All indications suggest organizations' adoption of the cloud is going to ramp up considerably in the next few years. According to Cisco's Global Cloud Index: Forecast and Methodology (2016–2021) white paper, cloud data centers will process 94 percent of workloads and compute instances by 2021. Close to three-quarters of those resources will be Software-as-a-Service (SaaS) assets processed in the public cloud. Global digital security strategist Ian Trump thinks these trends suggest the world is moving away from on-premise and private cloud data centers. Trump believes those developments could profoundly change how businesses deliver their services and how security teams work to protect those services. For that reason, he recommends companies seriously consider migrating to the cloud if they haven't done so already:
"A great shakeout in the tech industry is coming. If your business can’t afford to move to public cloud SaaS from its existing systems, a scrappy cloud startup is going to take your lunch money on the playground. For those in the current security space, adapt to this SaaS trend or become irrelevant to business," warns Trump.
Of course, organizations can't just pick up and move all their IT resources to the cloud. They need to keep a few security concerns in mind if they decide to migrate. First and foremost, companies need to figure out what type of deployment model will work best for them.
"I'm an advocate of migrating to the cloud and the intrinsic of having improvements in security and compliance driven by multiple other clients, but this doesn't mean you can set it and forget it," explains Matthew Pascucci, Cyber Security Practice Manager at CCSI. "When migrating to the cloud, the deployment model is important to understand first. Will you be in a private, public, SaaS, or PaaS infrastructure? Understanding this will allow organizations to get a better feel for where their risks lie," Pascucci says.
Companies must then formulate a security strategy for the applications and other assets that they'll actively deploy in the cloud. Whitney Champion, a Senior Systems Architect, feels organizations need to go through this assessment by asking themselves if they intend to review their code and how regularly they'll do so, how they'll set up networks, and what operating systems they'll use. According to Champion, doing so can further elevate organizations' awareness of the issues involved with cloud migration:
"It is crucial to be aware that not every cloud provider is the same, and many of these processes will be implemented differently across different platforms. Each organization needs to be mindful of these requirements and perform their due diligence to be prepared for the implications of moving any of their systems to the cloud," she says.
Once companies have figured out what they want out of their cloud environment, it's time for them to begin looking for a cloud service provider (CSP) that meets their needs. Digital security specialist Zoe Rose thinks companies should choose their CSP carefully. That's especially the case if they're looking to host sensitive data in the cloud. "The cloud is simply computers someone else has ownership of and maintains," Rose notes.
"If information is highly sensitive, you will want to review contractual requirements on security, patch management, and reporting of incidents for the third-party hosting company along with your agreed requirements with the data owners," added Rose.
At this point in the migration process, it's important to remember that signing a contract doesn't mark the end of an organization's responsibility for its cloud-based data. Under the Shared Responsibility Model, CSPs are responsible only for security of the cloud, meaning the infrastructure that supports their cloud computing services. Organizations are still responsible for security in the cloud, meaning the measures they take to protect their own data. According to Ean Meyer, security controls for the cloud should factor into companies' strategies for how to defend their cloud-based data against digital attackers. "All too often, companies taking their first steps into the cloud make the mistake of believing security will be completely handled by their cloud hosting provider. Don’t make this mistake," says Meyer.
"Take time to evaluate your current controls and look at how to enable them in your cloud instances. Once you have your existing controls in place, look at what additional controls cloud deployments can offer. Cloud systems often offer security features that many organizations couldn’t deploy on-premise. If you keep these things in mind when you start to migrate to the cloud, you will be well on your way to making the right security decisions," suggests Meyer.
Stay tuned for a future post that explores these security controls for the cloud in detail. In the meantime, you can learn more about how to securely migrate your organization's IT resources to the cloud by downloading this e-book.