Making the secure digital transition to a public cloud platform

As organizations across different industries scale up their system to the public cloud, the need to protect data and applications is the primary concern of CISOs (chief information security officers). Post the pandemic, organizations have accelerated the need for digital transformation, which is required due to remote access to work infrastructure. In short, as more employees work from home on their laptops, their system's security is vulnerable compared to an office on-premises security. 

Migrating to a public cloud disrupts the conventional cybersecurity models that organizations have built over the years. Developing new applications and analytics resources means transferring data, technology, and existing employee workload to cloud platforms. The digital transformation is not a problem except that the network system's security also needs to be upgraded and adapted to new cloud-based practices. There are many benefits of cloud-based IT platforms, but equally, the risk of cyberattacks increases as hackers get easier access to VM servers than on-premises ones earlier.   

Here we will look at four critical practices required for securing digital transformation of an organization's IT infrastructure.

    • Cloud-centric cybersecurity model
    • Redesigning entire cybersecurity controls
    • Internal responsibilities vs. CSP (Cyber services provide)
    • Applying DevOps to cybersecurity.
1.Cloud-centric cybersecurity model

Businesses, big or small, need to make an upfront choice on the overall cloud strategy. This would mean the new architecture would include virtual boundaries for managing authorizations in the cloud platform. Also, how new applications will fit into the refurbished IT architecture that aligns with acceptable risk tolerance and available resources. 

Many organizations are tempted to use the existing on-premises control on the new public cloud model. This does not work effectively and can lead to vulnerabilities in many areas.  

The most effective approach is redefining the cybersecurity model in terms of two aspects. One is how the network boundary or perimeter is defined and whether the existing application architectures need to be altered for a cloud platform. Secondly, whether security controls can be incorporated in the application architecture. 

2.Redesigning entire cybersecurity controls.

When the entire operations move from the on-premises physical control to cloud-based virtual management, organizations need to have a fresh set of controls for the entire company. This would entail individual controls for each user and a role-based authorization matrix.

Cybersecurity controls can be categorized mainly into IAM, Data, and perimeter. 

The Identity and access management (IAM) solutions are critical for cloud applications, and data are gradually shifting into the cloud.  Here the role of CSP is crucial as they provide identity services and creates an automated authorization process. This eliminates human factors from provisioning and de-provisioning the access controls to individual users.  

Apart from automation, analytics ensure monitoring of employee behavior based on the monitoring data managed by the CSP. This enables the organization to determine who should be given access to the organization's critical information. This process has already rendered passwords obsolete and multi-factor authentication a backward step. It is the user behavior that will determine the security of the system. 

Data - encryption of data, whether at rest or in motion in the cloud, is a must. CISOs are working on a mechanism where encrypting data becomes more practical and more straightforward. This would include how the encryption keys are managed. The keys ideally need to be managed accordingly depending on the in-house responsibilities and CSP.     

Perimeter – as the business moves to virtual boundaries, so will be the movement of network traffic. Nearly 40% of the traffic is routed through on-premises controls. The hybrid model of on-premises -cloud would mean direct connectivity between on-premises and public-cloud workloads to access applications or data on public cloud platforms. Third-party cybersecurity experts help manage the perimeter that would allow adequate security web gateway, firewalls for web applications, and network monitoring. 

3. Internal responsibilities vs. CSP (Cyber services provide)

Public cloud requires segregation of responsibilities between an organization, its department, and Cloud Service Providers (CSP).  The shared security model would require responsibilities for specific functions. When an enterprise migrates applications and data to the cloud, it is not necessary to hand over the complete control to CSPs. Companies and CSPs need to maintain a clear understanding of what controls the CSPs can provide. Companies can ask the CSPs to give a comprehensive presentation of their security operating models and timely updates as those models change. 

Companies greatly benefit when collaborating with CSPs for a complete cybersecurity life cycle, i.e., from design to implementation and ongoing operations. This is, however, subject to 

  • Complete transparency on controls and procedures of the CSP, including reports on any exposure incidents. Also is important for getting CSP’S conduct security audits and penetration testing.

  • CSP needs to ensure regulatory compliance to the business, keep themselves updated on regulatory changes in the industry, and update their compliance mechanisms accordingly.

  • CSP also needs to provide the threat landscape alerts on an ongoing basis to the management.

  • Providing multi-factor authentication and password management as a part of IAM or IdaaS (identity as a service). 

4.Applying DevOps to cybersecurity.

Aligning the application developers with the security team for faster sign-off is important.  If new applications are held up for the security team's approval, it reduces public cloud efficiency. Making automated security services available to developers through API improves systems agility.   

DevOps is prevalent in an organization when new software features are implemented in the operational infrastructure.  Secure DevOps is therefore important as it integrates security features for the cloud.  Developers also require additional security training to provide adequate support during and after migrating to the public cloud. Training is essential as it helps developers to understand the security features of the tools they are developing they can have can provide better security APIs.

Conclusion

The four practices described above can help organizations structure and implement a public cloud cybersecurity program to strengthen cybersecurity in the cloud. This approach is critical as a digital transformation program can be a complicated task. Businesses have multiple cloud workloads, on-premises and private cloud capabilities, locations, regulatory mandates, CSPs, and overall security requirements to account for.