As recently as 2017, security and compliance professionals at many of Tripwire’s large enterprise and government customers were talking about migration to the cloud as a possibility to be considered and cautiously explored in the coming years.
Within a year, the tone had changed. What used to be “we’re thinking about it” became “the CIO wants to see migration starting this year!” By 2018, many customers were fully immersed in an aggressive campaign to revamp their IT environments.
The business benefits of shifting to cloud-sourced infrastructure, platforms and software are well known. Often less understood, at least by many senior leaders making large-scale investment decisions, are the security and compliance nuances of such a shift. To effectively manage risks in new, usually-hybrid, environments, organizations will face both challenges and opportunities.
Cloud-hosted IT doesn’t necessarily mean less secure. There are many security enhancements offered by hosting services which may not otherwise be effectively implemented in a business whose core competencies don’t include IT.
Infrastructure-as-a-Service, for example, often comes with built-in patch management, secure configurations (or at least securely configurable settings), system redundancies, data backups and incident response—so security is not always compromised; it can actually be improved in some ways. But cloud-hosted IT does
mean security is different.
Much of the difference comes from the expanded scope of coverage needed. There are generally three areas that need to be considered:
- Security of cloud-hosted assets. Simply stated, this is an extension of what has always been needed on-prem: security controls on virtual servers, databases, workstations, etc., which process data and do the work. While the host may be different (physical to virtual, on-prem to hosted), the security metrics, measures and tools remain similar. (Read a white paper on this topic)
- Security of cloud accounts. This is the customer-centric cloud environment itself which now needs to be securely configured and protected. Loosely analogous to physical perimeter security of an on-prem data center, the security of these accounts must be maintained in order to prevent unauthorized access and modification of important settings. (Read a white paper on security AWS configurations)
- Security of for-the-cloud content. As the infrastructure and platform layers have shifted to hosted environments, the development of application content is undergoing its own revolution in DevOps. Rather than large software bundles that are occasionally patched and updated, the process if often now as continuous as possible. Security of this content—vulnerabilities, configurations, etc.—is vital. (Read an eBook on container security)
Security and compliance teams must now deploy, monitor and integrate security controls across these three areas and beyond.
Another key difference is that responsibilities are shared between service providers and customers. Given that it is the customer’s data and systems that need to be protected, the customer remains ultimately responsible (read: liable) for compromise. Often, the careful scoping of what the service provider accepts responsibility for is less than the customer may assume at the outset.
A clear understanding of what the security team needs to manage themselves is crucial to effective security of the cloud.
Most importantly, the need for foundational security controls does not change because the IT environment is architected differently and responsibilities are shared. Fundamental security principles, as it turns out, apply in the cloud as well as on-prem.
The CIS Controls
remain an effective way to prioritize security for any organization. Now the CIS Controls come with a CIS Controls Cloud Companion Guide
that provides guidance on how to implement security best practices in cloud-sourced environments. Taking into consideration the unique attributes of virtualized systems in hosted environments, the guide shows how each CIS Control and Sub-Control can and should be implemented.
The most important feature of the Cloud Companion Guide is perhaps it's most obvious: that the security controls themselves remain intact. While there are many new considerations for how
they are implemented and who
is responsible for each Sub-Control, the CIS Controls are just as relevant to this new environment as they were when first developed for dedicated, on-prem, self-managed data centers.
The organization must still know what is connected to/within its environment (CIS Control #1
, hardware asset inventory); what is running on those assets (CIS Control #2
, software inventory); where vulnerabilities are and how to address them (CIS Control #3
, vulnerability scanning); how to securely configure assets (CIS Control #5
, secure configuration management) and so forth.
For example, on secure configuration management (CIS Control #5), the guide states, “Even if a strong initial configuration is developed and deployed in the cloud, it must be continually managed to avoid configuration drift as software is updated or patched, new security vulnerabilities are reported, and configurations are ‘tweaked’ to allow the installation of new software or to support new operational requirements.” The customer must ensure that the service provider maintains this standard, or they must do it themselves.
It turns out that, despite rapid and dramatic changes in technology, the principles for how to secure IT assets and data remain very consistent. The challenge, then, is not to reinvent security strategy but to reinvent the methods and processes by which they are effectively implemented.
There are many benefits to cloud migration. A security-minded organization can maintain its secure posture by understanding the opportunities and challenges associated with new environments, taking responsibility for its part in the shared responsibility model and remaining—as always—consistent in implementing well-established best practices like the CIS Controls.