Organizations are rapidly moving to cloud providers for legitimate reasons, including reduced costs, digital transformation initiatives, and improving the agility of business. This allows organizations to focus on distinct, core competencies and how to generate revenue or deliver services.
The operational strategies of the business shift and lessen in most areas; however, there are considerations to review when moving to the cloud, which include cyber security. Moving to the cloud transfers risks in many areas and creates new risks.
As security professionals, we must understand these risks and guide the discussion about acceptance and mitigation of these risks. We must also ensure that executive management is aware of these items and do not adapt cloud solutions with a false sense of security that the cloud has eliminated or adequately addressed security’s heavy lifting.
A major contributor to breaches when adaption of cloud is in place is the misconfiguration of cloud workloads. According to IBM X-Force, “in 2018 misconfigured cloud workloads have led to exposure of more than 990 million records. The number of publicly disclosed incidents attributed to misconfiguration increased 20% year-over-year. Typical cloud misconfigurations mentioned in the report include publicly-accessible cloud storage, unsecured cloud databases and improperly secured backups.”
See Related: Embracing The Cloud Without Compromising Security
Accomplishing the task of risk mitigation involves asking the right questions. General questions to ask are:
- Do we have the right to audit? How does the provider prove audit compliance?
I simplify this example to an often-used phrase of mine; “you can tell me you love me all the time; how are you showing me you love me?” This expands to not just a right to audit, but the limitations of the audit. Are you able to set your hackers loose on the solution? Are there windows of time that is allowed? Are you only allowed to view their third-party reports? Is it the full report or just an executive summary? There are a slew of questions to explore here. You must decide the ones that best suit your business goals.
- Availability – DR and BCP
Availability includes up-times, and from the security perspective includes the question, “Can folks access the systems and data when they need it?” The organization must understand the expectations of availability. Cloud providers remove the burden of the cost, management, and heavy lifting of backups and recovery. The organization must ensure and discuss its needs and ensure the cloud provider meets these requirements.
- Regulation compliance
Many organizations are held accountable to regulations including HIPAA, GDPR, IRS 1075, and PCI-DSS. Cloud providers alleviate the tedious work of meeting and maintaining these requirements. As the security leader, you must ensure the business is aware of what regulations you are subject to. In addition, you must provide the discussion leadership about how this is accomplished and proven with the cloud provider.
- Data access & ownership
Where is data stored? Does your organization require a single tenant or is multi-tenant acceptable? Must your data stay within the boundaries of your nation? Who owns the data according to the provider’s contract? What are the steps and agreements if you decide later to change providers? How is that data transferred and protected?
- Incident response
Incident response is another advantage of moving to a cloud provider; however, do you understand your organization’s role in the IR process? What will the provider do and not do, or be accountable and responsible for?
Discussing the IR plan with the provider and ensuring these items are in the contractual agreement are a paramount control.
- Retention and destruction
How long is your data stored? Understanding your compliance requirements lends to this discussion. HIPAA data, for example, is required to be maintained for seven years. Does the provider accommodate that? Or does it cost extra?
The second part of this discussion is the destruction of your data. How is this done? Does it meet standards required by your organization or regulators? How does the service provider prove it?
How are the systems and applications configured? This is an important discussion; however, referring to the IBM report, a majority of breaches occur on the customer side due to misconfigurations. You must ask yourselves if the resources exist to properly configure the access, custom code, settings, etc. that reduce the risks to the data and the cloud resources.
Starting with these general and involved questions prepares a solid foundation for your organization to make informed decisions on moving to a cloud solution. Moving to the cloud does not replace your security office or the need for one. It simply requires the security office to adjust and realign based on the needs.
There is no need to re-create the wheel either. There are numerous resources, groups, and information currently available that aid in securely migrating to the cloud. Check out the many articles right here on Cyber Security Hub, explore Cloud Security Alliance Cloud Controls Matrix, or subscribe to one of the many blogs or group discussions about cloud security. Most importantly, hire security professionals and listen to them.