The cloud. A new destination filled with the potential to transform how you do business and manage infrastructure. But also an emerging technology that brings different risks to information security as well as the involvement and influence of third-party providers. Businesses are demanding increased levels of security and compliance when migrating their IT to the cloud. Despite widespread adoption of cloud services, the perception that they carry risk remains high among security professionals, with one of the most significant barriers to cloud implementation being the increased compliance and regulatory challenges that organisations face when choosing to move to cloud services or hosted solutions.
1. Migrating Systems Safely To The Cloud
It’s likely that decisions around which systems or applications will move to the cloud will be informed firstly by compatibility and then by cost. Any systems you’ve already virtualised will be in your sights first as they present the most flexible parts of your architecture. But you’ll also need to weigh up the nature of any data that could be stored or accessed by these systems once in the cloud. This is also where you’ll potentially face compliance requirements that would make migration more complex. The type of cloud deployment you choose will also impact directly on who is responsible for data. As illustrated here, the more of your system is devolved to a cloud provider, the greater the responsibility they take for its security.
2. Who Is Accessing Your Hosted Systems & Data?
If you plan to work with a cloud provider to supply the infrastructure, you need to recognise that there is the potential for more individuals to be accessing your systems and data. If you’re investing in a completely managed service, make sure there’s a way for you to see who’s accessing your service and what actions they’re taking. If you’re using the cloud for IaaS or PaaS, then strongly consider investing in a way to control access for administration, not just for your cloud provider, but also for your own teams.
Putting systems in the cloud could be your opportunity to begin to properly manage access for privileged users. Why not create an environment where only those who NEED access to systems get it when they need it? Where no local passwords are known or need to be changed? The better control and visibility you have of when resources are accessed, upgraded or altered, the more secure these systems will be. Ask your cloud provider what steps they take to ensure access management is effective not only for their admins but yours too.
3. Always Monitor & Record Activity
The ability to record and audit activity on cloud systems is important from two standpoints. Firstly, to ensure compliance and give you an audit trail in the event of a breach, but also to give you the kind of visibility you need to see how effective your cloud provider is. Identifying activity taken on a server before a problem arises, ensuring that service providers meet agreed SLAs and defined patching regimes, or confirming that work you expect to be undertaken has been successfully completed will undoubtedly give you peace of mind, especially if you can watch these activities in real time and even take action if you need to.
This is all valuable intelligence, but keep in mind the potential impact on performance, especially if session recording requires agents to be installed on target systems. You’ll also want to be sure that it’s possible to record on as many operating systems as possible (including devices with command line interfaces). Even taking into account these considerations, session recording capability will help to give you the visibility and therefore the confidence to invest time and resources in your migration to the cloud.
Ultimately, cloud security is a shared responsibility between the cloud service provider and the client. And understanding how that division of responsibility for security works will be key before beginning any migration. For example, knowing which security technologies you will be directly responsible for and whether these technologies can be services you consume from the cloud or solutions you bring to the cloud.