Cloud may be the ‘new normal’, but it still presents something of a confidence conundrum for CIOs when it comes to security.
I have been in cyber-security for a good many years now and along the way have met many extremely talented CIOs. And yet, I can only think of one that would attest to having 100% confidence in the security of the cloud, having secured his entire digital architecture.
I must mention here that this particular CIO was responsible for managing a very complex architecture, serving internal and external customers, with lots of vendors and contractors involved. An environment many enterprise IT professionals will be familiar with. Here is how he did it.
A process of elimination
He started, like many CIOs would, by thinking about security at the overall enterprise architecture level. But he quickly discovered that this approach couldn’t stand up to the avalanche of changes coming its way: users bringing their own devices to work, shadow IT, a variety of vendors supporting the network, and constantly changing compliance regulations to adhere to.
You can’t blame him for trying, though. This CIA architecture – Confidentiality, Integrity and Availability – is the traditional way of assessing the threat landscape, and then defining, designing and implementing security for the network, apps, and users. And, in all honesty, it works perfectly well in many cases.
Sadly, it doesn’t translate to the cloud. It is too centralised and rigid to cope with the dynamics of securing XaaS, shadow IT, identity services and DevOps.
“The going can get tough, especially on public cloud platforms where security responsibilities are shared and, unfortunately, not everyone is aware of their responsibility or knows how to manage them.”
The next logical move was to try constructing his security architecture on the three states of data: at rest, in motion and in use. Yet, even this tried and tested approach cannot always meet the demands placed on it by the complexities and dynamics of cloud.
Back to basics
This CIO decided to put these questions to users: What do you do? What devices do you use? What systems do you access? How do you access them? And from where?
Based on the responses, he then defined his governance, risk and compliance architecture – a crucial stage that many may forget. The assumption is that simply doing a vulnerability assessment and penetration testing (VAPT), or a security posture assessment using the Center for Internet Security (CIS) framework, is sufficient. Unfortunately, sometimes even this level of assessment isn’t enough for a truly comprehensive, cloud-ready security architecture.
Now, even though our CIO had all the basics, he still didn’t have a full, real-time view of his security. So, he added a layer of security information and event management (SIEM). With this in place, accessible through a single-pane-of-glass dashboard, he finally had a near-perfect hybrid security architecture. I say “near perfect” because it is hard to create a completely faultless security architecture.
Talent wins games, but teamwork wins championships
Our CIO, of course, did not undertake this hefty transformation alone. He worked with specialist technology partners to assess and build the architecture. As cyber-threats continue to grow in scale and complexity, enterprises often struggle to keep up and ensure they have the skills and very latest tools to protect themselves. Working with a security specialist gave the CIO peace of mind, as he was able to tap into state-of-the-art cyber-security technologies and leading experts in the field. Tata Communications, for example, provided several components, including SIEM, and integrated them into the overall framework, helping to effectively simplify cloud security.
Key learnings
Over the years, I have seen the ever-growing adoption of cloud driving a clear trend towards the kind of hybrid, integrated security architecture that our CIO implemented.
The first step on any successful cloud security journey is knowing where you’re starting from. This might seem like a back-to-basics approach for some, but it can yield near perfect results if matched with real-time technology.
“The lesson here: secure your cloud before it bursts – and avoid a deluge of security issues raining down on your head!”
Read Raj’s previous blog on how to avoid turbulence in cloud environments.