Stepping into the Cloud Requires New IT Security Tactics - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
Cloud
Commentary
5/7/2019
08:00 AM
Connect Directly
Twitter
RSS
50%
50%

Stepping into the Cloud Requires New IT Security Tactics

Adopting a strategy to embrace the cloud should include adequate plans to control and monitor the new environment.

As organizations chase advantages made possible through cloud transformation, it is possible they might tread in spaces their security protocols are not prepared for. Many executives and IT teams may be under pressure to advance cloud migration strategies, but such a push can leave some considerations overlooked.

Security measures that served on premise might not cover all the nuances of cloud computing, hybrid cloud, and multi-cloud environments -- if they are not adapted for the cloud. Some industry players have a few perspectives on what to watch for and how to mitigate security exposure when making the migration.

Image: Monster Ztudio - Adobe Stock
Image: Monster Ztudio - Adobe Stock

The competitive advantages of the cloud include flexibility and potentially lower costs, yet there are new risks that also can come into play. The cloud is also a frontier for a growing number of threats, says Sash Sunkara, CEO and co-founder of RackWare, a provider of a hybrid cloud management platform. That makes security crucial as organizations adopt multi-cloud or hybrid strategies, she says.

IT shops may have issues if developers put sensitive business data in the public cloud without following proper protocols as they work. A focus on security is not intended to limit their usage of new technology, Sunkara says, however there is a need to maintain control. “Shops today already have processes to harden [on-prem] applications to make sure they don’t have holes or become security threats,” she says. Adapting such security resources for the cloud can be part of the solution.

When old methods are not enough

There can be some confusion, however, as in-house IT teams work to secure hybrid and multi-cloud environments, says Tim Woods, vice president of technology alliances at network security management company FireMon. “About half the teams we interface with -- traditional IT security, infrastructure, and firewall management team -- are taking responsibility for the cloud,” he says.

Such teams usually collaborate with DevOps and application deployment teams as well as talk to customers they may have not dealt with before. The speed at which the businesses want to deploy to the cloud can surpass their teams’ ability to secure their environments. “Security teams are struggling to adapt to that,” Woods says.

Lost in translation

Though there might be ways to extend tools and security from on-prem to the cloud, he says some of those features might not translate neatly to the cloud. Such concerns become top of mind for CIOs and CEOs as they review strategic technology initiatives. “They go through this process of needing to quantify their return on security investments for all the different tools they have,” Woods says. That means determining which tools bring value in achieving goals and which ones need to be replaced.

The need to identify and close vulnerabilities is exacerbated by a talent pool shortage in cloud expertise and security, Woods says. Engineers are trying to update their tools and skillsets to meet this demand, but many companies are still on the hunt for such talent. “Some companies are just looking for one or two really good people to train the rest of the team,” he says.

Putting the IT house in order

Establishing order is essential, Woods says, because of the potential for uncoordinated cloud sprawl, particularly in multi-cloud environments. This can include bloated, duplicate rules for firewalls that are introduced along the way. As the complexity of environments increases, if there is a fragmentation of responsibilities and a lack of consistency in following a centralized security policy, the probability of human error escalates as well. Security vendors are creating blueprints, Woods says, that organizations can follow to help establish best practices.

Sunkara says RackWare can create templates based on the security that surrounds on-prem applications that can be used in cloud. It is a way to extend the comfort of security protocols established within the organization beyond their data centers to the cloud. That means making sure there are hardened images, encryption, and rules on who gets access to what and where. This should include an audit trail that tracks usage to better identify and resolve threats.

Sash Sunkara, RackWare
Sash Sunkara, RackWare

Enterprises may have IT protocols and multilayered security strategies in place on premise. That should not change in the cloud, Sunkara says. “It really should be an extension of what they do today,” she says. “You should have the same type of control and processes.”

Simply adopting the security practices of a cloud provider, and assuming those practices will meet all needs, can leave an organization at risk of exposure, which can lead to regrettable consequences. “Once you’re hit, it’s definitely hard to go back,” Sunkara says.

Assessing the weaknesses

It may be worthwhile for an organization to conduct a bit of security “triage” to better fight threats, says Todd Matters, chief architect and co-founder of RackWare. One of the more insidious security threats faced in the cloud is ransomware, he says. “It’s not just about intrusion and stealing your data,” Matter says. “It’s actually about kidnapping your data.”

A triage process can help enterprises better understand what the most sensitive applications will be in a hybrid cloud environment as well as any inherent vulnerabilities in those applications. There are ways to build robust cloud security from existing security infrastructure, he says. Most data centers have already established communication networks and security mechanisms within an organization, he says. That can be applied, with some work, to the hybrid cloud. “We’re really not starting from scratch,” he says.

Joao-Pierre S. Ruth has spent his career immersed in business and technology journalism first covering local industries in New Jersey, later as the New York editor for Xconomy delving into the city's tech startup community, and then as a freelancer for such outlets as ... View Full Bio
We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
News
IBM Puts Red Hat OpenShift to Work on Sports Data at US Open
Joao-Pierre S. Ruth, Senior Writer,  8/30/2019
Slideshows
IT Careers: 10 Places to Look for Great Developers
Cynthia Harvey, Freelance Journalist, InformationWeek,  9/4/2019
Commentary
Cloud 2.0: A New Era for Public Cloud
Crystal Bedell, Technology Writer,  9/1/2019
White Papers
Register for InformationWeek Newsletters
State of the Cloud
State of the Cloud
Cloud has drastically changed how IT organizations consume and deploy services in the digital age. This research report will delve into public, private and hybrid cloud adoption trends, with a special focus on infrastructure as a service and its role in the enterprise. Find out the challenges organizations are experiencing, and the technologies and strategies they are using to manage and mitigate those challenges today.
Video
Current Issue
Data Science and AI in the Fast Lane
This IT Trend Report will help you gain insight into how quickly and dramatically data science is influencing how enterprises are managed and where they will derive business success. Read the report today!
Slideshows
Flash Poll