Large enterprises have turned to Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) in the cloud, such as AWS, Azure or Google, to fulfill business demands in a reliable and scalable way. Some organisations have jumped in feet first with a stated end goal of adopting 100 percent cloud with a “cloud first” mentality, while others are experimenting with a hybrid approach of on-premises and cloud infrastructure. This flexibility is a great option for meeting evolving business requirements, but it can also present a headache for those responsible for securing these environments.
A multi-cloud environment can take many forms: it could be several cloud IaaS and PaaS providers, or a single provider with multiple accounts, for example one for development, one for testing and one for production applications, which is generally considered best practice. With the rapid adoption of cloud infrastructure, ensuring security and compliance in these environments is one of the biggest challenges modern CISOs face. While most CIOs are tasked with developing a digital transformation strategy, the CISO is responsible for ensuring this strategy does not introduce risks or new threats to the organisation, often confronting an uphill battle and pressure to go in blindly. The challenges can be attributed to changes in ownership of technology, reduced overall visibility and new gaps in governance.
To overcome these security hurdles and maintain a consistent approach to defense and monitoring, there are a number of actions organisations should take in order to make the digital transformation run much more smoothly.
Tell the CISO
From the outset, the CISO and security teams need to be aware of plans for moving infrastructure to the cloud, not just to be able to assess the risks and forget about it, but also to be involved with the security architecture in these environments. Once the security measures are established, there needs to be effective and consistent monitoring to maintain the organisation’s security posture.
Figure out who is responsible for what
Often application and infrastructure teams have significantly more experience working in cloud infrastructure environments. In many cases, security teams should take advantage of the application teams’ experience and assume a role of governance rather than operations. In all cases, clear definitions of responsibility should be established.
Technology can help
With complex and diverse environments, it can be worthwhile to invest in security management technology that helps organisations get a holistic view, from risk to compliance and threat monitoring. One that covers multi-cloud environments will be especially beneficial to large enterprises for maintaining a consistent security posture while still being able to take advantage of all the cloud has to offer.
Don’t just say “no”
Security teams often get a bad reputation for just saying “no”. A more effective approach is setting standards that enable IT and infrastructure teams and help to set boundaries so that each party wins. If the security team is seen as a hindrance to innovation and productivity, it will simply be bypassed altogether, and that is a much more dangerous situation.
No matter what an organisation’s cloud journey looks like, establishing consistency in security defense and threat monitoring and maintaining a good security posture will always be the number one challenge. It is not a transition that will happen overnight, but by following the advice above, organisations can take a less bumpy route to digital transformation and use the cloud to its full advantage more securely.
Jody Brazil, co-founder and chief product strategist, FireMon
As co-founder and Chief Product Strategist of FireMon, Jody Brazil is a seasoned entrepreneur with more than two decades of executive management experience and deep domain expertise in all aspects of networking, including network security design, network security assessment and security product implementation.