There are many reasons for enterprises to move to the cloud. It might be an “emergency migration” to cope with the uncertainty and upheaval of the COVID-19 pandemic. Or it could be part of a longer-term IT modernization plan. Whatever the reason, the cloud represents a basic challenge to IT departments: it is a fundamentally different environment, which makes it prone to human error. This is why cloud misconfigurations – a fancy term for “human error” – are by far the no. 1 cause of cloud data breaches.
Migrating to the cloud does not have to be fraught with risk, however. If the migration follows a well-constructed strategy and taps the right skills, processes and understanding of the shared-responsibility model, risk can become quite manageable. Here are some foundational elements to consider for controlling risk in the cloud:
- Strategy – At the most basic level, organizations need to examine the business rationale for moving to the cloud in the first place. Is there a program in place for effectively using the cloud? And is that program broad enough to fully consider how to address any new risks introduced by the cloud environment? Or it may be that the risk level is the same as it was in the old environment, only now it lives in the cloud. What does it mean when the “same old risk” now lives in the cloud?
- Talent – There is already a critical worldwide shortage of cybersecurity talent. According to (ISC)²’s 2019 Cybersecurity Workforce Study, there are currently 2.8 million cybersecurity professionals in the world and another 4 million are needed to close the skills gap. A similar shortage is developing around cloud skills in general, and cloud security skills in particular. When organizations consider cloud initiatives, it is imperative to understand whether the right talent is in place to successfully migrate and secure systems in the cloud. And even if it appears the right “numbers” of skilled workers are in place, it is important to understand whether those workers are focused on the right areas and subdomains, so they can be effective at securing the cloud environment.
- Development Processes – Many organizations today have moved to DevOps as their process for building, deploying and updating applications in the cloud. Is security integrated into that DevOps process (known as DevSecOps)? Or are things working the old-fashioned way, where developers and security pros work in silos, inevitably putting security in perpetual “catch-up mode,” securing already-deployed applications after the fact? To effectively manage risk in a cloud world, organizations need to move to the DevSecOps model so security can be built into the development process.
- Understanding Cloud Operating Models – Cloud providers operate under a shared-responsibility model: the cloud provider is responsible for the performance and security of the cloud infrastructure, while the customer is responsible for everything sitting on top of that infrastructure. Cloud providers have built a robust set of security tools for customers to use – but that can bring its own level of complexity. Does the security team know which cloud-native tools to use? If they do not use them, are they creating risk? And do they know exactly what they are configuring? Questions like these are often not contemplated until after the fact, which is a contributor to the breach-by-misconfiguration problem cited earlier.
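The “do they know exactly what they are configuring” question above, and the misconfiguration-as-breach-cause point at the top of the article, can be made concrete with a small policy-as-code check of the kind a DevSecOps pipeline runs before a deployment is allowed through. The following is an added example, not code from the article or from Deloitte: it audits an object-storage bucket policy written in the IAM/S3 JSON policy shape and flags the classic mistake of granting access to everyone (`Principal: "*"`) with no condition, shown beside a hardened version of the same policy. The function names, the bucket name `example-bucket` and the account id `123456789012` are constructed for the example and are not a vendor API.

```python
"""Policy-as-code check for a common cloud misconfiguration: a bucket policy
that grants object access to anyone. Added example; the policies below are
constructed samples, and the function names are hypothetical (not an SDK)."""
import json


def _as_list(value):
    """Policy JSON allows a string or a list for Action/Statement; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_public_principal(principal) -> bool:
    """True when a statement's Principal means 'everyone': "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def audit_bucket_policy(policy: dict) -> list:
    """Return human-readable findings for risky Allow statements in a policy."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; nothing to flag
        sid = stmt.get("Sid", f"statement[{i}]")
        actions = _as_list(stmt.get("Action"))
        if is_public_principal(stmt.get("Principal")):
            if "Condition" in stmt:
                findings.append(f"{sid}: public principal narrowed by a Condition; review it")
            else:
                findings.append(f"{sid}: grants {', '.join(actions)} to anyone "
                                f"(Principal '*') with no Condition")
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: wildcard action {action!r}")
    return findings


# Constructed sample: the weak setting. Anyone on the internet can read objects.
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicRead",
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]
  }]
}""")

# Constructed sample: the corrected setting. Only one named role may read,
# and a Deny forces TLS. (Account id 123456789012 is a placeholder.)
HARDENED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AppReaderOnly",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*"
    },
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
      "Condition": {"Bool": {"aws:SecureTransport": "false"}}
    }
  ]
}""")


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        findings = audit_bucket_policy(policy)
        print(f"{name}: {'OK' if not findings else 'FINDINGS'}")
        for line in findings:
            print("  -", line)
```

Run as a script it reports one finding for the weak policy and none for the hardened one. The same function fits naturally as a pipeline gate (fail the build when `audit_bucket_policy` returns anything), which is the DevSecOps idea of catching the misconfiguration before it is deployed rather than after.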
These are just some of the issues to consider when embarking on a cloud journey. By setting a sound strategy and aligning talent, processes and an understanding of the cloud operating model, enterprises can embark on a transformational cloud journey that grows their business, not their risk.
By Sean Peasly, Deloitte