Cloud migration is one of the hottest industry topics right now. Many organizations are rapidly making the transformation to the cloud, and industry professionals are working just as quickly to hone their cloud skills. Within all cloud discussions, the underlying importance of security is ever present. Information security professionals are seizing this learning opportunity as well, and those who have been working in a cloud environment are enhancing their security skills.
Cloud security skills can be seen as very similar to the security skills for any on-premises data center. However, in many instances, organizations are learning that their familiar applications cannot simply be “forklifted” to the cloud. Not only do many legacy applications break when placed in a cloud infrastructure, but the entire security model is impacted as well. The need for a trained cloud security professional has never been more apparent. The knowledge acquired through the Certified Cloud Security Professional (CCSP) designation offered by ISC2 is the perfect preparation to ease the challenges of cloud security.
Even though cloud computing has been around for a while, many of the security aspects are still misunderstood. Those who work in the industry and hold the CCSP credential have provided some insights into these misunderstandings. Tara Hunter, who works as a Senior Cloud Security Engineer, expresses it by saying that “so often, I hear people state that something is not their problem since they are on a cloud provider’s platform. That’s simply not true, and the enterprise gets burned when they later find out they are always ultimately the responsible party for their data.” This is echoed in the academic community as well. Bryan R Lewis, an Assistant Dean and Lecturer in IT, shares the awareness that “moving to the cloud does not outsource your security requirements. All legal and compliance requirements and associated risks always remain with the data owner.”
One area where a security professional with cloud knowledge can help is during the earliest phases of cloud migration. The first step is to assess your current infrastructure and readiness. While this may seem obvious, many companies do not truly know what they presently have. A complete asset inventory, as well as a deep understanding of how all the systems interconnect, is vital to a successful cloud migration. Carlos Lopez, a Security Correlation Engineer, sums it up by stating that “There are no shortcuts: Always start with an in-depth analysis of the application requirements, dependencies, and the relations with the underlying infrastructure.”
An important part of your inventory is the data itself. Knowing what your data is and where it resides is an important facet of any cloud migration. Group Information Security Manager Au Yeung Shan Shan explains it this way: “Classify and understand your data. Follow its lifecycle and protect it with appropriate security controls. Data has a very different risk profile once it is out of your ‘house’ or controlled. Do not take that lightly.”
A successful cloud security program must also include preparation and continued maintenance towards preserving the new environment. Policy alone, however, is not enough to meet compliance requirements. Auditing and legal controls, including eDiscovery requirements, all need to be assessed. Achieving actionable policy, proper audit controls, and legal considerations can only occur through collaboration. Consider the words of a business owner such as Adele Farhadian: “If you are in a highly compliant environment, ask your auditors for very specific cloud requirements before you decide to move to the cloud. Don’t forget to ask them for scenarios where cloud may cause a compliance violation.”
Another perspective on this same idea is offered by Keith McMillan. “Understand that when moving to the cloud, enhanced flexibility comes with more exposure to attack, and also a need for different controls. As you consider moving existing systems to the cloud, you need to evaluate whether the new controls, combined with the new risks can be adequately addressed by the controls available to you in the new environment.”
It is clear that cloud computing has impacted multiple industries, and the security professionals working within those industries come from varied backgrounds, with differing approaches. While the varied professional titles show the breadth of the opportunities for working in the cloud landscape, one thing that is certain is that they are all aiming to achieve the same result: securing an enterprise that operates in the cloud. One element that stands out is that all of these professionals have studied the security materials in order to succeed. No one is born with cloud security knowledge. As a Managing Partner at KM Cybersecurity LLC, Keatron Evans makes this point clear with the following advice: “Make sure you give your staff the appropriate amount of training and time to learn the technology. Some of the most disastrous cloud migrations I’ve seen were a result of not having the right staff involved in the migration.”
The wisdom offered by all of the professionals quoted above is merely a prelude to the responsibilities of securing the cloud. Other topics, such as the stages of planning, understanding dependencies, and the uniqueness of the cloud, are all separate subjects for study. The voices of these, and other cloud security professionals, are captured in a new eBook, which offers insights into some of the challenges of migrating to the cloud. The words spoken by the people working in the industry are formulas for success.
For more advice and insights on secure cloud migration, download the ISC2 eBook, 20 Tips for Secure Cloud Migration.
The post Cloud Security Is Best Achieved With The Right Preparation appeared first on Cybersecurity Insiders.