Talk About Cloud First or Get There Last
By: Phil Swaim
This blog post is the first part of a series of posts on the Cloud. Later posts will cover topics such as Role Based Access, Identity Access Management, Key Management, DevOps, and the need for virtual network services.
There is no doubt the greatest innovation in IT of the last 10 years has been the public cloud and virtualization. Being able to deploy resources for storage, computing, and communication with 0 capital expenditure, little risk of failure, little expert technical knowledge required (especially true for SaaS offerings), and a near 0 barrier to entry has given startups and well-established enterprises the ability to rapidly develop and deploy new applications and expand business operations in a scalable, on-demand fashion. According to the RightScale 2017 survey, 89% of respondents were using the Public Cloud and 95% were using either Private Cloud, Public Cloud, or a Hybrid of the two. [1]
Obviously the majority of companies were not surveyed, and it may be that you are in a company that hasn’t adopted any cloud technologies or is just beginning to discuss the matter. It is important as a security manager, director, or executive to be one of the first voices in the room to talk about Cloud strategy. This sets the tone from the beginning to include security in all developments.
Cloud strategies usually crop up in one of a few ways.
- An application/web developer decides to open an AWS account on their own credit card and use it as a test environment. They may or may not be using company data to do it. Later their group decides the implementation is great and it gets adopted as a production model. Security is called in before the go-live date to make sure vulnerability scans pass clean or an on-premises firewall rule is opened.
- Knowledge workers are not aware of the tools and software at their disposal, or dislike the ones they have, and decide it is easier to use a “free” SaaS Cloud vendor to process orders, take notes, or store company data. Security may or may not discover these breaches of data at a later time.
- Executives above the security director have decided to move applications and data to the cloud for various reasons and engage infrastructure and development teams without security’s knowledge. Security is only informed this has happened when the infrastructure and development teams need security baked in at the end.
As most IT professionals who have been in the field for any respectable length of time know well, it is hard to change infrastructure after it is in place. Luckily the Cloud makes it easier to change, but the business can often still be uneasy about such change when current systems work in a profitable and acceptable manner. So it is imperative to be involved at the outset to ensure a secure policy and design.
A few consequences of joining the Cloud discussion last include not having visibility into the attacks that threaten your environment, not being able to design access according to sound policy, and, as has happened to many government entities in the news, having AWS S3 buckets pillaged by public scanners. It is also almost always the case that unplanned cloud implementations will be more expensive than planned ones.
Developing a Cloud strategy is key. Being the first to drive it is just as important. Even if the company stakeholders decide that the Cloud is not going to be used, at least the matter has been discussed and all key decision makers know who will need to be brought into the discussion the next time the Cloud comes up.
[1] RightScale 2017 State of the Cloud Survey: https://www.rightscale.com/blog/cloud-industry-insights/cloud-computing-trends-2017-state-cloud-survey