Chances are, if you're moving to the cloud, your organization lacks in-house cloud security skills.
Security should be a top concern in the cloud, especially since data breaches are on the rise and risks can be compounded by a lack of experience. The public cloud moves companies into a self-service world, and that goes for security, too.
It's the entire IT staff's responsibility to protect an enterprise and its data. That takes time and investment, including building a security plan, supporting continuous education and installing processes and frameworks to grow and mature in-house security.
Use these cloud security best practices to prepare your IT staff, including non-experts.
Educate and train employees
If your company plans to migrate to the cloud, you need to set a cloud-education bar for everybody -- technical and business users alike.
This can be accomplished with a combination of on-site and online training. It's also helpful to provide access to various resources, such as webinars and conferences, to stay abreast of ever-changing security threats.
Aim first for entry-level cloud certifications, such as AWS Cloud Practitioner, for all of your employees involved in the migration. The best cloud security is an educated user base, and these certifications are a good way to start that process.
Depending on your staffing makeup, the next step is to look at more technical cloud security training for experienced developers and operations staff. I've seen clients successfully transfer skills to the cloud with the AWS Solutions Architect certificates and the CompTIA Cloud+ and Certified Cloud Security Professional exams.
Train staff on internal cloud security best practices and management processes. Ensure security documentation is accessible to employees through a central repository.
Lastly, always include your cloud-knowledgeable employees in any discussions with your provider as you contemplate your migration. They know the company's technical debt, what's documented -- and what isn't -- and have played a role in compliance audits. These are the people who know your operational realities.
Get staff cloud-ready
An IT staff's roles evolve when an enterprise moves to the cloud, and teams need to be able to translate their duties to their new environments so security doesn't fall through the cracks. For example, database admins need to adopt new data backup processes and tools. They should maintain secure, offline copies of their company's data. Those copies need to be easily retrievable in the event that their cloud storage is held for ransom, compromised or destroyed.
Software developers will also have to change how they work. They might need to: adjust their application design process to emphasize a security-first mindset; integrate cloud-based identity and access management into their applications from the start; and build automated security testing into their development processes.
Ultimately, you need to set a plan for your developers to begin adopting DevOps practices to best support your cloud application development, operations and maintenance efforts.
Put your security plan in place
A security breach can happen whether you have an army of cloud security experts or inexperienced employees who are struggling with cloud security. You have to put a cloud security plan in place to give your teams guidelines to protect your corporate data and applications.
Even if you already have a security plan in place, take the time to update it and validate it against your cloud environment. Documented processes and policies enable you to act decisively and not give in to the chaos. Some elements of a cloud security plan include:
- a risk management plan;
- an identity management strategy;
- the development or outsourcing of employee security training;
- an updated change management and patch management strategy; and
- backup and recovery plans.
Secure your cloud
When dealing with the cloud, it is important to implement access and authorization controls. Multi-factor authentication is a must, especially as cloud apps and storage are made available to business users. One area to focus on is user privileges and access controls. Don't be another statistic that leaves sensitive corporate data wide open to the public.
Data governance is typically handled by database administrators, but you still want to document your data governance tasks in the cloud with step-by-step checklists. Consider cross training other staff as soon as it makes sense, to help ensure data security.
If you already have a security plan in place, take the time to update and validate it against the cloud. Documented processes and policies enable you to act decisively and not give in to the chaos.
Consider outsourcing cloud security
Eventually, your move to the cloud may reach a point beyond your security comfort zone. Some enterprises in compliance-related industries, such as financial services, choose to outsource cloud security to a third-party managed security services provider.
Resist the urge to bring in hourly contractors to fill your cloud security staffing gaps, as they're susceptible to high turnover. Contracting companies typically hire workers on temporary contracts with limited benefits and no incentive beyond their hourly rate. In addition, these companies charge a huge markup.
Managed security service providers aren't without their own HR and pay issues, but their businesses are typically better suited to compensate staff and move them between clients more seamlessly.