The cloud adoption is everywhere.. everyone is doing it, but that doesn’t mean they’re doing it right. CompTIA reported recently that 90 percent of companies are using cloud computing in some form.
The CISO Platform Playbook Round Table discussion happened with 34-40 CISOs across metros along with VMware. The discussion was driven by Bikash Barai and the inputs from the discussion have been put together (CISO names are not provided based on privacy guidelines).
The below challenges and its resolution seems daunting however taking up one at a time and following a 90 day roadmap or a 180 day roadmap is a small way to start.
Challenges In Modern Cloud Environment
Gartner Says "No less than 90% of organizations will adopt hybrid infrastructure management capabilities by 2020. For hybrid-cloud architectures, concerns remain about data protection, security, and compliance.
- Visibility & Control/Visibility across multi cloud environment
- As customers start using the public clouds for eg Azure, AWS, and Google along with private clouds such as OpenStack—complexity and risk grows exponentially. This makes it very challenging for companies to view and control the distributed systems that make up the infrastructure.
- Managing security of hybrid cloud/ Data Security
- Security is in itself challenging, but hybrid cloud increases the complexity. You need to protect both "data at rest" and "data in motion".
- Compliance & Governance/ International standards and cooperation
- One of the biggest challenges is that many companies are still manually checking to see that they are compliant and meeting custom or regulatory security baselines for security compliance and auditing requirements. This is a complex, and error-prone process - companies need to automate the scanning and remediation of security controls using open-source tooling.
- Despite a common theme, different countries have developed data protection regimes that sometimes conflict with each other. As a result, cloud providers and cloud users operating in multiple regions struggle to meet compliance requirements. In many cases, the laws of different countries might apply concurrently, in accordance with the following:
- The location of the cloud provider
- The location of the cloud user
- The location of the data subject
- The location of the servers
- The legal jurisdiction of the contract between parties, which may be different than the locations of any of the parties involved
- Any treaties or other legal frameworks between those various locations
- Shadow Cloud: Different teams may procure cloud instances without informing the central security team. If you don't know what to protect then you cannot protect it.
- Micro-segmentation / Isolation
- Micro-segmentation is the ability to put a wrapper around the access control for each component of an application. It helps administrators to control and set granular policies to protect the application environment.
- Zero Trust
- Zero Trust (ZT), introduced by analyst firm Forrester Research, is an alternative architecture for IT security which simply means that we cannot trust the perimeter to keep the bad guys out, and is designed to address lateral threat movement within the network by using micro-segmentation and granular rule enforcement, based on user, data and location.
- Strict SLA and governance / responsibility for managing security
- Regulatory compliance is now accepted as a data security essential for several business sectors however applying such data protection legislation to the cloud can become a nightmare. Sarbanes-Oxley in the United States and the Data Protection Act in the UK requires companies to retain responsibility for their data at all times, and that legal jurisdiction component will also include a cloud provider if it handles enterprise data.
- How to stay ahead
- To stay ahead the key is in establishing a close relationship of emerging technologies with cloud computing, including Big Data, Internet of Things, and mobile computing.
- Under the Privacy and Security Guidelines of the Organization for Economic Cooperation and Development (OECD), the data controller (typically the entity who has the primary relationship with the individual) is prohibited from collecting and processing personal data unless some of the criterias are met. These laws define numerous obligations, such as confidentiality and security for the entities that access personal data. When entrusting a third party to process data on its behalf (a data processor), a data controller remains responsible for the collection and processing of that data. The data controller is required to ensure that such third parties take adequate security measures to safeguard the data.
- Immutable Architecture
- Auto-scaling and containers, work best when you run instances launched dynamically based on an image. Those instances can be shut down when no longer needed for capacity without breaking an application stack. This is core to the elasticity of compute in the cloud. Thus, you no longer patch or make other changes to a running workload, and since that wouldn’t change the image, therefore, new instances would be out of sync with whatever manual changes you make on what is running. These are called virtual machines immutable.
Some Other Challenges:
- How to be up to date with New Trends In Security Architecture
- Knowing Adaptive Security Policy
- Creating Seamless policy deployments/Policy Orchestration
- Security as a Code
- Automated Security Baselining
Sample Cloud Security Road Map - 90 Days Plan
- Understanding business + priorities and stakeholders + team + budget + roadmap
- Asset Inventory – Foot-printing and shadow IT discovery
- Asset Classification
- Study of current contracts and SLAs (Exit clause..)
- Cloud security gap assessment + Roadmap
- Identify, Protection, Detection, Response, Recovery
- Access Control review
- BCP and DR review
Sample Road Map -180 Days Plan
- Key Metrics and Dashboard
- Cloud security architecture review and testing
- Reducing attack surface
- BCP Test
- Table-top Drill for BCP/DR and Crisis management
- Security automations opportunities
- Cloud security policy
All Rights Reserved @ CISO Platform. Reproduction of this in any form without prior written permission is not allowed. The information herein has been obtained from sources that we believed were reliable. The opinions expressed herein are personal and might change. CISO Platform disclaims all warranties as to the accuracy, completeness or adequacy of such information.