Public Cloud Transformation: Keys to Data Security
Although it is early in the investigations into the recent Capital One® breach, one can certainly draw some preliminary conclusions. Primary among these is the need for continuous attention to details when moving workloads to public cloud environments.
The transition to public clouds such as Microsoft® Azure, Amazon® Web Services (AWS), Google® Cloud, or Oracle® Cloud is easier than ever. Understandably, public cloud has become an accelerator of businesses world-wide, and a likely keystone to Capital One’s objective to leading the industry as a technology-centric financial institution. Shifting workloads to public cloud, while easy, requires transformational strategy and activities fully integrated with a company’s security strategy – lest companies miss important, yet basic, details required to secure data.
Building a Cloud Transformation Strategy
Building a strategy and completing cloud transformation requires significant partnership across the enterprise which includes: IT Operations, Security, Applications/Development, and Business Operations. Due to data breach consequences, enterprises cannot afford to accept skill gaps or lack of due-diligence in any of these areas. If a deficiency is identified in any key area, engaging a trusted partner with skills in integrated cloud transformation is key to executing a successful cloud transformation roadmap.
A cloud transformation strategy begins with detailed data analysis including sensitive data held by the entity or its associates, where it is stored today, and where it will be stored for business enablement in the future. While this is a very business-informed analysis, it is the foundation of any information security program and any public cloud transformation.
Second, identify the steps required to harden your cloud deployment to meet existing (or improved) security standards. This hardening often doesn’t take place prior to moving data and workloads to public clouds and is one of the easiest, yet highest risk mistakes an enterprise can make. Re-using hardening standards developed for traditional deployments often doesn’t include the new security features as well as, standard features that are configured or controlled at the application layer.
Once hardening is in place, monitoring hardening is critical. This can be achieved through a healthy DevOps program that incorporates security into the release management process. For more persistent workloads, strong change and configuration management reviews are critical to making public cloud assets far less attractive to potential attackers and should include the entire state of the environment, not just application or system vulnerabilities.
Last, and most importantly, an access management strategy that incorporates secure cloud technologies and sunsets legacy vulnerable access methods is mandatory. Multi-factor authentication is highly recommended by Secure-24. Privileged access should be centrally managed, typically via a Privileged Access Management (PAM) tool and Global Admins to the cloud environment should be vigorously restricted. An Identity and Access Management tool should be used to ensure that access in only provided to those who need it for their job and reviewed regularly.
Security Check Points
With an enormous amount of data combined with required protections, how does a CISO ensure that every detail is handled correctly? As we have seen, even the largest companies have been breached, the root of which can be tracked back to negligence or lack of understanding on the impact of employee actions or inaction, however well intentioned. There are several ways to add additional check points to overcome this.
- Managed Services Provider (MSP). Consider using a managed services provider who has significant experience transforming workloads to run in public, hybrid and multi-cloud Select an MSP who has the experience, provides a detailed SOC2 audit by a well-known auditor, and preferably has knowledge in your industry. Check their references with like companies. An MSP can be instrumental in identifying what and where your sensitive data lies and use industry standards to protect it with server hardening, encryption, MFA, high availability, etc.
- Managed Security Services Provider (MSSP). Consider engaging an MSSP to augment your information security staff. Make sure that they can have a good working relationship with any managed IT services provider you partner with, so that necessary changes can be made quickly. Using an MSSP gives you another set of eyes besides your own staff to run audits and go over the results. Do not forget to have them do the necessary due diligence for data in the cloud, even those run by reputable companies. Just because the data is partially protected by the cloud provider does not mean it is exempt from the same protections and auditing enforced in more traditional settings.
- Engage a Third-party. Engage a third party to conduct extensive penetration testing at least quarterly, and more often depending on the impact that could occur should your sensitive data be exposed. Again, ensure that the results for critical and high findings are implemented quickly. Also, engage a third party to search for any data that is not in a location you expect. Entities are often surprised to find that any employee or contractor has uploaded sensitive data to an Internet site without authorization to do so.
- Security is Top Priority. Finally, make information security and privacy a top priority and part of your company culture by embedding security into the business. If done well, employees will ensure that any data they control is secured, network and server administrators will ensure configurations and hardening are done promptly, and employees will act as extended eyes for the CISO to find and report anomalous behavior or possible vulnerabilities.
In conclusion, although the task of verifying every detail seems an insurmountable task, prioritizing your cloud transformation process based on data sensitivity, using expert service providers, regular testing and audits, and empowering an engaged and security conscious workforce tor report issues will go a long way to achieving your goal. For more information about Secure-24 Managed Public Cloud and Security, view our Managed Security Services video.
John Brady is the CISO at Secure-24.