The Strategy

Now let's switch tracks and talk a little bit about strategy. Understanding what cloud services have been adopted by your organization, authorized or not, is the first step. Understanding what data is being transferred, processed and/or stored in those various cloud services is the second. Once you have identified the cloud services and the data types that are being put in the cloud, you need to put on your risk management hat and start tracking what security controls, if any, are in place to protect the data, and who owns the responsibility of configuring and managing those controls. Next, and maybe this should have been the first part of the strategy, is the need to increase awareness among the business and the stakeholders.

From a business risk perspective, "times are a-changing." Privacy laws are now in force to compel companies to adequately protect the data they collect. Failing to do the right thing and suffering a data breach can now result in irreparable reputational damage (mandatory breach disclosure) and financial penalties (fines). Businesses should now treat handling personally identifiable information (PII) as a high-risk activity, whether in your own data center or in a cloud. Cloud adoption has some major benefits, and any astute businessperson can see the cost savings and increased agility that the cloud can afford us. However, more often than not, the business and risk owners are wowed by the whiz-bang of the cloud and blinded to the additional and nuanced risks. Traditionally, when data lived in our own data center, we have had a decent ability to control how accessible it is and who has access to it. We call this the walled garden approach. By no means is it perfectly secure; it's just something we have become decent at securing. However, the walls come down when it comes to the cloud, which means your data is somewhat more exposed to threats than it was before.
That is not to say your data cannot be secured as well as, if not better than, in your own data center. However, it is a "choose your own adventure" scenario. A misconfiguration of your cloud service on your end, or choosing a cloud service provider that sucks at security (many of them), are by far the most common ways to end up in the news for a security incident and face punitive fines. Understanding that risk is crucial when making cloud adoption decisions.
Conclusion

You need to understand and manage risk accordingly, but enable, not inhibit, the business. Shadow Cloud adoption, especially software as a service (SaaS), is likely already in your IT environment, and you need to strike a balance between reducing risk and not stopping the business. As an example, there are likely one or more teams in your organization who have adopted an insecure SaaS service. You do want them to stop using it, but you will need to bring them a better solution or a compensating control first, before you can start saying "No, I'm taking your tools away."

Next, look for the opportunity to review and refactor early adoptions of infrastructure as a service (IaaS). The first generation of cloud adoption was lifting and shifting servers from the data center into the cloud. We joke that if you suck at security in the data center, you can totally suck at security in the cloud. Lifting and shifting "bad" from your data center into the cloud is likely going to come back and haunt you in the future. You should instead consider the cloud a green field where you can pragmatically migrate applications into a pristine and highly secure environment one at a time. Rather than lifting and shifting old and insecure configurations, you refactor your applications to leverage next-generation cloud-native services, which can save you money and have best-practice security functionality baked in.