A growing number of enterprises, irrespective of their size, are adopting cloud-first strategies to reap the benefits of scalability, flexibility, and ease and speed of provisioning. As per Gartner, the global public cloud services market in 2019 is approximately $214.3 billion, up 17.5% compared to 2018. Cloud investments, which include cloud consulting, implementation, migration, and managed services, are among the top three investments for more than 30% of organizations.
Some of the most recent cloud security breaches have highlighted how inadequate security measures, when utilizing the cloud, can bring disastrous results. As an example, Verizon’s data was breached when one of their vendors misconfigured an AWS S3 bucket that contained a caller data file repository. Uber serves as another example: the data of 50 million riders and 7 million drivers was stolen, resulting in major financial and brand reputation damages. These breaches serve as a hard reminder of how critical security is for any organization utilizing cloud as part of its tech stack. In fact, Gartner also predicts that 99% of cloud security failures through 2025 will be the customer’s fault.
Considering the above, cloud security should be one of the highest priorities for enterprises when utilizing the cloud. Even if cloud adoption is driven top-down, security in many cases doesn’t get the due importance unless a breach occurs. Some enterprises depend upon their Cloud Services Providers (CSPs) to ensure security, but that may not be enough.
Although DevOps and DevSecOps are widely adopted, cloud implementations are not always analyzed for security. Typically, there are individuals or teams who own end-to-end automation, provisioning, deployment and monitoring, but in many cases a security team isn’t formed until the project is almost complete.
Start with the Basics
In cloud environments, it is essential to start with a security-first mindset. In the case of enterprises utilizing a wide array of enterprise applications, security is usually focused on specific business objects, development cycles or customizations rather than on a holistic approach that ensures security controls across all applications. An environment procured from a CSP may not be fully isolated, and you as a client would be billed even when resources are consumed by illegitimate traffic such as DDoS, Heartbleed exploitation, or any other attack, resulting in additional costs or losses.
As seen in the graphic below, security requirements depend highly upon the services being utilized. Therefore, organizations need to be equally aware of and competent to address their specific security needs.
(Image credit – Cloud Security Alliance)
In many cases, cloud customers assume that CSP native controls are enough to address cloud security. It is always advisable to also partner with an experienced cloud security consultant to help implement a Minimum Security Program (MSP) to ensure you have your bases covered. An MSP partner will help ensure there are security controls across layers and lifecycles (i.e., DevOps, SDLC), making it easier to achieve security compliance and establish minimum security baselines (MSB).
Enterprises need to be proactive in addressing at least the minimum security baselines for their environments rather than taking reactive measures after a breach occurs. Breaches with far-reaching effects can happen due to the smallest of errors, such as opening inbound or outbound communication ports for services including remote desktop and secure shell connections. This is where the stricter security controls mentioned in the initial section should be properly implemented to avoid any unintentional security loopholes.
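One concrete baseline check for the error described above is to audit firewall ingress rules for remote desktop or secure shell ports open to the whole internet. The script below is an added example, not code from the original post or from Emtec; it assumes a simplified, constructed rule format (name, protocol, port range, source CIDRs) loosely modelled on cloud security-group rules, and flags any rule whose source is a /0 prefix and whose port range covers 22 or 3389.

```python
"""Audit cloud firewall ingress rules for admin ports exposed to the world."""
import ipaddress

# Ports the post singles out: secure shell and remote desktop.
ADMIN_PORTS = {22: "ssh", 3389: "rdp"}


def _is_world_open(cidr):
    # A /0 prefix (0.0.0.0/0 or ::/0) matches every source address.
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def _covers(rule, port):
    # Cloud firewalls express "all traffic" as protocol -1 with no port range,
    # so such a rule exposes every port, including the admin ports.
    if rule.get("protocol") == "-1":
        return True
    if rule.get("protocol") != "tcp":
        return False
    return rule["from_port"] <= port <= rule["to_port"]


def find_exposed_admin_rules(rules):
    """Return one finding per (rule, admin port, world-open source) triple."""
    findings = []
    for rule in rules:
        for cidr in rule.get("sources", []):
            if not _is_world_open(cidr):
                continue  # restricted to a specific network; fine
            for port, service in ADMIN_PORTS.items():
                if _covers(rule, port):
                    findings.append({"rule": rule["name"], "port": port,
                                     "service": service, "source": cidr})
    return findings


# Constructed sample rules (hypothetical, not from any real environment).
SAMPLE_RULES = [
    {"name": "bastion-ssh", "protocol": "tcp", "from_port": 22, "to_port": 22,
     "sources": ["0.0.0.0/0"]},                       # SSH open to the world
    {"name": "office-rdp", "protocol": "tcp", "from_port": 3389, "to_port": 3389,
     "sources": ["203.0.113.0/24"]},                  # RDP limited to one range
    {"name": "allow-all", "protocol": "-1", "from_port": None, "to_port": None,
     "sources": ["::/0"]},                            # everything, over IPv6
    {"name": "web", "protocol": "tcp", "from_port": 80, "to_port": 443,
     "sources": ["0.0.0.0/0"]},                       # public web, not admin
]

if __name__ == "__main__":
    for finding in find_exposed_admin_rules(SAMPLE_RULES):
        print(f"{finding['rule']}: {finding['service']} ({finding['port']}) "
              f"open to {finding['source']}")
```

Running it against the sample reports the bastion SSH rule once and the allow-all rule twice (SSH and RDP), while the office RDP and web rules pass.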
Another key cloud security aspect, which applies primarily to enterprises in niche or client data-centric verticals, is the need to provide security assurance to their own clients and prospects. Clients may require cloud security levels to be compliant with certifications like PCI DSS, ISO 27001 and more. Filling security gaps to meet compliance needs can be a long and exhaustive exercise, especially if internal security teams are absent or don’t have end-to-end security implementation experience. To avoid such situations, enterprises need to realize the importance of security early in their cloud adoption cycle so it can be woven tightly into the evaluation, implementation, migration, and maintenance phases of their cloud initiative, and ensure they have the right staff to monitor and manage security measures.
Recommendations for the Minimum Security Program:
Here are a few security recommendations for enterprises adopting cloud:
- Start with an MSP assessment to identify security gaps across your infrastructure by engaging an experienced Qualified Security Advisor (QSA). During this assessment, the core focus should be on closing security gaps.
- Define security policies leveraging any assessment recommendations.
- Identify basic security compliance controls to secure the infrastructure or to gain a specific certification, e.g., PCI DSS and ISO 27001.
- Enforce MSBs from the initial on-premises to cloud migration phases, if you are migrating applications to cloud.
- Define Cloud Governance policies.
- Create a Cloud Assessment Framework to build a consistent evaluation model for cloudified environments.
- Identify the existing tool stack and address security gaps through static code analysis, enforcing security validation in the pre-commit stage, etc.
- Identify critical security controls and address them by priority: resolve all reds first, then yellows.
- Ensure a semi-annual audit is conducted.
- When incorporating new applications or services into the mix, plan for MSB reviews during the initial stages.
Benefits of Minimum Security Program
The MSP will provide enterprises with immediate and tangible benefits like:
- Clarity on current security status
- Visibility into major security loopholes to be addressed by priority
- Clear visibility on gaps due to the layered approach
- Identification of appropriate tool stack to address security requirements
- Initiation of security controls in the early stage of development
- Ensures compliance readiness
- Establishes appropriate security policies and governance model
- Defines periodic action items to ensure ongoing basic security compliance
An MSP may appear to be difficult to implement at first, but it will be highly beneficial in the long run to avoid cloud security loopholes.
Evaluating a Qualified Security Advisor (QSA):
When evaluating a Qualified Security Advisor (QSA), here are some of the key criteria to look for:
- Experience in Integration Platform as a Service (IPaaS) for Enterprise Integration
- Experience with providers like AWS, Azure, Google Cloud Platform (GCP) and more
- Proven expertise in minimum security baseline assessments that provide cloud security compliance
- Experience in an enterprise cloud enablement life cycle, secure SDLC and DevOps
- Availability of cloud consultants through all project phases
- Proven and effective estimation process for Cloud Migration via a Cloud Migration Point methodology
- Ability to understand client’s business and recommend best aligned and most cost effective security tools and technologies
Conclusion
As discussed above, cloud security must be part of an overall cloud migration or adoption strategy, rather than an afterthought.
If you are looking to get started on your own cloud security initiative or need an assessment, Emtec can help you become cloud security compliant, leveraging our rich expertise in both the cloud and cyber security domains.
Contact us to get started.
References:
https://www.gartner.com/en/newsroom/press-releases/2019-04-02-gartner-forecasts-worldwide-public-cloud-revenue-to-g
https://www.cpomagazine.com/cyber-security/lessons-from-the-uber-breach-settlement/
https://securityboulevard.com/2019/06/whos-responsible-for-a-cloud-breach-it-depends/
https://www.gartner.com/smarterwithgartner/is-the-cloud-secure/
https://blog.cloudsecurityalliance.org/2019/09/05/how-to-share-the-security-responsibility-between-the-csp-and-customer/