As a business or security professional it’s all too easy to become overwhelmed by the availability and range of cloud services. Often organisations discover that their technology footprint or stack has changed almost unnoticed and other times it seems to be changing at a frightening pace.
Fortunately, security principles and risk management best practices still apply in the cloud world. These principles just need to be applied in the appropriate way for the resources in use. This is sometimes easier said than done!
What do we mean when we talk about cloud?
I like to break cloud into 3 areas:
Software as a Service (SaaS): things like Gmail, Workday, or Salesforce.
Cloud native development: creating and deploying services in a cloud native way, not necessarily running them in public cloud. This typically means breaking applications into microservices and using ephemeral runtimes. The Cloud Native Computing Foundation is a good place to start on this.
For each of these areas you want to identify what you are using or what you’re going to use while also considering what regulatory or company standards you need to apply. Do you have to consider data sovereignty? What types of data are you storing in those services and what happens in the event of data loss/breach?
Once you have considered these factors the big question becomes: what are your responsibilities? Cloud services operate a shared responsibility model. If I'm making use of SaaS then the areas that I need to secure are vastly different from those I need to secure if I'm using IaaS and spinning up virtual machines in the public cloud. The cloud service providers (CSPs) spend considerable time and money to ensure that their side of the model is fully covered and that they are fully compliant. Unfortunately this gives rise to the myth that the public cloud is by default more secure. Though it certainly has the potential to be more secure, that's not typically the case.
To use an analogy that can be visualised in the real world, I can have the most securely designed bank vault but if I choose to leave the door open then the manufacturer can hardly be liable for any losses.
Now that you know what services you have, you need to do asset discovery and tracking for them. Efficient use of cloud services means that resources will be much shorter lived than would be the case on premises. A weekly scan for assets is no longer enough. The good news is that having identified which parts of the cloud I'm using (SaaS vs other services) I can focus my efforts on the places that are my responsibility.
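To show why a periodic scan misses short-lived resources, here is an added example (not code from the original post): it replays a constructed create/terminate event stream, builds an inventory from the events themselves, and compares that with what a scanner running at a fixed interval would ever have observed. The event format, resource names and timestamps are assumptions made for the illustration.

```python
from datetime import datetime, timedelta

# Constructed create/terminate events in the spirit of a provider audit log
# (not real provider output): (resource id, action, UTC timestamp).
EVENTS = [
    ("i-0a1", "create",    "2020-06-01T09:00:00"),
    ("i-0a1", "terminate", "2020-06-01T09:40:00"),  # lived 40 minutes
    ("i-0b2", "create",    "2020-06-02T14:00:00"),
    ("i-0b2", "terminate", "2020-06-04T14:00:00"),  # lived two days
    ("db-1",  "create",    "2020-06-01T08:00:00"),  # still running
    ("i-0c3", "create",    "2020-06-06T23:30:00"),
    ("i-0c3", "terminate", "2020-06-07T00:30:00"),  # lived one hour
    ("i-0d4", "create",    "2020-06-03T10:10:00"),
    ("i-0d4", "terminate", "2020-06-03T10:30:00"),  # lived 20 minutes
]


def lifetimes(events):
    """Event-driven inventory: {resource: (created, terminated or None)}."""
    life = {}
    for rid, action, ts in sorted(events, key=lambda e: e[2]):
        t = datetime.fromisoformat(ts)
        if action == "create":
            life[rid] = (t, None)
        elif action == "terminate" and rid in life:
            life[rid] = (life[rid][0], t)
    return life


def seen_by_periodic_scan(life, start, interval, end):
    """Resources a scanner running at start, start+interval, ... <= end would observe."""
    seen, t = set(), start
    while t <= end:
        for rid, (created, gone) in life.items():
            if created <= t and (gone is None or t < gone):
                seen.add(rid)
        t += interval
    return seen


def missed_by_periodic_scan(events, start_iso, interval_hours, end_iso):
    """Resources present in the event inventory that the scanner never saw."""
    life = lifetimes(events)
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    return set(life) - seen_by_periodic_scan(life, start, timedelta(hours=interval_hours), end)


if __name__ == "__main__":
    for hours in (24 * 7, 1):
        print(f"every {hours}h, missed:", sorted(missed_by_periodic_scan(EVENTS, "2020-06-01T00:00:00", hours, "2020-06-14T00:00:00")))
```

A weekly scan sees only the long-running database, an hourly scan still misses the 20-minute instance, and only the event-driven inventory records all five resources.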
This then ties into a change in the way we are working and the emergence of DevSecOps to bake security into the development process.
This places a tremendous strain on security departments and brings in a whole new area of security management. Gartner defines cloud workload protection platforms (CWPP) as “workload-centric security offerings that target the unique protection requirements of workloads in modern hybrid, multi-cloud data center architectures.”
You’ve now looked at what you’re using, what you’re storing there, what’s in your remit to configure, and what you can do to bake this in from the start. It seems like a lot because it is. Fortunately, it is achievable when broken into chunks. We’re here to help. At Palo Alto Networks we ensure each day is safer and more secure than the one before.
This insight is part of techUK's Cloud Week 2020. You can find related news and insights here.