How To Maintain Control When Moving To The Cloud

Organizations of all sizes and across all industries are embracing a cloud-first strategy. Cloud services offer efficiencies and productivity, agility, and cost savings. It just makes sense for many organizations to move from private networks and data centers to public cloud and hybrid solutions from multiple geographically distributed service providers.

But many CISOs appear to be hesitant about fully committing to the cloud, and particularly to moving their IT infrastructure and critical workloads to the public cloud. Why is that? In most cases, they’re worried about losing visibility and control of their IT resources and data. 

While CISOs have an understandable desire for control, ironically many of us don’t really know what’s in our IT environment, which means we have less visibility and control than we think. One interesting observation from recent ransomware and wiperware outbreaks was that few organizations had accurate records of what IT resources were operating in their environments or even the status of the known systems. While this is due in part to the rapid adoption of things like shadow IT, it is also frequently the result of such things as personnel changes and mergers and acquisitions. For many organizations, conducting a full network analysis before transitioning some or all of their network resources to the cloud is the first time a CISO or CIO is able to scope a full and accurate view of what their IT ecosystem looks like. 

In many cases, we also have little to no insight or control over what devices employees bring to interface with our network, and at the same time we also have a limited view into what’s happening in our supply chain. And far too often, our organizations also don’t know whether or not our partners are secure, or whether partner connections into our network are as protected as we’d like them to be. In many cases, those connections aren’t even actually being monitored.

In addition to a lack of insight into our own environments, there are several key issues that need to be addressed as we consider public and hybrid cloud solutions. The first issue we must address in any move to the cloud is whether this will unify or further divide our IT environment – adding greater complexity. Because many organizations are still using disparate point defense products or platforms rather than an integrated security fabric approach, we don’t have a good understanding of our IT environment. This is the reason we lack deep visibility and control in our networks. Simply put, it’s difficult to protect what you can’t see and impossible to do it at speed and scale.

Which is why it is imperative that we understand what strategies and solutions cloud providers have available. We want to ensure that the security deployed in our local network will be interoperable with the security in our cloud ecosystem in order to establish unified visibility and control across the distributed network. One of the first questions to ask is whether the cloud service provider can support a unified security framework across the legacy network and the hybrid cloud solution. 

Another critical issue for CISOs considering a move to the cloud is the commingling of data. This issue needs to precipitate a serious conversation with your cloud service provider, including: “How do you protect my data from being commingled with other data?” “How do you ensure that my employees, and only my employees, have access to my company’s data?” and, “How do you ensure the state of my data?”

Having the right security tools on both sides of a cloud deployment should also play a critical role in making a decision about transitioning to the cloud. Organizations should seriously consider employing a cloud access security broker, or CASB. This is a service that provides deep insight into the state of your data in the cloud, and can tell you such things as who’s accessing your data and whether data is leaving the cloud environment.

In addition, you also need to make sure that the hypervisor your service provider is employing can scale to meet your growing needs, and can also provide the level of automation and orchestration needed across your traditional SP WAN as well as for your network function virtualization issues. This visibility and extended functionality can help ensure you have a consistent look, feel, and granularity of administration as you move data across your private network and into a public cloud environment. And while we’re on the subject, the majority of organizations today use multiple hypervisors in their environments. In order to maintain visibility and control across your various cloud and network ecosystems, therefore, it is important that you select and deploy security tools that are compatible with a variety of hypervisors. A security fabric-based approach ensures device integration and interoperability by design – reducing complexity and risk while accelerating time-to-market and ROI realization. 

A word of warning, however: one of the things you have to remember about public clouds is that while you are renting resources from your cloud provider, you are actually the owner and the responsible party when it comes to the security of data and applications housed there. 

Platform-as-a-Service (PaaS), Infrastructure-as-a-Service (IaaS), and Software-as-a-Service (SaaS) providers are not responsible for the security of your data and applications that reside in their cloud environments. As a result, CISOs and other IT professionals should first carefully consider the criticality of their data and the readiness of applications for cloud migration. For example, depending on the regulation and country, certain data may not be allowed outside that country or region.  

You should consider whether it’s appropriate to move some or all of your data and applications to the cloud, as well as whether the service provider has the tools, resources, and expertise necessary to manage and secure it. Which also means that when you’re evaluating whether it’s time to move applications to the cloud, you need to make sure they are cloud ready and can be tested and secured in that cloud environment. 

Moving to the cloud provides a lot of advantages to organizations undergoing digital transformation. Many organizations that do not leverage the power and flexibility of cloud computing will find that they have a distinct competitive disadvantage. However, transitioning does not come without risks that need to be fully understood. To get started, you need to review your compliance requirements and existing network resources, as well as your security strategy. Ultimately, you’ll need a cloud service provider that can deploy appropriate security measures and support a unified security framework across today’s expanding and highly elastic network ecosystems.