What are some of the security considerations an organization should make before embarking on migration to cloud?

Considering there is a business requirement, the foremost consideration is that organizations should have a sound in-house information security program in place supported with policies, procedures, standards, guidelines, and regulatory and compliance requirements. Then we must take into account the data classification and data protection regulations that shall dictate the roadmap to migration. Based on the above two security-related factors, we determine which processes, systems and data can be migrated and what service model will best suit our needs for each of the selected applications/resources in line with our security program.

The next important step is choosing the Cloud Service Provider (CSP). From a security point of view, this will include a comprehensive survey of contracts, terms and conditions, and SLAs. The main factors to consider include: security standards claimed, data ownership, shared responsibilities, non-disclosure agreements, dispute handling, and auditing/pen test requirements.

Finally, when a particular CSP is chosen that is in line with our security programs, we need to revise our programs like risk management, configuration/change management, vulnerability management, business continuity and disaster recovery plans, incident handling, security assessments, security awareness and training, and forensics to take into account the cloud deployments. This is augmented by designing a security architecture around hybrid deployment. Some of the guidelines can include the following recommendations:
- The first important factor is to design a high-level architecture in terms of the level of integration and coupling between on-premises and in-cloud resources. This will give us an overview of how some resources are interconnected while others are standalone in one of the two environments. We also need to define the flow of data and carry out threat modelling at each node.
- We then define the functional architecture where we go into details like choosing the type of integration, securing flow of traffic and data, identity and access management, encryption, key management, protocols and endpoint security. This will define our overall picture of the security and also determine the roles and responsibilities, requirements and categorization of controls, their placements, and our residual risks. This should be presented in a risk assessment for approval from management and get revised to align with business goals and the organization's accepted risk level.
- Finally, we need to define the operational support architecture (stakeholder views) that should help in drafting the respective department’s policies, procedures, guidelines and best practices. This can include change management, vulnerability management, configuration management, SIEM and DLP implementation, aggregation and correlation of audit logs, security assessments, compliance and auditing, business continuity and disaster recovery, etc.

Migration to the cloud with Tripwire

Cloud adoption will increase business in terms of competitive markets; however, it comes with its own high risks. As DevOps engenders more automation, traditional security is likely to fail mainly due to its perimeter focus, reliance on security appliances, heavy footprints on endpoints, lack of automation, slow and strict change control process, and inability to scale for cloud elasticity. Security, as a result, has to keep up with the pace, and DevOps should evolve to DevSecOps with security embedded in the internal processes before cloud deployment. Here is a checklist that may provide a framework for cloud security:
1. Carry out cloud threat modeling.
2. Secure your deployment pipeline.
3. Integrate security into the deployment pipeline.
4. Perform continuous monitoring.
5. Report on metrics to monitor/update your processes 1-4.