In times of remote working, CISOs need to be able to confidently roll out their cloud strategy without concerns about cloud-specific security risks and vulnerabilities.
About two years ago, CISOs were saying they were bringing back on-premises some components that they had initially started to migrate to the cloud as part of their digital transformation journey. Were these voices going to turn into a trend? In fact, a Fortinet-commissioned survey by an independent company showed that 72% of respondents had actually migrated one component back home, ranging from data to applications and processes. What this interesting figure did not mean, though, was that their cloud journey had stopped.
Cloud is still the biggest IT trend we have ever witnessed, and continues to be a bright spot in 2020, according to Gartner. The story is more about a relentless back-and-forth process, wherein corporations are seeing the cloud as a full-size, no-CAPEX laboratory of innovation: a place where they can test and measure the take-off rate of new services, and then repatriate, or not, based on whatever the performance dictates. However, one essential caveat in this back-and-forth is that the outcome cannot trade security for flexibility. The moment you need to manually reissue, redeploy, and retest one element of your security policy, you lose the benefits of this freedom.
Recent events have truly been “ready or not, here we come” when it comes to dealing with the sheer scale of users accessing digital workloads and storefronts from the cloud. For many companies, this was one of the only ways to interact with their customers, so business sustainability hinged on availability and increasing the appeal of their offerings to pull more traffic from someone else. This need to attract customers in a time of great need may have led to the rules being relaxed a bit when it came to security, in order to decrease the friction of transactions.
But the magnitude of the remote working wave took even the most foresighted of CISOs by surprise. The fact is, remote working infrastructures and policies were never designed to face the entire planet working from home. But surprise turned into action in a few weeks. With so many users now accessing cloud resources from home, outside of the well-protected office connections, visibility into what is happening to workloads in the cloud, who is accessing them, and automated analysis of cloud activity became more important than ever.
There are three primary challenges that we hear most often from CISOs as they relate to cloud security strategy. COVID-19 notwithstanding, CISOs have understood pretty well that gaining agility and revenue was top of mind for businesses looking to create or expand their digital footprint to better reach the customer. This meant that they had to be prepared to move quickly when it came to properly assessing risk and implementing a complete cloud security strategy. This takes time and, as we all know, the business always wants to move faster.
CISOs who were methodically planning their cloud security strategies suddenly didn’t have the luxury of time in their “to cloud or not to cloud” deliberations. This is challenge number one – lack of time for planning.
With CISOs having input into, but not necessarily a choice of, cloud providers, challenge number two is the lack of resources and training. With the prevalence of multi-cloud, security teams needed experts in multiple different cloud architectures, tools and integrations, which can quickly become a complex burden on teams that are already stretched thin.
This segues into challenge three: “Who do I just give my keys to?” To speed up cloud migration and augment strapped security teams, businesses are turning to third parties for help and guidance, especially due to COVID-19. It is more important than ever to thoroughly vet and regularly evaluate these partnerships to ensure their security standards meet or exceed those of the business. Opening the environment to integrations from multiple third parties may solve temporary challenges, and may even become part of the long-term business strategy. However, care must be taken to avoid a “can’t see the forest for the trees” moment. Partner agreements and security policies cannot be a snapshot in time; they must evolve along with the company.
A full cloud audit in an organization found that over 30% of the cloud workloads tied to the company were either severely underutilized, grossly misconfigured, or (and this is the scariest part) previously unknown. Their mind immediately went to “can you imagine the cost savings if we right-sized these environments?” That is a completely valid point, and one most likely on the mind of businesses today, but the other question is “how positive an impact will cleaning this up have on the company’s security posture?”
This is called “cloud sprawl” and it is becoming more and more common as cloud computing becomes ubiquitous—similar to the virtual compute and traditional server architectures before it. Anyone can spin up new cloud resources that allow for fast and flexible business operations, but they also open the door for threat actors.
In times of remote working, CISOs need to be able to confidently roll out their cloud strategy without concerns about cloud-specific security risks and vulnerabilities. It’s critical that security solutions protect any cloud environment from multiple threat vectors and the entire range of exploits, both old and new.
The goal is to ensure that any cloud environment and any application receives the same security anywhere it is deployed or used, without hindering agility and scalability. No matter how fast or far an organization’s cloud footprint expands, unified management ensures that security, visibility and control are always available.
The author is Regional Vice President - India & SAARC, Fortinet