Reducing Risk in the Cloud: What You Should be Thinking About

By Shawn Mall

A few years ago, companies were starting to explore what the cloud was, what it could do, and how it could save them money. Today, companies are adopting cloud computing faster than ever. Developers love having the ability to enter a credit card number and be up and running on an application or program in minutes – without having to wait for IT to provide the software or hardware they may need.

However, this on-demand access brings its own challenges. Now that anyone can spin up a private cloud (for development or production), the process of deploying a tangible application is outpacing the implementation of security controls and increasing risk for your organization. The sheer speed at which someone can build an application in the cloud and generate volumes of data is incredible. The same goes for companies that use software as a service to protect their data. This is why it is so important to implement the same controls in the cloud that you would in your own data center.

Organizations are looking for controls, visibility, and protection in the cloud that are equal to (or better than) those of their traditional network. But the biggest challenge is understanding what is out there to help mirror or enhance the security posture in the cloud, since the approach is different. The entire cloud landscape doesn’t fit the traditional mold of data center security and requires out-of-the-box thinking about how security should be implemented. Some simple questions to ask at any stage of cloud deployment are:

• What is the worst that could happen if my application or its data is lost or stolen?
• What applications or data should I move to the cloud (it doesn’t always make sense to move everything)?
• What is our organization responsible for in the cloud?
• What is the cloud/service provider responsible for?
• How can our organization mitigate risks in the cloud?

If you move your applications to the cloud and they contain sensitive data or must be in compliance with regulations, look for options that allow you to secure the data. There are products that will enable you to encrypt your data stored with the cloud vendor or leave the data on premises, to prevent it from being copied or stolen if the cloud provider were to have a security breach.

It is also critical to place controls on the cloud services, since their accessibility makes them an easy target. You need to know who is doing what, when they are doing it, and where they are doing it from in order to control the environment (e.g. Susie lives in San Francisco but was just accessing the corporate Box account from China). There are products that can simplify provisioning of user accounts and allow you to better audit who has access to what, using federated access control. You can also set up API proxies that can watch, block, or allow all calls being made to your cloud provider, or session recordings that replay what an admin (think Snowden) or developer was doing at a time in question.
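The "who, when, and from where" check in the Susie example can be expressed as an "impossible travel" rule over access logs. The following is an added example, not from the original article; the event format, the Beijing coordinates standing in for "China", the 900 km/h speed limit, and the 50 km jitter floor are all assumptions.

```python
import math
from datetime import datetime

# Constructed sample events: (user, ISO timestamp, city, lat, lon). Not real log data.
EVENTS = [
    ("susie", "2024-03-01T09:00:00", "San Francisco", 37.7749, -122.4194),
    ("susie", "2024-03-01T11:30:00", "Beijing", 39.9042, 116.4074),
    ("bob", "2024-03-01T08:00:00", "San Francisco", 37.7749, -122.4194),
    ("bob", "2024-03-02T09:00:00", "Beijing", 39.9042, 116.4074),
    ("susie", "2024-03-01T08:15:00", "San Francisco", 37.7749, -122.4194),
]

MAX_KMH = 900.0    # assumed limit: roughly airliner cruise speed
MIN_KM = 50.0      # assumed floor: ignore small IP-geolocation jitter


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def impossible_travel(events, max_kmh=MAX_KMH, min_km=MIN_KM):
    """Return (user, from_city, to_city, km, hours) for each pair of
    consecutive logins whose implied travel speed exceeds max_kmh."""
    alerts = []
    last = {}  # user -> (time, city, lat, lon) of that user's previous login
    # Logs often arrive out of order, so sort per user by timestamp first.
    parsed = [(u, datetime.fromisoformat(ts), c, la, lo) for u, ts, c, la, lo in events]
    for user, when, city, lat, lon in sorted(parsed, key=lambda e: (e[0], e[1])):
        if user in last:
            p_when, p_city, p_lat, p_lon = last[user]
            km = haversine_km(p_lat, p_lon, lat, lon)
            hours = (when - p_when).total_seconds() / 3600
            # Simultaneous logins from distant places (hours == 0) are flagged too.
            if km > min_km and (hours == 0 or km / hours > max_kmh):
                alerts.append((user, p_city, city, round(km), round(hours, 2)))
        last[user] = (when, city, lat, lon)
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(EVENTS):
        print("impossible travel:", alert)
```

In practice the coordinates would come from geolocating the source IP in the provider's audit log, and VPN or proxy egress points need an allowlist to keep false positives down.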

Lastly, you should automate as much as you can. With the advancements in cloud automation and provisioning, there are numerous opportunities to add security to the process. I would argue there should be very few excuses for not baking security into a solution. Once you automate the security processes into your automation center, security becomes more efficient and predictable and also increases time to deployment and reduces human error.

Following these guidelines can help to reduce your risk in the cloud.

Shawn Mall

Enterprise Architect

Shawn Mall brings more than 15 years of technical experience to his current role. As an enterprise architect, Mall helps clients develop data center and cloud solutions that meet both business and technical requirements. Mall’s broad technical background consists of strong routing, switching, multiprotocol label switching (MPLS), software defined networking (SDN), VPN, firewalls, intrusion prevention systems (IPS), content filtering, tap and aggregation, VMware, NSX, Cisco Application Centric Infrastructure (ACI) and Amazon Web Services (AWS).