Moving to the Cloud? Here’s What to Consider Before You Make the Trip
March 3, 2016
Herjavec Group Contributors: Shawn Ershad, Robert Steadman & Michael Dundas
“You don’t know what you don’t know."
It’s the mantra of cybersecurity professionals globally as we all strive to gain visibility into our organizations’ information security efforts. When speaking with boards, we often remind them of the importance of balancing the effectiveness of their existing technology deployments with their Governance, Risk and Compliance requirements. You’ve got to peel the onion back to truly see the (hopefully robust) cybersecurity framework in place, and the current weaknesses within the system. We’re seeing many customers attempt to gain this visibility by moving their workload to the cloud.
Security in the cloud forces a shared responsibility. Typically the Cloud Service Provider (CSP) will take care of the physical security of their data centers and equipment – meaning the physical hardware, networking and the security of the cloud infrastructure & hypervisor. The customer is usually responsible for everything that runs on this infrastructure – including the operating systems, applications and services as well as the configuration of these items. Keep in mind, when you approach the network, who is responsible can become murky. For example, while the Cloud Service Provider will protect their infrastructure from DDoS attacks, an attack that is directed at your application or service that does not impact the CSP’s other customers or infrastructure will fall on you to manage.
So, how does one manage security effectively in the cloud?
Frequent security assessments are one of the tools an organization can use to identify weaknesses in their processes and systems. These assessments should include some key components such as vulnerability assessments and penetration testing. Keep in mind that network level testing may trigger alarms for your Cloud Service Provider. Beyond the network, the testing you conduct at the service and application layers should be similar to testing you currently do today, albeit with a few modifications as required. These tests offer reassurance that critical systems are capable of tolerating a data breach or cyber-attack. Their results can also point to gaps that must be rectified urgently.
Most organizations leverage ethical hacking methods to explore their critical infrastructures including internal and external IP addresses, applications and hosts, but often miss the full scope of the Cloud Service Providers at play in their environment. Again, when testing, one needs to keep in mind where the provider sees their area of responsibility and where the customer sees theirs, with respect to security, and adjust the methods accordingly.
Here are a few critical considerations before engaging a Cloud Services Provider (CSP):
- Confirm with your CSP if they perform frequent penetration testing on their client environments.
- What is the CSP responsible for and what do they test?
- How frequently are tests performed?
- What methodologies are utilized for the tests?
- Will the CSP share the detailed results on the cloud services being utilized by your organization with you?
- What is the division of security roles and responsibilities between your organization and the CSP?
Based on your organization’s resources and cloud skillset, it may be advisable to engage a third party security firm to manage your penetration testing and overall security posture in the cloud. While visibility is typically the key challenge facing most organizations looking to migrate workloads to the cloud, consistency is an additional concern.
We recommend having a Cloud Security Framework in place to help your team navigate the migration and eventual management of your cloud workload. Often, this framework is a modification of your existing framework to support cloud initiatives. This Framework includes:
- Having a cloud governance committee and understanding what groups are part of the review process
- Developing a cloud security training program
- Classifying your data and understanding its sensitivity level
- Finding an executive sponsor
- Reviewing your compliance concerns and addressing them
- Benchmarking your key levels in terms of visibility, control and access
- Developing a process for consistent auditing and monitoring against the key categories and levels identified
If you have questions relating to cloud security or security consulting, please fill out the form below:
[contact-form-7 404 "Not Found"]
About Herjavec Group
Dynamic IT entrepreneur Robert Herjavec founded Herjavec Group in 2003 to provide cybersecurity solutions and services to enterprise organizations. Herjavec Group delivers SOC 2 Type 2 certified managed security services globally supported by a state-of-the-art, PCI compliant, Security Operations Centre (SOC), operated 24/7/365 by certified security professionals. This expertise is coupled with leadership positions across a wide range of functions including consulting, professional services & incident response. Herjavec Group has offices globally including head offices in Toronto (Canada), New York City (USA), Reading (United Kingdom) and Sydney (Australia). For more information, visit www.herjavecgroup.com.