The Hidden Opportunity of Security in the Public Cloud

68% of IT leaders see security and compliance challenges as the biggest barriers to public cloud adoption. But what if we look at security another way? What if security in the cloud isn’t seen as an obstacle but rather as an opportunity to further transform your organization? What if moving to the cloud presents a chance to rethink your entire approach to security?
Mark Gilmor, VP, Principal Architect
December 9, 2019 (updated December 10, 2019), THE DOPPLER

“My people are overworked! We are understaffed! And you keep increasing the attack surface!!!” Thus said every security person ever. To a large degree, the words ring true. Organizations are adopting new technologies that add threat vectors for their already strained security resources. As bad as that is, it is simply the natural evolution of business: organizations must carry their technical debt while reaching out to take advantage of the next generation of technologies. Enterprises also need to become more agile and responsive. Not only is the attack surface expanding — the business side wants IT to move faster.

“According to ESG research, 51 percent of organizations report having a ‘problematic shortage’ of cybersecurity skills in 2018. This is up from 45 percent in 2017. This skills shortage has multiple implications. Organizations do not have the right sized teams, and operate in a perpetually understaffed mode. Often, the cybersecurity team lacks some advanced skills in areas like security analytics, forensic investigations or cloud computing security, putting more pressure on the most experienced staffers to pick up the slack.” – CSO Online FEB 6, 2018

Security people are being pushed back on their heels, and the rest of the business is only making it worse. So, where is the “hidden opportunity” in all of this?

What the Cloud Offers Organizations That Is Different

Part of the “hidden opportunity” for security professionals is to take a step back and re-evaluate how they approach security in their organizations. Moving to the public cloud can be the catalyst. Done correctly, organizations first return to the capabilities that define their security posture, and only then determine how those capabilities will be delivered in the public cloud.

This focus on capabilities also helps enterprises understand their own security standards and the regulatory implications behind them. When organizations work at the capabilities level, the conversation moves away from “how can I move a security tool out to the public cloud?” to “what is the capability I am trying to satisfy?” Essentially, the organization gets to rethink its security approach. Most importantly, it gets to try new methods and approaches that embrace next-generation security. Are you smelling the “hidden opportunity”?

Capabilities in the Public Cloud

It does not matter which public cloud you are moving to. Capabilities, by definition, describe what you are trying to accomplish from a technology perspective — or for our purposes, from a security perspective. How you accomplish those security capabilities is a downstream event; therefore, the consideration of security capabilities should always be cloud agnostic. The focus on security capabilities is also not just for a move to public cloud. It holds true for any technology move, whether it involves IoT, SAP, private cloud or any other shift you can think of. Those situations are not relevant to this conversation, but they are important when planning for the future.

What Bubbles Up?

When designing a secure public cloud environment, certain aspects bubble up as primarily important. This does not imply that other aspects are unimportant; they simply play a less significant role in achieving your overall security goal (or paradigm) in the cloud, and are less influential in creating the “hidden opportunity.”

Here are the primary security-related stances you should adopt in every public cloud move. They align with the guiding security principles you should consider within your organization:

1.  Assume You Have Been Breached

In this model, it is not a matter of if you will be breached — it is a matter of when. This sets the table for the organization to start from a completely different mindset: one focused both on minimizing the opportunities for a breach and on making sure that, if a breach occurs, all the processes involved are mature enough to enable fast remediation. For more detail, read Stuart Stent’s article on why you should assume that you have already been breached.

2.  Tag Everything

Tagging is your keystone. Tagging gives you the opportunity to create the metadata that produces the visibility needed in these potentially fast-changing environments. In the ephemeral world of cloud, only tags will allow you to quickly derive meaning from the countless log sources, whether from the environments themselves or from the tools watching those environments.

3.  Encrypt Everything 

Encryption is inexpensive, relatively simple and absolutely necessary. With any public environment, it is a given that you must understand your data and protect it accordingly. There are implications to having your data hosted somewhere else; so, identify, classify and secure it appropriately. By encrypting everything, you give yourself a safety net for misclassified data. You increase the level of obfuscation of all data types, and you give yourself the ability to crypto-shred, either through the cloud service provider (CSP) or on your own terms, on premises, in a bring-your-own-key (BYOK) scenario. The bottom line is: if you do not encrypt at this point, you are subjecting yourself and your organization to real risk when you are in a public cloud.

4.  Log Everything 

Logs are your buckets of visibility. Use all logged successes and failures to understand where you stand in your environment. Control access to those logs through roles, and grant access accordingly. Finally, be sure to audit your logs on an annual basis.

5.  Life Is Difficult Enough in the World of Identity

Federate into your CSP, and maintain access in your identity source of truth. Do not try to maintain users in yet another source. Use clean roles for role-based access control (RBAC). Reaffirm your role maturity on premises. If you do RBAC badly on premises, start fresh in the public cloud. And absolutely use Privileged Access Management in the cloud. As organizations already know, most problems begin with elevated access. And lastly, cloud is a nonstarter without Multi-Factor Authentication (MFA). Be sure to enable MFA on root access, as well as on any privileged access in the cloud.

6.  Continuous Compliance Continuously

You do not own everything in the public cloud, but what you do own, you should know intimately and continuously. That means taking advantage of existing cloud-native or third-party compliance tooling for the CSP on the cloud infrastructure, to watch for things like unencrypted buckets. You need compliance measures in the image pipeline; you need compliance measures on instances; and you need compliance measures on your data. All this visibility should be combined with automated actions to maintain the velocity the cloud should be giving you.
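As an added example (not code from the article or from CTP), here is a minimal continuous-compliance evaluator in Python that turns the stances above (tag everything, encrypt everything, MFA on root and privileged access, automated actions) into checks over a constructed inventory. The inventory classes, the required-tag policy and the action names are assumptions for illustration, not any CSP's API.

```python
from dataclasses import dataclass, field
# Assumed tag policy for this example; the article does not prescribe a tag set.
REQUIRED_TAGS = {"owner", "data-classification", "environment"}

@dataclass
class Bucket:                      # object-storage bucket in the inventory
    name: str
    encrypted: bool                # default encryption at rest enabled?
    tags: dict = field(default_factory=dict)
@dataclass
class Principal:                   # root or IAM identity in the inventory
    name: str
    privileged: bool               # root or any elevated access
    mfa_enabled: bool

def check_bucket(b):
    """'Encrypt everything' and 'tag everything' checks on one bucket."""
    findings = []
    if not b.encrypted:
        findings.append((b.name, "bucket-unencrypted", "high"))
    missing = REQUIRED_TAGS - set(b.tags)
    if missing:
        findings.append((b.name, "missing-tags:" + ",".join(sorted(missing)), "medium"))
    return findings

def check_principal(p):
    """MFA on root and on every privileged identity."""
    if p.privileged and not p.mfa_enabled:
        return [(p.name, "privileged-without-mfa", "critical")]
    return []

def evaluate(buckets, principals):
    """Run every check; returns (resource, finding, severity) tuples."""
    findings = [f for b in buckets for f in check_bucket(b)]
    findings += [f for p in principals for f in check_principal(p)]
    return findings

def remediation_plan(findings):
    """Automated action per finding; tag gaps are left for the owner to fix."""
    actions = {"bucket-unencrypted": "enable-default-encryption",
               "privileged-without-mfa": "disable-until-mfa-enrolled"}
    return [(res, actions[kind]) for res, kind, _ in findings if kind in actions]
# Constructed sample inventory, not real resources.
SAMPLE_BUCKETS = [
    Bucket("logs-archive", True, {"owner": "secops", "data-classification": "internal", "environment": "prod"}),
    Bucket("scratch-uploads", False, {"owner": "dev"}),
]
SAMPLE_PRINCIPALS = [Principal("root", True, False), Principal("analyst", False, False)]
```

Calling `remediation_plan(evaluate(SAMPLE_BUCKETS, SAMPLE_PRINCIPALS))` yields the two automated actions for the sample: enable default encryption on the unencrypted bucket and disable the root identity until MFA is enrolled.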

7.  Keep Bad Habits On Premises

You have had 20 years to do things right on premises. You know your technology inside out, and therefore know where the bodies are buried. If you are not doing something well on premises, please, please, please, do not bring that challenge to the cloud. Cloud is your moment to rethink the following processes:

  • Image management
  • Configuration management 
  • Change management 
  • Patch management 
  • Identity and access management
  • And much much more

We hesitate to mention automation, but in each one of these areas, automation is a key component. If you are not using automation in the cloud, you will not be able to scale securely. It is that simple.

What Is All This About a “Hidden Opportunity”?

Scoping out security in the cloud shows you what is possible on premises. The “hidden opportunity” lies in the premise that if organizations can prove security effectiveness and efficiency in a public cloud environment, they can translate those good habits back on premises.

You have abstracted your security approach and applied it to the cloud. You have shown that you can achieve automation, secure deployment pipelines, immutable infrastructure, continuous compliance and consistent protection of data, all in the cloud. Now, by applying these security approaches on premises, you will upgrade your overall security ecosystem, your team will no longer be overworked and understaffed — and as security professionals, you can move from being “back on your heels” to “ready to sprint,” freeing up time for your overburdened security resources. This ultimately is your organization’s “hidden opportunity” to turn the tables on its attackers and bring the fight to them.

Mark Gilmor

Mark Gilmor is a VP Cloud Architect and Security Practice Lead at Cloud Technology Partners.
