Sage Advice - Cybersecurity Blog

Five Cloud Security Lessons

During the closing session of the 2019 CyberCrime Symposium, we heard from Tyler Cybersecurity clients and our partners at Amazon Web Services (AWS) about their experience using cloud services. Each person brought a different but insightful perspective to the table and shared what’s been working for them (or not) in the cloud. Let’s recount the top lessons we learned from the session.

1. Start small and embrace change.

A panel member who works at a local bank was asked about lessons that they’ve learned since migrating to a cloud service provider. His answer was simple: organizations should start small and learn to embrace change.

When the bank started thinking about using cloud services, they were facing a workforce challenge. They had a small team that was supporting a high volume of security practices and updates, which was anything but efficient. In order to effectively drive their core business, something had to change with their security landscape.

Moving some services to the cloud would alleviate some of their workforce challenges, because they would be able to rely on the expertise of their cloud service provider should disaster strike. The bank decided to start small. They only migrated to Microsoft® Office 365 because tackling one challenge at a time was best for the organization from a risk and compliance perspective.

Once the team fully embraced this change, the organization saw its security resiliency increase. After all, at their core, they are bankers, not data center providers. Operational awareness is always important, but instead of doing it all, the bank was happy with its decision to move some of its information systems and security operations over to the cloud, leaving more room for security staff to focus on other in-house efforts and on the reporting available from the cloud providers.

2. Know your vendor.

Other panelists discussed the importance of building trust with your cloud service providers. As with all third-party service providers, it’s important that you understand the controls your cloud service providers have in place, and that they are on par with your policies. When assessing cloud vendors, assess things like network segmentation, monitoring, management of infrastructure, and concentration risk.

Being able to trust in your cloud service provider is also imperative on your journey to implementation. Common questions our panelists had for their cloud service providers included:

  • Will the access control list work?
  • How do we use a firewall in the cloud?
  • How does the vendor protect their data center?
  • How do they keep our data separate from somebody else’s?

It is your responsibility to ask the necessary questions before, during, and after the migration, so that you have clarity and trust in the vendor as your network host.

Learn more about how to assess the security of your cloud service providers here.

3. Documentation is the key to success.

Another panelist mentioned the importance of documentation. You must do your due diligence and make sure that you are satisfied with what the cloud service provider will provide. And all the hard work you’ve done needs to be documented. Maintain an organized library of all the documents provided by your cloud service providers.

Documentation is especially important in a highly regulated industry such as financial services or healthcare because they have frequent audits and examinations. Auditors like to see that you have a regular and documented dialogue with your cloud service providers. Being able to prove that you have an ongoing, viable conversation with the vendor, including always bringing issues forward and working with the vendor to solve them, will create a great relationship with the vendor and help you with the process of internal audit or regulatory examination.

4. Benefits are vast but challenges exist, too.

When an organization is trying to make a change, like moving critical services to the cloud, it’s best to weigh the pros and cons before making the switch. But what about after you’ve made the switch? Of course, there are many benefits to cloud hosting, but no matter what, there will always be growing pains.

For one Tyler Cybersecurity client, the biggest security challenge when moving to the cloud had to do with how they were making the switch. A month into their move, they were reminded that they were, in fact, in a completely new environment and had to adapt to it. The security team had to change how they think about their network operationally and shift their mindset to reflect that it was no longer on premises. Today, the loss of control they perceived at the beginning of the switch has been mitigated with constant education, communication, and an internal culture shift, and they are now reaping the benefits of their chosen cloud vendor.

Additionally, outages have been particularly challenging for the organization. In the cloud, there is nothing you can do about an outage: you must wait for the host to come save you. Thankfully, there are online resources (e.g., YouTube) that the team uses to help them learn and figure out how to feel confident operating in the cloud themselves. Knowing how to respond to problems, absorbing changes and new rollouts from the cloud service provider, and staying in constant communication with the host are key to a successful partnership.

5. Preparation is key.

It’s not easy to migrate to the cloud. On average, it takes 3-5 years and can be challenging for any team that has not worked with that vendor before. In order to succeed, organizations should prepare for the migration beforehand. Part of that includes taking an assessment of what you currently have on premises. What are your workloads currently? What do your customers expect? What level of tolerance do you have for outages during the migration?

In order to have a smooth transition, staff should assess the landscape and understand that the organization is not more or less safe in the cloud than it would be on premises. Education, training, and, most importantly, being comfortable with change are crucial to maximizing success in the cloud.


Topics: CyberCrime Symposium, Cloud Security
