By Todd Margules, Senior Director Application Development & Modernization
As federal agencies move to the cloud, not only do they relinquish part of the IT stack to third parties, but they introduce complexity in systems that did not exist in on-premise hosting environments. In these new hosted solutions, the old way of securing systems is simply inadequate.
Despite this, cloud adoption is increasing, and for good reason. Cloud computing offers a long list of benefits, such as:
- collaboration across different locations
- reduced IT cost
- the ability to scale up or down quickly
- business continuity
- automatic updates to your technology
However, cloud storage presents risks. Consider this: Verizon, Accenture, Booz Allen Hamilton, Marriott, and most notably, Facebook, have all suffered major cloud breaches in the last few years. The primary culprit behind these hacks? It wasn’t insider threats or phishing scams, but rather misconfigurations.
While fundamental best security practices may still apply – including least privilege, patching, real-time monitoring, regular audits, and so forth – the cloud introduces new security requirements that, if not heeded, can land you on the list of high-profile cloud hacks like the ones noted above.
Every technology implementation has strengths and weaknesses. One trick to gain the benefit and reduce risk is to make sure that your mindset matches the technology. A good beginning point for the right mindset is to acknowledge one basic axiom: Cloud computing is complicated. But with a multi-pronged approach, it can be secure and reliable.
Five Steps to Minimize Cloud Computing Risks
There are a lot of moving parts to the cloud and, if used to their fullest potential, cloud systems constantly change. Under these conditions, the old Build-Test-Deploy paradigm of continuous integration cannot reliably be secured through manual means in cloud environments. What’s more, microservices can create fuzzy lines between security boundaries where threat vectors can easily be overlooked.
So, what is the thinking that should match cloud technologies? Looking over the cloud landscape, agencies should consider a few key points. Here is a basic summary of these consideration, with some helpful links with further information:
1. Security and Data Access
Organizations need to implement new controls that automate compliance to safeguard their cloud systems. Protection of data should include end-to-end secure content management, encryption, network engineering and management, authentication, and intrusion detection.
2. Policy-as-Code Integrated into DevOps
Policy-as-code is still emerging and is recognized as critical to creating a high-performing secure DevOps process, which is an integral aspect of cloud development and deployment. In the future, it should be part of a larger ecosystem that organizations develop around their cloud computing practice.
3. Tracking User Actions and Misconfigurations
While cloud and enterprise systems should be designed around the user experience, security should be layered at every step. Logging services track changes made by users across cloud environments. Cloud Access Security Brokers (CASB) can monitor and enforce policies to protect data from misconfiguration through human error.
4. Real-Time Monitoring of Traffic and Network Flows
The saying goes like this: “You can’t secure what you can’t see.” Increasingly, real-time visibility of data is necessary for optimal cloud and enterprise solutions. Data points range from operations, projects, and risk status to performance metrics, schedules, and milestones.
5. Continual Auditing to Improve Efficiency and Security
Robotic Process Automation is a technology tool that interacts with systems and applications to improve security, employee productivity, customer service, and efficiency across your enterprise infrastructures. RPA is a powerful, scalable, and secure solution that can help ensure systems are thoroughly risk reviewed for cloud-readiness.