As part of our Cybersecurity Webinar Series last month, we presented a webinar on enhancing security strategy for cloud-based technology. Here is a summary of the topic discussed. For the full discussion, including questions from the live audience, click on this link to listen to the archived version of the webinar.
State of the Industry
Digital innovation is a double-edged sword: while it creates opportunity for business transformation, it also exposes organizations to greater cyber risk.
Protiviti participated recently in a joint research study in which 1,300 organizations were asked what trends are impacting how they think about their security programs. More than half responded that new technologies like artificial intelligence, the internet of things and blockchain would have the most impact on their programs. More than half also said that open platforms (including cloud-based systems) would impact security strategy the most. It’s significant to notice that the new technologies of interest to these participants typically run on cloud-based platforms.
The results underscore this message about cybersecurity: While no one wants to miss out on the benefits delivered by new technologies and open platforms, keeping pace with the security challenges they entail is crucial.
Strategies for Addressing Cloud Risk
Organizations have four traditional options when it comes to risk. They can 1) avoid risk by choosing to not engage in a particularly risky practice; 2) reduce risk by implementing controls and response plans to reduce the likelihood of risk events occurring and/or the severity of their impact should they occur; 3) transfer risk to third parties; or 4) accept risk.
Cloud-based technologies follow this traditional set of options through the shared responsibility model. In this model, the cloud service provider is responsible for the physical infrastructure and network, while for most services the clients secure and protect their own systems that operate on top of the provided platform. Note that training existing company resources in the new skills required to support this model is less expensive than hiring new staff who possess prior experience with the cloud.
Frameworks, Benchmarks and Tools
There are a number of frameworks and benchmarks available that enable organizations to adopt cloud solutions effectively and securely. Organizations should identify the frameworks and benchmarks appropriate for their specific cloud platforms and use them to incorporate established leading practices.
- The Cloud Security Alliance is an excellent resource for frameworks. The CSA’s Cloud Security Guidance and Cloud Control Matrix are useful tools for guiding your internal cloud security program and evaluating vendors operating in the cloud, respectively.
- The AWS Well-Architected Framework is another tool that goes beyond security and performance, but also focuses on reliability and system availability.
- The Security Best Practices for Azure Solutions white paper incorporates the experience of Microsoft and their clients in securing Azure environments.
- The Best Practices for Enterprise Organizations is a similar collection of practices to secure a Google Cloud platform environment.
- The Center for Internet Security offers benchmarks to provide guidance for configuring some security options for cloud services, giving emphasis to foundational, testable and architecture-agnostic settings.
In addition to these frameworks, other tools include enterprise and open source solutions to address vulnerability management, log collection, monitoring, and other operational tasks associated with a robust security program. Organizations should implement the technologies available to enable a real-time understanding of the health and security of their cloud environments in a manner commensurate with their individual program objectives and risk appetite.
The Importance of Architectural Decisions
The importance of architectural decisions, as they relate to cloud implementations, is sometimes underrated. These decisions should be thoughtfully considered to ensure they address enterprise risk. Architecture teams should work with security teams to evaluate cloud services under consideration and to capture service-specific control requirements.
The following are leading practices when designing cloud architectures:
- Develop a reference architecture library that templatizes solutions and provides a shared vocabulary to facilitate implementation and effective reuse of known good-design patterns.
- Consider the organization’s regulatory obligations in order to choose services that enable compliance.
- The architecture and security teams should collaborate to understand each in-use service in depth. The reference architecture library will be instrumental for capturing the benefit of this exercise.
Security features built into architectural decisions can be expensive. For instance, organizations sometimes start by using on-premise hosts for logs and similar data, thus incurring transfer fees as data shifts from the cloud to local hosts. The cost impacts of any security decision related to the architecture must be considered from both cost-of-implementation and cost-of-operation standpoints.
Compliance as Code
In many cases, compliance can be made automatic by embedding security checks in code. Where once development teams would deliver completed code to security teams for review, compliance as code renders that sequential approach unnecessary. Security rule enforcement can be automated, so developers can run their code through the checks iteratively to achieve near-real-time detection of any security issue while the code is still under development. Further, automated security and compliance checks can be set to routinely scan an environment or be triggered by change in the monitored services. This code can perform the checks necessary to demonstrate continued compliance with the desired controls. For certain situations, the automation can extend beyond the detection of issues, and automate the remediation as well.
Organizations considering cloud-based and other new technologies should assess and prioritize cloud security risks and use relevant references like frameworks to align future-state security design with available leading practices. Businesses should look into acquiring tools to monitor the health and security of their cloud environments. Security rule enforcement should be automated wherever possible.
Certainly, organizations should take advantage of the opportunities that new technologies and cloud platforms represent. Incorporating the security strategies discussed here will ensure the attendant risks are well-mitigated.
Matthew Farrar with Protiviti’s Security and Privacy practice contributed to this content.