Today, for any organization, migrating to the cloud is not just an option; it’s a de facto mandate. There are several considerations that an organization needs to take into account to ensure a smooth and secure migration to the cloud. And when the security budgets are limited, which security initiatives are prioritized can dictate the success or failure of an organization’s cloud migration journey. Specifically, the questions that a CISO needs to be able to answer are:
- Which strategic investments should be made in the initial phases vs. the latter phases?
- Should the people investments be internally focused, or should the organization seek external help?
- Which technical investments are going to yield the best ROI?
As I attended the inaugural AWS re:Inforce event in Boston this June, I got a better sense of how CISOs may be thinking about these initiatives. Let’s take a look at each of these in detail.
In speaking with the CISOs and security leaders at re:Inforce, I learnt that internal alignment on the cloud migration strategy is top of mind for them. Even where a CEO directive for cloud migration exists, getting the entire executive team on board, and educating business unit leaders on how security in the cloud will be as good as or better than the on-prem environment, is seen as an essential step in ensuring a successful journey to the cloud. So, as a CISO, the most important strategic initiative to start with is to educate, align, and build confidence internally that you have developed a plan for a smooth and secure journey to the cloud.
Skills & Resource Initiatives
Most organizations have had on-prem IT infrastructure for the last few decades. There are few (if any) “born in the cloud” enterprises. In fact, we should expect that most enterprises will have hybrid IT infrastructure for the foreseeable future. So, it is no surprise that IT and security staff are skilled in managing and securing on-prem infrastructure. How, then, should CISOs approach the security skills gap in the cloud journey? In my discussions with the security leaders at re:Inforce, the sensible approach seemed to be two-fold. First, do a cloud skills assessment of the current IT staff and determine how well-versed they are in cloud provider environments, architecture, operations, and development. Second, based on the result of this assessment, figure out the level of external help needed to train the staff to own the ongoing security operations of the cloud-based infrastructure. The main takeaway is not to go it alone on the cloud journey: temporarily leverage external resources, and develop a long-term plan for in-house ownership.
Securing cloud infrastructure is a whole different ball game from securing its on-prem counterpart, because in the cloud the security perimeter either does not exist or is not within the organization’s control. Hence, the technology investments for securing cloud infrastructure are less about buying perimeter infrastructure like firewalls and IPSs and more about complying with data protection standards, implementing a configuration and vulnerability management framework, and developing a business continuity plan for running applications in the cloud provider environment. Specifically, under the shared responsibility model of cloud security, CISOs must understand what the cloud provider is responsible for (and capable of) and what the CISO’s own organization is responsible for in order to ensure comprehensive security.
Running a lean business is about focusing on core competencies and outsourcing non-core operations. Securing the cloud infrastructure is no different. In the same way that CIOs delegate hosting of an application to a SaaS provider while maintaining in-house responsibility for the business aspects of that application, CISOs should delegate infrastructure responsibilities to the cloud provider while maintaining security policy responsibilities in-house. As an example, when an organization secures access to the Internet and cloud-based resources using Forcepoint’s converged security platform, it is purchasing security as a utility: Forcepoint provides a secure and resilient infrastructure, while the organization maintains policy control over how its traffic is secured. This approach ensures a smooth and secure migration to the cloud in a cost-efficient manner.