Whether you’ve migrated some or all of your infrastructure to the cloud or are still considering the move, you should be thinking about security. Too often, organizations assume a certain level of protection from a cloud service provider and don’t take steps to ensure applications and data are just as safe as those housed in the data center.
The sheer range of cloud technology has generated an array of new security challenges. From reconciling security policies across hybrid environments to keeping a wary eye on cloud cotenants, there is no shortage of concerns. An increasingly complex attack landscape only complicates matters and requires security systems that are vigilant and able to adapt. Here are nine tips to consider before, during, and after a cloud migration to stay ahead of the curve when evaluating security solutions for your cloud service.
➢ Plan for Hybrid Environments
The majority of organizations will have applications housed across hybrid environments, requiring CIOs to coordinate security policies across these environments. It might be tempting to rely on your cloud service provider for security, but that could lead to risky inconsistencies. Identify security services that overlay a number of different cloud-based apps and provide the same technology and policy management for on-premises applications.
➢ Start with low risk assets
As you begin migrating to the cloud, start with data and apps that are less sensitive or mission critical. CRMs, for example, might not be as sensitive to downtime or data loss. Until you’ve vetted the reliability and security of a cloud service provider, avoid migrating high-risk assets.
➢ Maintain user confidentiality
If your cloud provider is defending against encrypted attacks, it might inadvertently compromise user confidentiality. After all, detecting encrypted attacks requires some level of decryption of both legitimate and malicious traffic. Check with your cloud provider to see what solutions it uses and whether your sensitive information will stay private.
➢ Know what you have in the cloud
Your employees are almost certainly using cloud-based applications without the knowledge of IT teams, leaving a trail of vulnerabilities and data leakage. Unapproved cloud-based apps can lead to malware, posing a risk to the network. This problem has generated a new category in the security space: the cloud access security broker.
➢ Don’t become collateral damage
Understand the architecture and security offered by your cloud provider. Sharing computing resources/space can result in outages throughout the network, degraded performance, or denied access for users in certain geographies. If you share space with the target of an attack, you could become collateral damage. Can your cloud provider separate attack traffic from clean traffic to prevent attacks on cotenants of a cloud platform?
➢ Understand compliance implications
If encrypted sessions are being terminated in the cloud, make sure your provider’s platform or location fits both internal and industry compliance standards. You may be required to upgrade or modify security protocols to ensure the cloud service complies.
➢ Detect where you can, mitigate where you should
Monitoring for attacks at your own data center is relatively easy, but cloud adoption means critical assets aren’t as “close” as they used to be. That distance can negatively impact timely detection. Place detection capabilities in front of your cloud-based assets just as you would in your data center. This allows you to assess the attack and determine the appropriate response, for example, turning to cloud scrubbing if it’s a volumetric attack.
➢ Understand the security capabilities of your cloud vendors
As with any service category, cloud hosting providers have different strengths and weaknesses. Some differentiate based on price, others on speed, and others on security. Be sure to understand the security capabilities of your provider.
➢ Separate security requirements from hosting requirements
Be careful not to let business units outside IT take ownership of security. Business units are under a lot of pressure to leverage the cloud to speed time-to-market and reduce costs. Security becomes a secondary consideration. Most of these business teams don’t have the skills or knowledge to assess security requirements.