Cloud security is ever-increasingly becoming an inescapable part of business—the employees of enterprises using the cloud without security are ensuring it. When you move to the cloud, you need to prioritize security—ID federation, user access policies, WAF, data access and protection policies. This article is about the state of the art of preparation, as well as a solid long-term strategy for portability in case you have to move again.
The cloud has become an inescapable part of doing business—and so has cloud security.
Moving an application to the cloud or adopting a new cloud service can be a mixed blessing. For the most part, cloud service providers tend to make their applications more secure than an individual company’s security team would. However, statistics suggest most cloud applications used by employees—an estimated 94.8 percent—are not entirely enterprise-ready. Many companies lack the policies they need to be as secure as possible.
The ranks of enterprises with no cloud policies are rife with employees bringing in their own mobile devices and using their preferred services. An increasingly mobile workforce and the emergence of connected business devices, from printers to your company’s heating system to the break room refrigerator—the Internet of Things—are powered by on-demand services, making the cloud even more important at work. According to the cloud access security broker Netskope, in the third quarter of 2016, the average company had 1,031 cloud applications being used by employees.
With attackers becoming more sophisticated, you need to secure your cloud applications and make smart decisions about how to spend resources on security. While much of the focus on cloud security is on better development practices by app creators, for many companies that are consumers of apps and cloud services—and not creators—the applications often must be secured with zero visibility into their inner workings: the proverbial “black box.” For that reason, securing apps in the cloud should be treated much like securing on-premises devices.
Here are three basic steps to extending your security in the cloud:
1. Get visibility
Just as a business needs to be aware of what is going on with its own infrastructure, your security teams should also have visibility into the use and security of any cloud services. You need to know not only how employees are accessing cloud services, but which employees are accessing them.
You should take advantage of all the logging functionality offered by your cloud provider. Your provider should also be transparent in how it secures its infrastructure and provides information about security controls.
2. Encrypt all data and identities
Business data kept in applications—and the data needed to access those applications, such as identity—become increasingly important when moved to the cloud.
Cybercriminals are taking advantage of inconsistencies between the data center and the cloud.
Because remote access to cloud services is the new normal, the security of data stored in the cloud also relies on the ability to reliably identify users. Security teams should not assume that a user with the right credentials is authorized. Other authentication processes such as two-factor authentication, anomaly detection, and geolocation can all help make access to cloud services more secure and should be used when they do not overly burden workflow.
3. Create policies and educate users
Moving applications to the cloud gives security teams the opportunity (some might say obligation) to extend their policies outside the corporate network. Because any employee with a credit card can deploy a new cloud service, you need policies that are flexible and technology that can detect unsanctioned services—more commonly known as shadow IT.
Whether data is stored on premises or in the cloud, the same overall policies should apply. While complying to regulations is an obvious starting point, your cloud policies need to ensure security and not just compliance.
Robert Haynes is a solutions architect with over twenty years experience in IT. Starting at the bottom as a helpdesk analyst, his lackluster career has lead him through UNIX systems administration, backup and storage, and finally application networking. Having supported, designed, and sold complex IT systems across a range of industries and a number of continents, Robert’s focus is always on the practical implementation and real world use of technology. While this may seem utterly at odds with his current role in marketing for F5 Networks, he likes to think that he is primarily employed to bring balance to the Force.
Robert holds a B.Sc. in Applied Biology from the University of Wales College Cardiff, and a certificate in “Avoiding Collisions While Backing and Parking” from the Driving Dynamics Interactive Advanced Driving School, the latter of which has proved considerably more useful than the former.