Organizations face a number of security challenges when migrating to the cloud from on-premise data centers. Their work isn’t done once they’ve completed the move, either. At that stage, enterprises must decide on the best approach to fulfill their end of the Shared Responsibility Model and ensure “security in the cloud” with respect to protecting their data.
Before enterprises implement a single security measure, they should first make sure that their cloud security decisions align with the business. TAG Cyber LLC’s CEO Edward Amoroso couldn’t agree more:
“I would recommend that you carefully match up your cloud security architecture with the business function being supported. If, for example, a public cloud is being used to support marketing and social networking initiatives, then digital risk monitoring and enhanced authentication might be sufficient. If, on the other hand, critical business functions are being virtualized to cloud, then cloud access security broker (CASB) support, micro-segmented protections, and end-to-end encryption might be appropriate choices.”
From this business-centric focus, organizations can begin to consider implementing security controls in their cloud environments. Tim Erlin, VP of Product Management & Strategy at Tripwire, thinks they should make sure to define those requirements on the required controls only. He doesn’t believe they should use specific technology as their reference point.
“Organizations should define their security requirements based on the required controls, not specific technology,” explains Erlin. “In too many cases, cloud security controls are selected and deployed based on the availability of the technology instead of the real, risk-based requirement. The same controls are generally required for public, private, and on-premise systems. The definition of necessary controls shouldn’t rely on the technology as the starting point. Multi-cloud is a reality today; it’s a trend that’s on the rise. Building security controls around a single cloud provider will ultimately become a limitation and an unnecessary risk.”
With that said, one of the first security controls that enterprises should investigate is encryption. Here’s how information security writer Kim Crawley recommends that companies implement this particular safeguard:
“All data that travels throughout your cloud should be encrypted by some sort of stream cipher. External connections to your cloud should be tunneled through VPNs or SSH as much as possible. If you can make VPNs or SSH mandatory for remote connections to your cloud, do so.”
Encryption can certainly help organizations protect their data hosted in the cloud. But only if implemented correctly and with proper care. Michael Ball, chief information security officer (CISO), thinks companies should pay special attention to who owns and stores their encryption keys.
“For encryption keys in the cloud, make sure that YOU own them,” Ball cautions. “Many cloud service providers allow for protection of critical data through encryption; however, if THEY set up and own the private key for that encryption, then your data is at the mercy of THEIR security controls. If the service provider is breached, so is your data. Should the service provider have to legally hand data over to a 3rd party (government), they can and will also hand over the keys.”
Along those same lines, it’s important that organizations track changes and manage secure configurations of security controls and all IT assets in their cloud environments. Here’s AWS cloud security engineer Sundar Krishnamurthy on the matter:
“Enforce change control and configuration management on your cloud architectures. Everything is a JSON file in the cloud world — your load-balancers, production web servers, WAFs, network configurations for sensitive endpoints, access control lists, and logging. In this world, you get to define your architecture completely in code, and you can make it as detailed and secure as you like it to be. Restrict all access routes for least-privilege/need-to-know basis and get notified whenever the production configuration changes for whatever reason.”
Per Krishnamurthy’s recommendation, access controls are especially important in cloud environments, as they help prevent digital attackers from accessing organizations’ sensitive information. Christina Morillo, senior program manager of cloud & engineering security at Microsoft, understands well the wisdom of access management in the cloud.
“Customers, not the cloud provider, are responsible for determining who has access to their tenant; therefore, it is important to incorporate strong identity and access management controls from the offset,” Morillo notes. “One recommendation is to structure your access based on roles, especially for administrators. Require MFA for high-level operations and add extra layers of protection to privileged accounts by leveraging the cloud providers IAM and PIM tool.”
Encryption and access controls are just two of the security measures proposed by experts in Tripwire’s new e-book, 18 Expert Tips for Effective and Secure Cloud Migration. To learn what other security controls professionals recommend for organizations looking to migrate to the cloud, download the resource here.