What Cloud Migration Means for Your Security Posture

It shouldn’t come as a surprise to anyone reading this article that there has been a major shift towards businesses hosting their critical applications in the cloud. Software-as-a-Service (SaaS), as well as cloud-based servers from Amazon or Microsoft, have changed the way we build networked business systems for any size organization. Cloud-hosted solutions can (but not always) simplify local management, save money, provide flexibility, and generally simplify the planning for a system life cycle. However, decision-makers tend to focus solely on the benefits the cloud provides and may lose sight of the fact that a shift to the cloud not only changes the infrastructure but also the way technology is managed – specifically as it pertains to security and risk. Below are a few security and risk considerations to keep in mind when moving to the cloud.

Disaster Recovery and Redundancy

For most organizations, the economy of scale for disaster recovery and redundancy solutions in a hosted/cloud-based server infrastructure exceeds anything that you could reasonably build and host yourself. Amazon, for example, is one of the largest companies in the world, with a network infrastructure that you could accurately describe as intercontinental. While Amazon is a big target for network disruption, the level of redundancy they have (and that you can utilize if their hosting solutions fit your organization) makes uptime extremely high. Plus, they are required to test and audit these systems to assure uptime and security to a reasonable extent. But for the organization they are hosting, there are still other considerations to be made as it pertains to disaster recovery and redundancy. The very definition of disaster changes. Instead of worrying about a server failure in your local network closet, a disaster might now mean a telephone pole getting knocked out, severing the ability for the office to talk with the cloud servers. For many applications that were once hosted locally, a disruption to Internet connectivity might have resulted in a yawn, but when companies depend on the cloud, a lost Internet connection means that business comes to a halt. Therefore, it’s important to invest in a redundant Internet connection or “MiFi”-style cellular connections as a backup. That’s just one example, but it’s important to re-examine what defines a disaster now that you’re in the cloud and what kind of redundancy you now need. As always, first define the incident or disaster and then consider the business challenges it would bring to help clarify the right kinds of solutions needed.

Device Security

Although in most circumstances sensitive data that is hosted in a cloud environment exists on the cloud side of the infrastructure, you still need to take into consideration the device itself. Even in many hosted environments, sensitive data often resides on those devices, at least temporarily – so often times, there is still a breach risk. But perhaps more importantly, the user behind the keyboard, as well as the accounts accessed by that user, could be compromised, leading to significant consequences. Fortunately, a comprehensive device security plan is still manageable. In addition to proper user rights and authentication rules, organizations moving to the cloud should consider solutions like multi-factor authentication, disk encryption, or a personal VPN. Traditional security tools like proper patch management, Antivirus software and common sense rules like not connecting to unsecure WiFi connections can improve security in a mobile, cloud-based environment. Finally, it’s important to perform regular vulnerability testing on the devices used to access sensitive data in the cloud to ensure that the security approach is correct as the landscape continues to change.

Network Monitoring and Endpoint Detection

Depending on the nature of the consequences from a security incident or specific compliance rules due to the type of data you are working with, you may need to go a bit further in your approach to security and risk. One approach may be to collect logs and look for suspicious incidents on a network level. With this approach, we try to detect early signs of an attack or data breach so that actions can be taken to thwart the incident with minimal consequences. As you might imagine, this can be extremely effective (although it might not be for everyone). Another approach focuses on monitoring the endpoint devices (i.e. PCs, switches and routers) for the processes running on the devices themselves. This provides another way to quickly identify and respond to a cyber-threat. Needless to say, these kinds of solutions are sophisticated and require investment, so it is best to discuss the right approach with an expert. Most major mistakes with cyber security are made on the planning and acquisition side rather than with the technology itself. You want to make sure that the investments you make in cyber security are put into the right risk management tools so you can get the best possible outcomes. Proper assessments on a regular basis can help determine what your risk factors actually are, so I always recommend starting there before implementing new technology, whether it is security, cloud or otherwise.  From there, you should have a clearer picture and a plan of attack so that these security management decisions are effective in meeting your organization's goals.  

Image

About the Author: Ben Schmerler is a Senior IT Risk Advisor at DP Solutions, an award-winning managed service provider (MSP) headquartered in Columbia, MD. Ben works with his clients to develop consistent strategies not only for technical security, but also policy/compliance management, system design, integration planning, and other business level technology concerns. You can follow DP Solutions updates on LinkedIn or their website: www.dpsolutions.com. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.