The pandemic accelerated many organizations' digital transformation efforts by prompting them to move quickly to the cloud. Cybersecurity threats continue to evolve and multiply, and without a clear security strategy and roadmap, a hastily executed cloud transition can expose an organization to additional vulnerabilities and threats. Because a cloud environment is virtual and reached over public networks, it typically requires multiple, different layers of security rather than a single perimeter.
Organizations often apply one of these two strategies to their cloud migration:
- Lift and shift. Taking an exact copy of the on-premises environment and moving it to the cloud unchanged.
- Platform modernization. Moving what is on premises onto a newer platform, again without reconsidering the existing applications or architecture.
These default strategies are often chosen because organizations could not -- given the sudden shift away from the office in response to the pandemic -- or did not do the heavy lifting of examining their current state. Below, I outline the foundational principles for an organization that wants a successful and secure digital transformation and move to the cloud.
Conduct an IT inventory and architecture layout
The first order of business is a rigorous inventory and architecture layout of all IT components: physical and virtualized servers, operating systems, databases and data storage, physical and virtualized networking components, and so on. The second is to document every location where the organization's data resides.
These two steps need to include those computer operations that are outside the traditional IT department, often referred to as "shadow IT," which, as ISACA's recent white paper on multi-cloud security points out, can be problematic.
Identify IT-supported business processes
The third step is to identify all business processes supported by IT (accounting, human resources, accounts payable and receivable, billing, shipping, etc.). Organizations need to look deep into their business processes to understand the data transactions and flows. Understanding a system at this granularity reveals risks and security gaps that may exist in the current environment. The goal is not to replicate those gaps in the cloud environment.
Foundational security considerations
Once the strategy is set for digital transformation and movement into the cloud, there are several foundational security factors that need to be considered. The security rules that were applied in the on-premises infrastructure and applications still apply in a cloud environment. However, additional security measures need to be taken as well. When it comes to data in the cloud, identifying and protecting your most important assets is a must.
High-value asset protection
First, establish information protection priorities. Develop clear, simple and well-communicated guidelines, then establish the strongest protection for the "high-value assets" -- the data that can have a disproportionate impact on your organization's mission or profitability. Be sure to establish the appropriate security access measures and controls. Consider that cloud resources are accessed via publicly available networks (internet) and enable an encryption strategy for both data in transit and data at rest.
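As an added illustration that is not part of the original article, here is what "encryption for data in transit and data at rest" looks like when enforced as a technical control on a high-value data store rather than only stated as a guideline. It assumes the data lives in an AWS S3 bucket; the bucket name example-hva-bucket is a placeholder, and other cloud providers offer equivalent mechanisms.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUnencryptedTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-hva-bucket",
        "arn:aws:s3:::example-hva-bucket/*"
      ],
      "Condition": {
        "Bool": { "aws:SecureTransport": "false" }
      }
    },
    {
      "Sid": "DenyObjectUploadsWithoutKmsEncryption",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-hva-bucket/*",
      "Condition": {
        "StringNotEquals": { "s3:x-amz-server-side-encryption": "aws:kms" }
      }
    }
  ]
}
```

The first statement refuses any request that arrives over plain HTTP (in transit); the second refuses any object upload that does not explicitly request server-side encryption with a KMS key (at rest). Both are Deny statements, so they act as guardrails on top of whatever Allow statements grant access; they do not replace bucket default encryption, which should also be set so that the at-rest control holds even if a client omits the header.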
Additionally, be sure to factor in data privacy and build in the needed technical privacy solutions:
- Data ownership: It is your organization's data. Understand the type of data and assign data owners.
- Data access: Who in your organization can access and use the data?
- Data segmentation and privacy controls: Does your organization need to comply with the European Union's General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA)?
Expect to deploy multiple security strategies
In a cloud-enabled environment, each type of service calls for a different security strategy, because the split of responsibility between provider and customer differs. The service types are:
- Software as a Service (SaaS): Licensed, vendor-operated applications (Office 365, Salesforce, etc.). The provider runs the stack; your controls are data governance, rights management/entitlements, and identity and access management.
- Platform as a Service (PaaS): A provider-managed runtime on which your organization builds and runs its own applications. This needs the SaaS controls plus controls over the identity and data infrastructure of each environment (development, test and production). Many IT general controls apply here as well, including separation of environments and segregation of developer, tester and deployment capabilities, to name a few.
- Infrastructure as a Service (IaaS): Provider-managed virtual machines, storage and networking on which your organization installs and operates its own operating systems and software. This requires the SaaS and PaaS controls and adds a further layer of privileged access management and monitoring, because the organization is now responsible for the operating system, patching and network configuration.
Developing your cloud security strategy
The key to success in cloud transitions is a methodical approach to cloud security. Revisit governance and security policies to ensure they are updated and aligned with the new cloud architecture. Consistent policies and access controls for privileged and administrative access are a must. Many organizations reuse their existing identities and identity controls for cloud services, and these are often insufficient: in the cloud, identity is the control plane, so the identity provider, directory and privileged accounts must be secured at least as rigorously as the services they gate, with multifactor authentication, least privilege and monitoring of administrative sign-ins at a minimum.
Cloud security is not guaranteed, but if you take the time to design a strategy and roadmap and apply security rigor, principles and controls at every layer, you will minimize the organization's exposure to security threats.
About the author
Pamela Nigro, CISA, CRISC, CGEIT, CRMA, is an ISACA board director and vice president of information technology and security officer at Home Access Health Corporation. Nigro is experienced in governance, risk, compliance and cybersecurity focusing on the healthcare and insurance industries. She is a recognized subject matter expert in HIPAA, HITRUST, SOC 1, SOC 2, Sarbanes-Oxley (NAIC-MAR) and IT/cybersecurity controls and risk assessments. Nigro is also an adjunct professor at Lewis University, where she teaches graduate-level courses on information security, ethics, risk, IT governance and compliance and management of information systems in the MSIS and MBA programs.