Whether organisations have migrated some or their entire infrastructure to the cloud, or are still considering the move, they should be thinking about security. Too often, organizations assume a certain level of protection from a cloud service provider and don’t take steps to ensure applications and data are just as safe as those housed in the data center.
The sheer range of cloud technology has generated an array of new security challenges. From reconciling security policies across hybrid environments to keeping a wary eye on cloud cotenants, there is no shortage of concerns. An increasingly complex attack landscape only complicates matters and requires security systems that are vigilant and able to adapt.
Below are nine tips to consider before, during, and after a cloud migration to stay ahead of the curve when evaluating security solutions for cloud service :
Plan for Hybrid Environments: The majority of organizations will have applications housed across hybrid environments, requiring CIOs to coordinate security policies across these environments. It might be tempting to rely on cloud service provider for security, but that could lead to risky inconsistencies. Identify security services that overlay a number of different cloud-based apps and provide the same technology and policy management for on-premise applications.
Start with Low Risk Assets: As companies begin migrating to the cloud, they should start with data and apps that are less sensitive or mission-critical. CRMs, for example, might not be as sensitive to downtime or data loss. Until they have vetted the reliability and security of a cloud service provider, should avoid migrating high-risk assets.
Maintain User Confidentiality: If the cloud provider is defending against encrypted attacks, it might inadvertently compromise user confidentiality. After all, detecting encrypted attacks requires some level of decryption of both legitimate and malicious traffic. It’s important that companies check with the cloud provider to see what solutions it uses and whether their sensitive information will stay private.
Know What’s in the Cloud: A company’s employees are almost certainly using cloud-based applications without the knowledge of IT teams, leaving a trail of vulnerabilities and data leakage. Unapproved cloud-based apps can lead to malware, posing a risk to the network. This problem has generated a new category in the security space: the cloud access security broker.
Don’t Become Collateral Damage: Understand the architecture and security offered by the cloud provider. Sharing computing resources/space can result in outages throughout the network, degraded performance, or denied access for users in certain geographies. If one shares space with the target of an attack, one could become collateral damage. Its important to know if the cloud provider can separate attack traffic from clean traffic to prevent attacks on cotenants of a cloud platform?
Understand Compliance Implications: If encrypted sessions are being terminated in the cloud, its critical to make sure that the provider’s platform or location fit both internal and industry compliance standards. Companies may be required to upgrade or modify security protocols to ensure the cloud service complies.
Detect Where You Can, Mitigate Where You Should: Monitoring for attacks at a company’s own data center is relatively easy, but cloud adoption means critical assets aren’t as “close” as they use to be. That distance can negatively impact timely detection. Organisations should place detection capabilities in front of their cloud-based assets just as they would in their data center. It allows them to assess the attack and determine the appropriate response. For example, turning to cloud scrubbing if it’s a volumetric attack.
Understand the Security Capabilities of Cloud Vendors: As with any service category, cloud hosting providers have different strengths and weaknesses. Some differentiate based on price, others on speed, and others on security. Organisations need to be sure to understand the security capabilities of its provider.
Separate Security Requirements from Hosting Requirements: Organisations ought to be careful to not let business units outside IT take ownership of security. Business units are under a lot of pressure to leverage the cloud to speed time-to-market and reduce costs. Security becomes a secondary consideration. Most of these business teams don’t have the skills or knowledge to assess security requirements.