How to build security into cloud after a hasty adoption

The burden of cloud security is split.

Service providers protect the infrastructure and underlying compute power from malicious actors, but the enterprise retains responsibility for configuring the security of workloads and operations.

Google Cloud acknowledged this split when it entered the cyber insurance market earlier this month. The partnership with Allianz Global Corporate and Specialty and Munich Re, forming Google's Risk Protection Program, is intended to reduce cloud risk with a diagnostic tool to assess risk and streamline the insurance underwriting process.

Moving to the cloud can be scary as the enterprise embraces the unknown and navigates how to secure it. With the addition of cyber insurance offerings, Google is essentially saying, "let's make this a little bit less scary for you," Jadee Hanson, CISO and CIO at Code42, said.

But cyber insurance "should be more about what does your holistic risk landscape look like, where do we have data risk, and a little bit less about cloud versus non-cloud," Hanson said.

Trouble with cyber insurance can also arise if coverage doesn't quite match what the business truly needs, according to Nate Smolenski, CISO at Corvus Insurance.

"Oftentimes people buy insurance that [they] may never use or might not necessarily be the right fit," Smolenski said. For example, if a company accelerated digital transformation, it may be facing a new IT landscape that requires different insurance coverage.

The enterprise needs to first understand what regulations it needs to comply with and then how to maintain visibility over what users may be doing, according to Smolenski.

A more notable part of the Google Cloud offering may not be the cyber insurance, but the visibility it provides into the cloud architecture. While the hasty adoption of many apps may have clouded visibility into the infrastructure, organizations reinstating clarity can build stronger security postures.

In a rush to the cloud for business continuity last year, some organizations skipped security in favor of speed to adoption. Now, nearly every organization — 96% — is concerned about their cloud security, according to a July 2020 Sophos report surveying more than 3,500 IT managers.

Security is "a little hard to do after the horse has left the barn and you're already doing cloud," but it's still possible to retrofit to address long-term security challenges, said Smolenski.

Cloud computing security

The security basics for cloud adoption include access control and data exfiltration, according to Hanson. Especially in a remote environment, the traditional perimeter dissolved and companies require a better understanding of what information leaves and where it goes.

"It first starts with just setting the tone, getting an understanding of the risks that we now have," Hanson said about cloud computing. "The second step is implementing the right controls. The controls look different in this type of environment."

At Code42, Hanson said the teams involved in the cloud transition went through certifications and training to better understand how to keep it secure from the get-go. Hanson also recommended security and development working closely together to build in security from the beginning.

Many of the controls in the cloud computing environment are easier to use because of automation and other factors provided by vendors.

To gain visibility, "automation is a requirement," said Jim Brennan, chief product officer at BetterCloud. Whether it's automating workflows to deal with configuration settings or offboarding user accounts, automation accounts for the scalability many businesses rely on.

Enterprises need to consider how they manage those configurations and how to apply consistent policies, according to Brennan.

If an organization lacks in-house cloud security expertise to do so, it can tap vendors or other managed service providers to deliver those services, according to Rick McElroy, principal cybersecurity strategist at VMware Carbon Black.

McElroy recommends building a solid communication process with cloud service providers to proactively prepare for a breach inside of the cloud environment.

"Organizations should invest in workload security microsegmentation, as well as identity and access solutions that are built into their cloud stacks, rather than bolted on after the fact," McElroy said. In other words, security should be intrinsic to the technology.

SaaS-based app security

Use of SaaS tools increased during the pandemic as employees turned to applications to sustain operations. The average business deploys 88 apps this year, compared to 72 apps in 2016, according to Okta's Businesses at Work report.

Cloud security becomes less manageable when employees bring in mobile devices and other outside SaaS applications, according to Smolenski.

Security threats lay behind these SaaS applications. When business data or files are shared to external parties, it could fall into the hands of competitors or malicious actors creating a data security liability, according to Brennan.

At the same time, the SaaS applications keep the enterprise in business in a mostly remote and digital environment. Across business units, leaders are tasked with maintaining capacity and security simultaneously.

"In order to keep the organization productive, really hard to get a handle on that, and have the right visibility on it without completely locking it down and bringing the company to a screeching halt," Hanson said.

Visibility into all applications and other SaaS-based programs in the environment is the first step.

Companies leaning on those SaaS-based applications and repositories need greater visibility across the environment, file sharing protection and awareness of potentially sensitive data to incorporate better security standards, Brennan said.