Guardrails within the IT infrastructure
With security central to the vendor selection and responsibility model creation, the security team now has a strong vantage point to embed security into the cloud migration process by setting up base guardrails and minimum configurations to protect deployment before migration activities begin. For example, workload protection and secure landing zones can create a standard configuration template that is scalable and sustainable for rapid deployment of future applications without the need for reengineering. Given the cloud methodology is meant for Agile and DevOps, an organization without secure DevOps could be undertaking a significant amount of risk, and it could be an additional component to managing development during the migration process.
Manage DevSecOps processes with the desired mix in place
DevSecOps enables organizations to embed security into their workflow rather than as a bolt-on to development.16 This allows developers and security professionals to have the shared goals of secure configurations continuously monitored, remediated, and managed for cybersecurity that drives creation of agile, resilient solutions. One insurance company, for example, migrated hundreds of applications to the cloud. DevSecOps enabled the cloud engineering team to better plan the architecture of the environment and build the cloud infrastructure to enable a secure migration. These processes can be further complemented by security automation and orchestration tools to implement structured workflows, automate security tasks, and prevent and detect threats.
- Skills/talent. Legacy technologies use virtual appliances such as those from firewall vendors to secure systems, whereas cloud technologies require understanding of security configurations. The shift requires a new talent operating model that moves work away from a develop, implement, and deploy framework, followed by security. Shift-left means security is involved upfront to provide baselines and configurations and set up architecture before go-live, reducing the need to be involved afterward. This leads to a very different talent operating and integration model.
- Microservices. As organizations look to modernize legacy applications to create more agile point-to-point services, cloud microservices operating models should consider vendor limitations and vendor portability/interoperability issues. Organizations can consider an agnostic middleware layer or microservices deployment model that helps the client resolve issues such as multi-cloud, as well as issues across enterprise systems.
The cloud security controls framework
Across the C-level, the move from on-premise to cloud typically requires a security mindset shift—from managing physical infrastructure to monitoring access across a “stateless distributed environment.” Importantly, the controls framework should address network, platform, and infrastructure; user and data security; and core application security.
Network, platform, and infrastructure
“Security by design” enables cloud developers and security teams to build guardrails into the infrastructure itself, establishing agile and secure processes. Therefore, before developers gain access to the cloud environment, the CIO and team should consider the leading approach to secure the network. It might be to embed guardrails into the cloud platform itself with “security by design” IT infrastructure, or to put in place restrictive “security by design” IT processes (e.g., authorized users responsible for reviewing infrastructure and source code before pushing to production). Industry-leading practices are moving away from perimeter-based security toward zero-trust network security architectures,17 which enable more modular developer environments, as well as micro segmentation to allow for varying levels of infrastructure access and controls across the network, identity access, and applications.
As an example of the infrastructure approach, one asset management organization moved from private to public cloud and embedded hundreds of controls into the cloud platform at the code level before giving developers administrative access. These controls served as guardrails, resulting in the successful creation of a safe and compliant development environment.18
Alternatively, taking the process approach, another financial services organization removed or highly restricted developer keys to shift access and processes for code deployment. This prompted a major cultural shift for developers who previously had been able to push application changes live more autonomously; the privilege was now restricted to a small group. To reinforce the new protocol, the organization monitored for behaviors that deviated from the new controls process; in particular, one common scenario of developers now unauthorized to push live updates using a virtual machine to bypass the privilege-access management tooling, thereby potentially creating an exposed port. To address this risk, the organization implemented a security orchestration automation and response solution, enabling the company to collect security operations data; built a business case to detect security configuration changes; and orchestrated a custom workflow resolution for reviewing them. This gave the firm required visibility for proactive network monitoring and the ability to close open ports.
User and data security
Cloud migration often requires a new approach to identity. While previously physical credentials (e.g., building access) were acceptable authorization, in a distributed system that can be accessed anywhere, user-level access credentials and key management may be required. Identity access management protocols can be fed into a modularized identity platform with user-level access requirements.19 A focus on data protection, privacy, resilience, and regulations can guide data access rights and user privileges. Executives should plan on balancing legal minimum requirements for encryption against too much encryption, which may slow down applications.20
Core application security
Before moving data or workloads to the cloud, the cloud and cyber teams should determine that the following minimum controls are in place:
- Workload protection–set base guardrails and minimum configurations to protect deployment. For instance, an organization may have preset templates for function-based or container-based applications.
- Secure landing zone–establish a secure environment covering account structures, security rules, and other foundational services, based on the operating model. For example, many organizations establish a public subnet and a private subnet as a public-facing landing zone versus a private virtual network for corporate users.
- Secure by design/DevSecOps–follow security by design and DevSecOps principles as discussed with the operating model recommendations.
- Segmentation and zero trust–employ network segmentation and zero-trust protocols. For example, the organization can restrict full administrative access to the application to only the senior-most developers with stricter security credentials and training, using containers for tiered access segmentation.
- Attack surface management– manage the vulnerability landscape with tailored services to enhance vulnerability and attack surface programs. Organizations can focus on identifying and assessing cloud assets through their life cycle and across different architecture layers. As an example, smart factories can think through data flows across cloud and edge tiers to determine security is in place across the ecosystem.
Risk management considerations for the cloud cyber program
Cloud migration can reduce certain infrastructure security risks managed on-premise, with encryption, logging, private networking, monitoring, DDoS protection, automated patches, and other elements built into the cloud environment. However, many migrated systems and applications were not designed to operate online. To avoid disappointment on this front, before the cloud migration begins, organizations can conduct a cyber risk maturity assessment21 to understand specific technology, regulatory, and insider and supply chain risks as well as recommended remediations.22
While some of these may be new territory for a cloud migration team, organizations face a number of potential technology risks to mitigate as part of their cloud cyber programs where an integrated cloud cyber team can help create a more secure, agile, and trustworthy outcome (figure 1).