Keep Calm And Cloud On: Migrating Complete Environments To The Cloud In Stormy Skies

December 4th, 2017 | security & compliance

As the cloud matures, businesses have started warming up to the notion that their data can be as secure in a cloud environment, if not more so, than with on-premises solutions. However, that doesn’t mean cloud migrations are without security risks.

While organizations take great pains to ensure their cloud providers are following best security practices, they often fail to adhere to these same procedures when migrating their applications and infrastructure. Businesses must take a two-pronged approach to preventing and correcting security oversights during their cloud transition, focusing both on better training and awareness as well as technical controls. Only with the right combination of policies and tools can organizations and their employees securely move into the cloud.

Hardware-Based Risks Can Still Be An Issue

When shadow IT first entered the corporate lexicon, IT professionals used the term to refer to unauthorized hardware operating in their business environment, from unsanctioned personal devices to undocumented switches and networking devices. Over time, shadow IT shifted from hardware to software, especially software-as-a-service applications.

Whenever employees felt held back by the absence of a critical feature (or simply preferred a tool of their own choosing), they used their own tools under the radar. Because these apps lacked official standards or enterprise-grade authentication, businesses were exposed to whatever unknown risks the apps brought into the company.

Many businesses still struggle with software-based shadow IT, but the tide is turning back toward “hardware-based” risks. Employees have mostly stopped sneaking new hardware into the office, yet they are recreating the same vulnerabilities with cloud-based infrastructure by setting up unsecured servers.

This can be intentional, when employees want to avoid security controls they perceive as onerous, or unintentional, when the operations team does not know the servers exist and so never applies the standard security controls to them.

The ease with which department leaders, or any employee with a company credit card or expense account, can purchase and set up new virtual machines has reduced their reliance on the IT department, but it has done little to improve their understanding of security. In scenarios like this, security is far from the only problem: without centralized management of your organization’s virtual machines, costs can quickly spin out of control as IT efforts are duplicated across teams.
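The check an operations team actually needs here is an inventory audit: pull every instance the cloud accounts know about and flag the ones nobody has enrolled, tagged, or locked down. The following is an added example, not code from the original article or from OneLogin. The instance records are constructed inline in the shape a cloud inventory export might take; the field names (instance_id, account, tags, enrolled, open_to_world), the approved account list and the required tags are assumptions made for illustration.

```python
"""Flag cloud instances that nobody in IT or operations is managing.

Added example, not from the article or from OneLogin. The inventory below is
constructed; a real run would populate it from the cloud provider's API and
the organization's configuration-management or identity platform.
"""
from dataclasses import dataclass, field

# Assumed policy: accounts IT knows about, and tags every instance must carry.
KNOWN_ACCOUNTS = {"prod", "staging", "dev"}
REQUIRED_TAGS = ("owner", "cost-center", "environment")
# Ports that should never be reachable from 0.0.0.0/0 (admin and database).
SENSITIVE_PORTS = {22, 3389, 3306, 5432}


@dataclass
class Instance:
    instance_id: str
    account: str                      # cloud account the instance lives in
    tags: dict = field(default_factory=dict)
    enrolled: bool = False            # known to config management / identity platform
    open_to_world: tuple = ()         # ports open to the internet (assumed field)


def audit_instance(inst, known_accounts=KNOWN_ACCOUNTS, required_tags=REQUIRED_TAGS):
    """Return the reasons an instance counts as a shadow server (empty if clean)."""
    reasons = []
    if inst.account not in known_accounts:
        reasons.append(f"account '{inst.account}' not in approved account list")
    if not inst.enrolled:
        reasons.append("not enrolled in central management")
    missing = [t for t in required_tags if not inst.tags.get(t)]
    if missing:
        reasons.append("missing tags: " + ", ".join(missing))
    risky = [p for p in inst.open_to_world if p in SENSITIVE_PORTS]
    if risky:
        reasons.append("admin/db ports open to the internet: " + ", ".join(map(str, risky)))
    return reasons


def find_shadow_servers(inventory):
    """Map instance_id -> list of reasons, for every instance that fails a check."""
    findings = {}
    for inst in inventory:
        reasons = audit_instance(inst)
        if reasons:
            findings[inst.instance_id] = reasons
    return findings


# Constructed sample inventory (fictional accounts and instance IDs).
SAMPLE_INVENTORY = [
    Instance("i-0a1", "prod",
             {"owner": "platform", "cost-center": "4100", "environment": "prod"},
             enrolled=True),
    # Bought on a department credit card, never handed to operations.
    Instance("i-0b2", "marketing", {"owner": "jdoe"},
             enrolled=False, open_to_world=(22, 80)),
    # Proper account and tags, but never enrolled in config management.
    Instance("i-0c3", "prod",
             {"owner": "data", "cost-center": "4200", "environment": "staging"},
             enrolled=False),
    # Enrolled, but untagged and exposing a database port.
    Instance("i-0d4", "dev", {}, enrolled=True, open_to_world=(3306,)),
]


def report(inventory=SAMPLE_INVENTORY):
    """Print one line per finding and return the findings for further processing."""
    findings = find_shadow_servers(inventory)
    for iid, reasons in sorted(findings.items()):
        print(f"{iid}: " + "; ".join(reasons))
    return findings


if __name__ == "__main__":
    report()
```

Run on a schedule, the interesting output is the delta: an instance that appears with "not enrolled" and an unknown account is exactly the department-credit-card server the article describes, and it should be either enrolled or terminated before the next run.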

Managing Identities, Not Hardware

IT professionals have traditionally focused on managing hardware, not users. Within an on-premises paradigm this makes complete sense: your organization knows what hardware it owns, and the IT department knows how to maintain and secure it.

As organizations move their infrastructure and applications to the cloud, IT no longer has full visibility into which endpoints it controls. For instance, an internal developer can easily set up a production machine that IT knows nothing about, leaving that endpoint unmonitored and unsecured.

Organizations must focus on managing employee identities across services, making it easy for employees to request access to new services (and help with them) while keeping IT in the loop. Your organization’s identity management platform should let the company control employee access at multiple levels, both by endpoint and by privilege. Crucially, this platform must integrate cleanly with a multi-cloud environment rather than locking your organization into a short list of supported vendors.

IT departments also need to rethink how they manage end users. Rather than deriving privileges from the system access a user already has, they need to work more closely with HR and make employee roles the foundation for access. A developer needs access to different systems than a marketer or an accountant does. Setting permissions on a per-system rather than a per-employee basis leaves endpoint security in the hands of employees rather than IT professionals. This is not a new or innovative approach but a classic access strategy that sometimes gets lost because of system limitations or the time it takes to plan and implement it properly.
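Where the role-driven model pays off is the mover case: an employee changes jobs and the systems they should no longer touch are revoked automatically, whereas per-system grants made ad hoc simply accumulate. The following is an added example, not code from the original article or from OneLogin, that models both approaches side by side; the roles, systems and employees are constructed for illustration, and a real deployment would source the role from the HR system of record and push entitlements through the identity platform.

```python
"""Role-based access derived from HR roles versus ad hoc per-system grants.

Added example, not from the article or from OneLogin. Roles, systems and
employees are constructed; the point is to show how an access review and a
role change behave under each model.
"""
from dataclasses import dataclass, field

# Assumed role-to-entitlement matrix: the single place access is defined.
ROLE_ENTITLEMENTS = {
    "developer": {"git", "ci", "staging-db"},
    "accountant": {"erp", "expenses"},
    "marketer": {"cms", "crm"},
}


@dataclass
class Employee:
    name: str
    role: str                                        # HR role, the source of truth
    direct_grants: set = field(default_factory=set)  # per-system grants made outside the role model


def role_access(emp):
    """Access the employee should have, derived purely from the HR role."""
    return set(ROLE_ENTITLEMENTS.get(emp.role, ()))


def access_review(emp):
    """Compare ad hoc grants against the role. Returns (excess, missing)."""
    expected = role_access(emp)
    return emp.direct_grants - expected, expected - emp.direct_grants


def move_role(emp, new_role):
    """Handle a mover under the role model.

    Updates the role and returns (to_revoke, to_grant) as computed from the
    entitlement matrix alone; note that direct_grants is untouched, which is
    exactly the privilege creep the per-system model suffers from.
    """
    if new_role not in ROLE_ENTITLEMENTS:
        raise ValueError(f"unknown role: {new_role}")
    old = role_access(emp)
    emp.role = new_role
    new = role_access(emp)
    return old - new, new - old


def reconcile(emp):
    """Force the ad hoc grants to match the role exactly. Returns (revoked, granted)."""
    excess, missing = access_review(emp)
    emp.direct_grants = (emp.direct_grants - excess) | missing
    return excess, missing


def scenario():
    """Developer who picked up an ERP grant on the side, then moves to accounting."""
    alice = Employee("alice", "developer", {"git", "ci", "staging-db", "erp"})
    before = access_review(alice)            # erp is excess already
    moved = move_role(alice, "accountant")   # role model revokes dev systems
    after = access_review(alice)             # direct grants still carry them
    fixed = reconcile(alice)                 # bring grants back in line
    return before, moved, after, fixed, alice.direct_grants


if __name__ == "__main__":
    for label, value in zip(("review before", "role move", "review after", "reconciled", "final grants"), scenario()):
        print(f"{label}: {value}")
```

The `access_review` call is the periodic control: anything in `excess` is a grant that no role justifies, and under the per-system model it will keep showing up after every job change until someone runs `reconcile`.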

Maintaining Visibility Throughout The Cloud Transition

Organizations can’t afford to lose visibility of their vital infrastructure during their cloud transition journey, and employees can’t be expected to master security across a variety of evolving systems.

Rather than allowing your company’s digital transformation to devolve into a disorganized scramble, place identity at the center of your organization’s cloud migration strategy by adopting a centralized employee identity management solution. This allows you to control who has access to key systems as well as oversee operational risks such as the spinning up of unsecured servers.

About the Author

Alvaro Hoyos leads OneLogin’s risk management, security, and compliance efforts. He also works with prospects, customers and vendors to help them understand OneLogin’s security, confidentiality, availability, and privacy posture and how it works alongside, or in support of, customers’ own risk management models. Alvaro has over 15 years in the IT sector and, prior to joining OneLogin, helped startups, SMBs, and Fortune 500 companies with their security and data privacy compliance efforts. His commentary and articles have been featured in several publications, including CIO, CSO, Network World, Infosecurity, eWeek, and Help Net Security. Alvaro is a member of the Forbes Technology Council and has a B.B.A. in M.I.S. and an M.S. in M.I.S. from Florida International University.

