secure by default simply by virtue of hosting your stuff in AWS or Microsoft. Spend the time up-front doing a proper risk assessment and make certain you can delineate your responsibilities versus those of the cloud provider. Some organizations still view compliance as a barrier to entry into the cloud, which may lead to a cultural aversion. However, in reality, most cloud providers can actually help you achieve compliance by checking quite a few boxes and shouldering some of the burden for you.

No matter what responsibilities you can offload to your cloud provider, your organization will ultimately maintain accountability for its data. Make sure you know what data is being stored, where it’s hosted, and how it’s secured. Whatever your security requirements, make sure they are included or negotiated into applicable MSAs and SLAs. If you expect to be notified of a breach within a certain timeframe, make sure it’s in writing. So, too, you will want to ensure clear provisions around monetary liabilities in the event of a breach or service outage. Even when large providers may be at first unwilling to budge on their terms, don’t be afraid to push back and fight for provisions that are especially important to your organization. Take advantage of your leverage before the contract is signed, and don’t expect many concessions thereafter.

Assistance & Training: There’s no shame in seeking an experienced partner that knows cloud security inside and out and can help you avoid a serious mistake along the way. Most IT departments are extremely talented and capable, but don’t underestimate the differences between a traditional network administration mindset and cloud administration. Misconfiguration in the cloud remains a top threat and top avenue of compromise. A collaborative partner can provide hands-on, learn-as-you-go training to ensure your team understands the how, what, and why behind every decision. Progressively, your staff will feel confident taking the reins during a future handoff. As you evaluate potential partners, don’t overlook the benefits of finding a partner that understands and has experience with your particular industry. It’s always easier to deal with someone who gets you, as opposed to the partner that takes a one-size-fits-all approach.

Lastly, consider investing in formal cloud training for your staff that might be either vendor specific or vendor agnostic. For example, some training may be very specific to administering a particular cloud application or platform, whereas other programs teach cloud security principles that generally apply to all environments. Relative to what you’re probably going to spend migrating into the cloud, training is a fairly modest expense. The more equipped your staff are, the better job they will do to administer and secure your environment, so make sure they receive the tools and training to be successful.

Orchestration & Automation: Don’t overlook your strategy to orchestrate your security tools in order to limit silos of information. For example, you might be using a SIEM solution on-premise and want to feed events/logs from your cloud provider into that central pane of glass. Does the cloud provider support log aggregation, or are there some limitations or barriers that will potentially decrease your visibility or ability to correlate activities? The security team has enough to worry about without inadvertently creating more work. Similarly, you may have a desire to extend other existing security tools into the cloud. You’ll want to consider whether they are compatible and factor in any additional costs you may incur to extend those solutions.

Wherever possible, try to automate the collection, inspection, identification and response to events that really matter. You might hit some bumps in the road initially, perhaps blocking something or somebody legitimate, but don’t let that derail you from trying to leverage automation. Every tool is just that … a tool, and it will take some experience and tuning to get it right. Typically, you can run most tools in a passive mode at the onset to allow time for learning and tuning before you flip the switch. This approach can alleviate the impact of causing undue interruption to business processes.

Controls & Capabilities: Cloud providers are keenly aware of what’s at stake for them and the organizations that entrust their systems and data in the cloud. This is a good thing from the standpoint that cloud providers are investing huge sums to innovate next-gen security tools and incorporate more machine learning and AI to detect malicious activity. Things like MFA should be a given, and remember that it’s about layering security and not putting all your eggs in one basket. For example, cloud providers may provide mechanisms to elevate admin accounts on an as-needed basis rather than an always-enabled approach. Or, the cloud provider may offer tools to auto-detect risky accounts based on behaviors that fall outside the norm. Some cloud providers are also making it increasingly easy to pinpoint gaps in your cloud security and remove the guesswork. For example, Microsoft Secure Score provides a useful dashboard for IT and security staff to quickly spot the most impactful changes they can make to improve their security posture, taking a prioritized approach.

Of course, no article would be complete without mention of Zero-Trust, the latest security buzzword for 2021. Kidding aside, the principles of Zero-Trust will be increasingly important as network perimeters expand into the cloud, along with more users working from home and more connected devices. The idea is that credentials alone are never a good indicator of someone’s true identity and access should be conditioned to meet a more robust set of criteria that conforms to an organization’s policies. This is an area where cloud providers can help an organization fast-track some Zero-Trust quick-wins, using tools like Microsoft’s Conditional Access.
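The two ideas above, access conditioned on more than credentials and running a control in passive mode before enforcing it, sketched as an added example (not part of the original article and not Microsoft's Conditional Access API). The policy conditions, allowed countries and sample sign-ins are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SignIn:
    user: str
    mfa_passed: bool
    device_compliant: bool
    country: str

# Hypothetical organizational policy values (assumption, not from the article).
ALLOWED_COUNTRIES = {"US", "CA"}

def violations(s):
    """Return the policy conditions a sign-in fails; valid credentials are assumed."""
    failed = []
    if not s.mfa_passed:
        failed.append("mfa")
    if not s.device_compliant:
        failed.append("device")
    if s.country not in ALLOWED_COUNTRIES:
        failed.append("location")
    return failed

def evaluate(s, enforce):
    """Passive mode (enforce=False) never blocks; it only records the would-be decision."""
    failed = violations(s)
    would_block = bool(failed)
    return {"user": s.user, "failed": failed, "would_block": would_block,
            "allowed": not (enforce and would_block)}

def tuning_report(events, enforce=False):
    """Summarize who is blocked, who would be, and which condition is responsible."""
    results = [evaluate(e, enforce) for e in events]
    per_condition = {}
    for r in results:
        for cond in r["failed"]:
            per_condition.setdefault(cond, set()).add(r["user"])
    return {"blocked": [r["user"] for r in results if not r["allowed"]],
            "would_block": [r["user"] for r in results if r["would_block"]],
            "per_condition": {c: sorted(u) for c, u in per_condition.items()}}

# Constructed sample sign-ins; each one presented valid credentials.
SAMPLE = [
    SignIn("alice", True, True, "US"),
    SignIn("bob", True, False, "US"),          # unmanaged laptop
    SignIn("carol", False, True, "CA"),        # MFA not completed
    SignIn("svc-backup", False, False, "DE"),  # service account, fails every condition
]

if __name__ == "__main__":
    print(tuning_report(SAMPLE, enforce=False))            # passive: nobody blocked
    print(tuning_report(SAMPLE, enforce=True)["blocked"])  # after flipping the switch
```

Reviewing `per_condition` while still in passive mode shows which legitimate users or service accounts would be interrupted, so the policy can be tuned before enforcement is switched on.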

In summary, cloud is a must for any organization that wants to compete in an era of digital acceleration. Whether you’re looking at a cloud strategy that’s all-in, or some hybrid approach, you stand to gain a significant amount of agility and introduce new game-changing digital capabilities to an organization. Of course, accelerating too quickly around a corner can lead to catastrophic consequences, so it’s important to occasionally pump the brakes to ensure that you’ve taken the time for the necessary due diligence and planning. If you accelerate to the cloud, responsibly, you can achieve a win-win through business enablement and increased security.

Editor’s note: Cloud auditing can provide a big picture understanding of the type of cloud services and deployment strategy that would best benefit your business. Find out more about the new Certificate of Cloud Auditing Knowledge (CCAK) from ISACA and Cloud Security Alliance.