For the first time in its 10-year history, the CyberCrime Symposium featured breakout sessions, a nod to past-audience requests for content tailored to different functional roles. The sessions, offered on both days of the event, comprised two separate tracks — one technical, the other on risk and compliance.
The first day’s technical track explored important technical considerations for attendees moving to the cloud. In this interactive session, Jeremy Ward, senior ISO at Tyler Technologies, drew upon lessons he’d learned while working at various companies who’d been at different points in their cloud journeys.
Information security officers face a slew of technical issues as their organizations push to go to the cloud, according to Ward. Potential returns on cloud moves include cost reduction, scalability, and shorter time-to-market cycles. Indeed, Ward said, a well-orchestrated cloud migration can deliver these and other advantages — including, in many cases, better security. However, it also introduces new security challenges.
CISOs and teams need time to get up to speed on security practices and tools that will support their migration to public cloud environments. Not so easy, if their organization’s leaders are blinded by cloud-shine and underestimate the demands of a move. If they hit the gas on the migration process, they can become a security challenge themselves, impeding CISO efforts to conduct critical due diligence.
This Old House Plus That New One
To illustrate, Ward analogized cloud migrations to long-time home ownership, where residents have spent years acquiring the right furniture, appliances, and other trappings, while learning how the structure functions. Eventually, they decide to move to a newer home, with the all the latest bells and whistles. They’ll need time to transition, as they consider what to take, what to discard, and what new items they’ll purchase.
In Ward’s analogy, the existing home is an organization’s traditional data center and IT ecosystem, while the new pad is the cloud. If homeowners sell the older house, they can put all their resources into the new one. If they keep both, they’ll need to maintain both.
CISOs and CIOs don’t have that choice. “Some business leaders view cloud migration as a wholesale move,” said Ward. “They think they’ll eliminate the data center and immediately go straight to the cloud.”
But that’s rarely an option. “We all have corporate infrastructure and systems that will still need to be managed in some sort of data center, even if it’s in a closet somewhere,” he added. “Five or ten years down the road, a lot of companies will still be maintaining and securing their data center, in addition to their presence in the cloud.”
Expectations, Meet Reality
How do leadership expectations for the cloud match-up with reality? Beyond believing the cloud will get them out of the data center business, organizations expect to see such benefits as:
- Cost savings
- Scalable architecture
- Better security
- Self-governance via the current structure
The reality? Ward said the cloud could deliver on most of these expectations. “It depends on the money and resources organizations apply, and how much time they dedicate to understanding cloud intricacies, rather than just arbitrarily migrating things,” he added.
Security governance is another matter. Many organizations don’t understand their current governance structure, so they don’t know if that structure will translate to a cloud world. With capabilities and functionality not available in traditional environments, public clouds may defy governance structures geared for on-premise data centers.
“CISOs and associates leaders should plan on modifying their governance structure,” said Ward. It’s not likely that systems moved to the cloud will run exactly the way they did in-house, he added. So, before starting any migration, tech and business officers should review procedures, controls, and processes that govern day-to-day operations in their existing environment.
Challenge Assumptions in a Borderless World
Then, there’s security management: the cloud can deliver significant security advantages, but it’s surrounded by uncertainty. “We don’t yet know all the security disadvantages of cloud operations,” Ward said.
Info-sec teams have long focused on hardening the fixed perimeter — via firewalls, IDSs, and IPSs — surrounding the data center. They are going to need enough time to learn how to manage security in the cloud, where borders aren’t clearly defined and always flexing.
The same goes for users in other departments. To leverage systems hosted in the cloud and related security practices, employees need specialized training. Ward advised attendees to take advantage of free CSP training as well as to budget for paid training programs.
Further, all employees should understand they’re key contributors to a strong security posture. Ward recommends tapping those that are excited about cloud capabilities and make them peer leaders. Teach them basic security concepts and regularly quiz them on, for example, security controls they’d apply in different situations.
With info-security staffs stretched to the limit, this secondary line of workers, versed in fundamental security practices, can become am extension of the dedicated security team. And who knows? They may get hooked and decide to make cloud security their career.
That Doesn’t Translate
Staffing should be another priority, according to Ward. Many business leaders assume that security and IT pros protecting and managing on-premise systems can simply transfer those skills to cloud environments.
“As security professionals, we should challenge that assumption,” said Ward. “Ask these leaders how they plan to augment staff to support these new technologies.”
The same goes for database administrators and system administrators that are crushing it in traditional data centers. “Cloud requirements are different, so you can’t expect them to immediately perform at that same level,” Ward said. Meanwhile, as they develop new cloud skills, they’ll have to handle all their on-premise duties. Until the migration is complete, IT teams will manage both environments simultaneously.
Cloud migration, with its complexion and complexity, demand careful planning and execution, with security considerations top of mind. “This cloud thing is happening,” said Ward. “As security professionals, we should take this opportunity to share our knowledge, provide feedback, and help ensure the move’s successful.”
In fact, Ward advised attendees to try to slow the move to the cloud, especially when things get frenzied. Then, there’s time to build-in security from the start. Security teams should work closely with their CSP partners, starting with the most difficult jobs — like network segmentation — out the gate, and make informed decisions on every aspect. The jump to the cloud’s simplified a bit when there’s no need to back out changes or resort to bolt-ons.
This is the third in our series of posts presenting key takeaways from our 2019 CyberCrime Symposium, held Oct. 17-18. The program — Cloud Security — featured an incredible line-up of speakers. If you couldn’t get a seat at the event or want a refresher on various sessions, don’t miss upcoming installments.