Today, moving to the cloud is a business imperative. Cloud enables the scalable, flexible, and cost-effective solutions that enterprises need. But in the realm of cloud, there is still a great deal of uncertainty and hesitation regarding security. Not surprisingly, as Chief Information Security Officer (CISO), one of the most frequent questions I’m asked is “is there a step-by-step approach to keep the cloud secure?”
The short answer is yes. But I would add a caveat: “…but it requires a disciplined, rigorous, and relentless approach that begins before migration to the cloud takes place.” The approach can be broken into steps, but these steps should be completed in parallel and are iterative.
Step 1: Complete a Risk Analysis
Conduct a detailed analysis of today’s real risks and vulnerabilities, as well as tomorrow’s potential risks and vulnerabilities. Consider macro threats, but also consider threats that are specific to your industry or business. Consider worst-case scenarios and consider as many “what-if” scenarios as possible. Collect input not just from your security team members, but also from the business. What’s keeping the business up at night? This analysis provides insight that will inform all decisions. It may even lead you to the decision not to move something to the cloud.
Step 2: Develop a Prioritized Plan
A plan needs to come before selecting any particular tool or application. If you begin with the tool, you will just find yourself looking for ways to use it. Your prioritized plan may need to be reviewed and approved all the way to the board level, since security is increasingly a board-level consideration. And even for a critical requirement like cloud security, there are only finite resources available. Prioritization and prudent risk mitigation are the name of the game. Your plan will guide you in your tool selection and in allocating your resources appropriately.
Step 3: Communicate Security Policies
An important process at all times, but especially as you migrate to the cloud, is to develop, publish, and enforce clear security policies and procedures. Provide access only as required. Use encryption. Enforce password policies. Too often we get over-involved in the very technical aspects of cloud security, but forget that one of the most important threats facing us is our very natural tendency to avoid inconvenient behaviors, even though those behaviors keep us better protected. Relentless communication and education on these policies and procedures is critical, and this is a job that can never be considered “done”. Think your enterprise knows all the policies and procedures? Try sending out a “test” phishing email to your enterprise; the results may surprise you.
Step 4: Select Your Provider
Selecting your cloud provider is a critical step in your security strategy. Major cloud providers such as Microsoft, Google, and Amazon have extraordinary security teams working for them. They are continuously monitoring for any attacks, are able to respond incredibly quickly, and are often aware of vulnerabilities well before they are announced. However, only some cloud providers have this level of resources. Before moving to any cloud environment, be sure that you really understand the vendor’s security strategy, resources, and SLAs. Select a reliable, serious cloud provider whose reputation and business credibility are riding on its ability to keep you secure. Not all cloud providers can, or will.
Step 5: Prepare a Crisis Plan
One step that is too often forgotten is ensuring your crisis process and communication plans are robust enough for a cloud security issue. Even with the best planning, the best tools, and the best team, you need to realistically acknowledge that a security issue could occur. Your task is to ensure that everything is in place not only to learn about the breach quickly and resolve it quickly, but also to alert all impacted stakeholders with clear, actionable information. Delays or missteps in communication about a security breach can be as detrimental to the business as the breach itself.
Once you have migrated to the cloud, maintaining security requires relentless vigilance. All of the steps outlined above need to be repeated and refreshed on a regular basis, proactively. Complacency is the enemy of security. Keep analyzing the threat profile, revisit your plan, update your policies and procedures, maintain your crisis plan, and monitor and audit your cloud provider regularly. Keeping all of this fresh also keeps your team alert and engaged.
You need to move to the cloud. And you need to be secure. Taking a disciplined, rigorous and relentless approach is critical.