The Need to Update

Genady Vishnevetsky, Chief Information Security Officer, Stewart Title


In the last decade, the cloud has dramatically changed our perception of Information Technology. Our transformation to the cloud compelled Service Providers to deliver new services, from Infrastructure as a Service (IaaS) to Code as a Service (CaaS) and everything in between. This movement is going at lightning speed, but many IT disciplines are falling behind.

Many enterprises are accustomed to the segregation of duties and strict change control in the traditional data center world. When a new application is developed, different IT towers build and provide infrastructure before anything goes live. Just as a good recipe requires multiple ingredients, on-premise deployment often involves, at minimum, servers, network, identity teams, and database admins working in harmony and following the change control process. The development process is more controlled and defined.

Cloud changed everything. In most cases, traditional networking devices are replaced by Software Defined Networks (SDN). The networks become flat, and the entire infrastructure is managed through a single GUI. In some cloud models, the developer is an infrastructure, network, storage, and identity engineer, and thus can conceivably fully deploy the working application into the cloud by himself. Configuration, management, and monitoring tools are partitioned in the traditional datacenter-centric model, whereas add-ons from the cloud provider are hosted within the same environment as everything else. Cloud-native DevOps are frequently used to source and deploy the code.

It reminds me of the evolution of the Windows operating system. Early desktop and server operating systems came open by default and required the user/administrator to configure the appropriate security features. All modern versions come security-hardened by default. One can safely build a secure environment out of the box in minutes. I believe the cloud is experiencing an early Windows journey. The ever-growing needs, ease of access, and use created opportunities for many developers and small companies to fill the gap. Our applications interconnect through endless APIs. It's so easy to lose visibility.

How do you begin the safe journey to the cloud?

First, apply the same principles we have used for decades in the on-premise model to your cloud environment. Ensure that segregation of duties, strict access controls, and change management are fundamental building blocks of your cloud deployment process. Apply the same principles and technologies to thorough testing and monitoring. For example, cloud containers must go through the same stringent security hardening, and the same testing of application code and infrastructure for vulnerabilities and misconfiguration, as their on-premise counterparts. Identity services and encryption management are even more critical in the cloud. Don't settle for out-of-the-box solutions and features available from your cloud provider. Many global settings are overly permissive until tuned down. Apply or extend the same technologies and processes you use on-premise to the cloud. For example, if you are building a regulated environment, ensure that you have complete control of your encryption key.

In some cases, your service provider may be subject to a subpoena and will be forced to give up the built-in key. Use the same rigor to build processes into your cloud as you use in your data center. Newer security solutions like Cloud Access Security Brokers (CASB) or Cloud Security Posture Management (CSPM) can be a lifesaver in an environment you no longer control. The same defense-in-depth principle must apply regardless of where your data is.
