How should cybersecurity leadership be adjusting and reacting as cloud strategies and systems expand within their organizations?

When moving to the cloud, the question for CISOs becomes: How do we make sure that our cloud is at least as secure, if not more secure, than the legacy on-premises environment from which we’re moving? It’s an essential question to answer. After all, data from the SANS 2020 IT Cybersecurity Spending Survey shows the biggest factor that is causing existing security architectures to break, and thus causing much of the new security spending, is the rapid movement of business apps and services to cloud-based technologies.

That’s because a move to the cloud is about much more than just migrating workloads to servers hosted by a third party; the cloud represents a new way of doing business, new technologies supporting the business, new rules around ownership and responsibility, and new cybersecurity considerations to take into account.

For CISOs, the path forward into the cloud must be predated by strategy. As you’re devising your cloud security plan, here are five things to keep in mind.

1. Understand Your Business Drivers

Step one for CISOs is figuring out your cloud roadmap, which means you need to assess your organization’s risk appetite and business drivers. There are many different ways to adopt the cloud—you can go with a single cloud provider, multi-cloud or a hybrid cloud architecture; you can dip your toes in by moving one workload to the cloud, take a phased approach or go whole hog into the cloud. From a leadership perspective, it’s really about understanding your business drivers and what critical security controls need to be in place to support these goals. Once you’re able to identify your reasons for moving to the cloud, you’ll be better able to lay out your objectives and road map to accomplish what you need to in year one, two, etc.

2. Build a Deep Technical Bench

With the move to cloud, cybersecurity needs to be prepared to evolve. It’s gotten to the point, in terms of industry momentum, where every cybersecurity professional has to be knowledgeable about the cloud to varying degrees. As a CISO, you need to make sure that your security team is staffed with people who know about the features of the various clouds you are deploying, what those services are used for and the configuration settings for that particular cloud. With the current shortage of skilled workers, many CISOs are getting creative and investing in cloud-focused cybersecurity training to reskill current staff.

3. Enable Automation

One of the big concepts of the cloud is that it makes automation substantially easier compared to the pre-cloud environment where people had to set up their own duplicative infrastructures to spin things up. You’re not taking full advantage of all the cloud benefits if you’re not implementing automation and DevOps, too.

4. Focus on Applications

The move to the cloud has abstracted the servers and hardware away, changing the rules of the game when it comes to ownership. Most all cloud providers operate on a shared responsibility model, where the provider is responsible for certain layers, but the customer is responsible for data and applications. In order to keep all your organization’s information secured, prepare your team to focus more on understanding the application layer, where their responsibilities likely lie. The issue of shared responsibility had a spotlight shined on it last year with the highly publicized Capital One data breach that brought into question whether AWS or Capital One was at fault.

5. Enhance Visibility with Logging and Monitoring

In the wake of that Capital One data breach, AWS enhanced some of its services that had played a part in this breach occurring. It also added some tagging functionality that identifies which version of the service is being used. That extra data gives companies more insight into the things that could be going wrong. Visibility—one of the top cloud concerns expressed by respondents to the SANS 2019 Cloud Security Survey—is key in the cloud. This ties back to the need to build a deep team with technical knowledge base. Yes, your team needs to know what attacker behavior and common attacks look like, but they also need to know what features are available within the cloud services that would ultimately help you detect malicious and anomalous behavior. 

Contributors: