February 10, 2020 By BlueAlly
By Joan Ross
Developing a unified security technology approach across all computing environments is necessary for secure business operations. It’s also easier said than done. Over the last ten years, the cloud has increasingly been adopted to extend business efforts for a variety of reasons:
- Easily accommodates new engineering efforts.
- Sustains new acquisitions already operating within the cloud.
- Serves as a business cost-cutting measure to reduce capital costs, contract costs, and opportunity costs.
- Contains mission-critical business systems with more focused security controls.
- Serves as a warm site for BCP/DR efforts, meeting the global security standard for regional diversity.
However, the cloud is also another attack surface that can be challenging for the CISO of an organization to adequately secure. Often, elements of the business have been moved to the cloud without the benefit of a comprehensive security design. That’s because business strategy often moves faster than security analysis. As a result, engineering teams are often computing within their chosen cloud environment, and sometimes across several cloud environments, before the CISO has been included to assess or set security standards to protect the business. Security applied backward is never advised. Regardless, even then it must be done, and done well.
When security professionals survey their cloud computing landscape, there are three needs they must address:
1. Visibility:
Any CISO is going to require a complete view of their cloud environments as it’s an essential part of the business ecosystem. This includes reporting, monitoring, and alerting of authorizations, access, and key activities within the cloud and across cloud environments. Ideally, even if multiple clouds are in use, the controls and reporting are consistent across all environments. Otherwise, the CISO is lacking necessary security assurance capability.
2. Analytics:
Developing and evolving a security strategy that’s inclusive of cloud operations, that’s effective in implementation, and that achieves the INTENT of the business across the entire ecosystem requires detailed analytics. What security information is missing? Would you know if an employee was accessing or uploading unauthorized material or programs, or downloading PII or intellectual property against company policy? If the cloud is used for BCP/DR, does it adequately match and sustain operations at the same levels as the current production and enterprise environments?
3. Reliable Execution:
Obtaining buy-in for a unified security strategy and controls from engineers who may be familiar with, invested in, and certified in other security technology solutions can be challenging, especially since most major vendors have cloud-ready solutions. It is essential, however, to ensure that every security investment strengthens security holistically, as opposed to adding one-off solutions that don’t perform. Every executive currently has a tools optimization program where millions of dollars have been invested over time that now needs to be reduced to eliminate solution and vendor sprawl and related overhead expenses. At the same time, even small gaps in cloud security introduced through the implementation of non-integrated systems can lead to major breaches.
What if your business is almost fully operated within the cloud? This is the easiest way for startups with investor funding to form, and organizations in this situation need to avoid the same sort of vendor sprawl and limited functionality caused by implementing isolated security solutions that more traditional networks have been wrestling with for years. The same issue around compatibility and consistent functionality also applies to new acquisitions that may be transferred to the cloud rather than continuing to fund hardware assets.
Building for the Cloud
I spoke with Bob Fish, who runs the cloud security program for Electronic Arts (EA) and with whom I have worked for over ten years. We were both fellow architects at Microsoft Online Services Security when Azure was first being launched. EA is a leader in the online gaming industry and uses cloud services for many of its development and production environments. As such, their engineering focus is designed specifically for the cloud and developed to take advantage of dynamic cloud capabilities and online transactions. This concept of building specifically for the cloud is becoming mainstream, as opposed to directly transferring established applications from a data center to a cloud environment.
Bob says, “The demand driven nature of our gameplay environments lends itself to dynamic cloud environments that can scale up and down as business needs dictate. This presents unique security challenges that are not present in static on-prem environments.”