Three out of every four organizations on the planet have some sort of cloud presence. According to a 2018 IDG survey, 77 percent of enterprises now have at least one application or some portion of their enterprise computing infrastructure in the cloud. Enterprises also revealed in that same report that they planned to invest an average of $3.5M on cloud apps, platforms, and services.
Go here to see a listing of eWEEK's Top SIEM Companies.
Go here to see eWEEK’s listing of Top Cloud Access Security Brokers.
Looking forward, executive management at technology-dependent industries—including manufacturing, high-tech and telecom—are increasingly driving toward become 100% cloud-enabled. This also means that, except for those new startups starting with a full cloud-based infrastructure, most organizations are currently either actively migrating their infrastructure and/or applications to the cloud and trying to bridge their business processes, applications and workflows between a local physical network and one or more networks residing in the public cloud. If they're not now doing this, they are planning to do so.
One of the challenges these organizations face is creating a consistent security posture across their local and cloud-based resources. The reality is that not all security policies can be successfully and seamlessly implemented across a multi-cloud environment, especially when using a variety of tools. That’s because most vendor solutions do not support all of the major cloud platforms. Many also do not support native cloud integration. This can create challenges in enforcement consistency and policy definition as workflows and applications move among different cloud environments, resulting in security gaps and blind spots that can be exploited.
Successfully Migrating Security to the Cloud
Migrating infrastructures, applications, or services to the cloud without expanding the attack surface or increasing security overhead requires careful preparation. This starts by understanding that any cloud-based deployment, whether building out a new infrastructure or building a new application, requires clear communication between lines of business, IT and security teams. Without clear communications about business needs and objectives and a candid discussion of related threats, organizations open themselves to a whole array of new risks, including new denial-of-service attacks targeting cloud resources, cloud malware injection, web application exploitation, cloud-API attacks, and account or service hijacking.
Successful cloud migration also requires successfully migrating security to the cloud, enabling organizations to deploy and manage a single, consistent security framework that spans the entire multi-cloud infrastructure.
This eWEEK Data Points article, using industry information from Lior Cohen, Senior Director of Products and Solutions, Cloud Security, at Fortinet, offers seven steps every organization should consider when planning a cloud adoption or cloud migration strategy.
Data Point No. 1: Baseline Your Security Before Moving to the Cloud
Far too many organizations own security architecture built around isolated security devices, decentralized management and an inconsistent application of security policies.
If this is the case for your organization, you will need to start by getting control of your security sprawl and imposing a central security strategy. Once that is in place, you then need to ask the following questions:
- Do you know your current security posture and its implications for your future business goals?
- Do you have the proper policies and procedures in place for your current and future environments?
- Have you performed a gap analysis for how cloud will change your security paradigm?
- What are the impacts of a distributed, cloud-based network on risk management?
Data Point No. 2: Planning for Bandwidth Requirements
You will need to model and understand data flows and bandwidth requirements to ensure that your security solutions can meet performance requirements, especially for latency-sensitive services that will require to go through VPN (virtual private network) tunnels.
Data Point No. 3: Understanding Compliance Issues
Ask yourself these questions: What requirements do you have to meet for data processed and stored on the cloud, as well as for data that moves between different cloud and physical network environments? It is crucial that your legal team be consulted before you begin to build or adopt any sort of cloud program?
Data Point No. 4: Providing for High Availability and Disaster Recovery
The biggest fear for most organizations looking at a cloud solution, after addressing security concerns, is the availability of cloud-based resources. You also need to understand if dynamic scaling is required and whether your security solution can meet new performance requirements. Finally, you need to consider things like flow symmetry and load balancing, especially for legacy applications in order to maintain availability, performance and protection—even when utilizing dynamic cloud based services.
Data Point No. 5: Applying the Right Security at the Right Place
Cloud security requires much more than simply placing a firewall at the perimeter of the cloud infrastructure. A wide range of security solutions will need to be applied depending on the applications running and services being used. A next-generation firewall solution is the most common security tool to be applied, but other solutions are often also required, including WAF (web application firewall), IPS/IDS (intrusion prevention system/intrusion detection system) and a CASB (cloud access security broker).
Data Point No. 6: Establishing a Lifecycle Management Framework
Ensuring consistency between security solutions and policy enforcement, especially when they span multiple environments, is crucial. Security tools need to be specifically chosen not only for their ability to operate natively in a specific cloud platform, but also for their ability to interoperate seamlessly through the entire security policy lifecycle with sister solutions deployed in other environments. This includes: Consistent security change policy, dynamic provisioning and scaling, single point of management—including integration with a central ITSM solution, and central log collection and correlation.
Data Point No. 7: Don’t Let Ease of Cloud Trick You into Shortcutting Security
Adopting a cloud service can be as simple as clicking a link. Adding a new cloud-based infrastructure, while much more complex, is far simpler than building its physical counterpart. But that can be deceptively simplistic. Far too many organizations have had to pay the price for rushing into a new cloud solution without carefully considering challenges related to security. These have ranged from opening new attack vectors into their network to being unprepared for new cloud-based threats, to being blindsided by fines and penalties for failing to adequately prepare for new compliance considerations.
Careful preparation before you begin to build out your new cloud infrastructures, platforms, or services can save you time, money, and reputation and enable you to compete effectively in today’s new digital marketplace.