We have seen a mass migration of data and applications from local datacenters to the public cloud. While the cloud is not perfect, it has a lot going for it. The positives include an elastic, resilient and fault tolerant architecture. The con is that it is highly configurable and requires the proper controls, monitoring and service architecture to make it secure.
So there are several questions that security leadership must confront, and ignoring the cloud is no longer feasible. Here are some questions to reflect on before engaging with infrastructure, application and DevOps teams.
Part of the misconception surrounding cloud security has been the preoccupation with the underlying hardware, hypervisor and shared public hosting. This centered around hosting compliance reports and certifications generated by cloud vendors (AWS, Azure, Google) essentially saying they run a tight, compliant ship. They in fact don’t mix their clients’ peanut butter and chocolate. These reports are critically important, but they should not be confused with securing the highly configurable cloud services and understanding the shared responsibility model. We should be able to stipulate that AWS, Azure and Google can run a datacenter better than most companies and better than most governments. The vulnerable pieces of the puzzle are how data and services are configured and how anomalies are monitored. Errors or omissions of the smallest variety can expose sensitive data and lead to a breach.
Where should we start? There is only one place to start, and it’s with the security organizational design. Cyber cloud security must be more decentralized and work closely with developers, platform engineers and architects. This has traditionally been the role of a cloud security architect, and that is appropriate for smaller or early adopters of public cloud. Larger and more mature cloud consumers need security in the trenches. This has brought about a relatively new function called “DevSecOps”. Ideally, the (cloud, security and enterprise) architects set the overall strategy and controls framework and evangelize the security design and requirements. This new functional group of (DevSecOps) security engineers helps DevOps work through the security design and best practices. The goal is to create the proper feedback loops so the security gates can be adjusted to the emerging challenges to their adoption. This shift to the left allows security to Continually Improve and Continuously Deliver at birth, rather than security being a painful, expensive afterthought. This investment has to start at the organizational level: bring security to the trenches and security will continually improve.
By Mike Donovan