It should go without saying that many, if not most, companies have had to make some changes in the last 18 months. In an era when most facets of life are marked by a pandemic, remote-first culture, the ideology of having employees work from home, has had widespread adoption. In order for this to work, employees need access to data and work files from wherever they are working. This has led many companies to either adopt, or increase, working from the cloud. Whether or not this was the case previously, there are many reasons a company should not rush into it without a strategy and some specific considerations.
High profile cyber attacks have drawn much attention during the first half of 2021, including breaches on Volkswagen, McDonald’s, T-Mobile, and the Colonial Pipeline, just to name a few. It’s increasingly apparent that when today’s bad actors get leverage over enterprise level networks or critical infrastructure, there’s little companies can do but cave to their demands or just take the hit.
On a recent episode of Fiberside Chat with 3-GIS, host Daniel Litwin speaks with Damion Harrylal, 3-GIS Solutions Engineer, and Keith Mokris, Director of Product Marketing for Prisma Cloud at Palo Alto Networks, to discuss key factors companies should consider when moving to the cloud and the best way to ensure optimal security in doing so.
A lot of companies who adopted the cloud prior to the pandemic have already been through the pitfalls, learned from mistakes, and maximized security. However, as many new companies have entered into this space recently, they’ve been confronted with a problem of choice (too much in this case), a lack of thought-out strategy, and a host of issues resulting from a hasty implementation.
Nonetheless, moving to the cloud offers many appealing benefits: there is a low-barrier of entry for many companies, including low-cost solutions, the lift-and-shift is relatively easy to deploy and manage, and most importantly, the cloud offers scalability without significant increase in maintenance and cost.
“The cloud is incredibly secure if you’re just looking at what the cloud service providers are delivering to their customers,” Mokris said. “But, when you look at how organizations or telcos are using the cloud, that’s when you might evaluate organizations based on their maturity and how they’re looking at the security of their applications and environments.”
So, what do companies need to do when they are looking at cloud solutions? Harrylal discussed five key pillars when choosing a cloud solution:
- Preparation and strategy
- Identity Access Management
- Detection
- Response
- Audits and improvement
Preparation and strategy seems like it could go without saying, but many companies entering into the cloud environment treat security like an afterthought. But it is much better to include security architecture from day one in order to reduce long-term technical debt and mitigate security risks. Companies should employ a security model to identify clearly who is responsible for what and when, as well as, have an understanding of the shared responsibility between them and the cloud service provider.
A common shared responsibility model typically involves the provider handling the physical security and access of the network and the customer ensuring that they employ proper configuration and use best practices in their organization.
Identity Access Management is a big one. One of the best features of cloud applications is that you can control access with precision. Mokris mentions that it’s a good practice for organizations to perform audits to ensure users have the least privileged access they need to perform. Two-factor authentication (2FA) is another tool to help increase security of access.
Detection is also critical. An inevitability, like death and taxes, is that bad actors will put your network security to the test at some point. If you don’t have protocols and tools in place to detect these attacks, you can be vulnerable to security breaches. And, when you are attacked, the earlier you know about it, the better you can respond. It is also of note to know that not every attacker wants to hold your data for ransom or steal your company secrets. In a lot of cases, bad actors just want to hijack your cloud system’s computing resources to mine for cryptocurrencies, for example. If you can’t detect their presence, then you may be unwittingly sacrificing your organization’s resources.
Contingent upon the failure of any of the previous pillars, companies need a Response Plan. This should be a part of your security model, as well as baked into the entire cloud strategy. What happens when there is a breach? Who is responsible for what? Again, it is much better to think about this ahead of when you need to make decisions after detecting an attack.
System audits and improvements are good preventive measures to detect vulnerabilities and improve system security. While many companies put the least amount of resources into this pillar, it is one that can pay many dividends down the line by reducing technical debt.
What are some of the primary consequences that companies face if they do not embrace cloud solutions?
- Lack of scalability
- Increased costs and risks to physical network
- Increased time to market
Each of these three scenarios can have a significant impact on a company’s resources and ability to address opportunities. In today’s high-speed business world, many can’t afford to miss out on striking when the iron is hot.
A few final tips for those entering the cloud space are, for one, to ensure a smooth transition of organizational culture embracing the move. IT personnel who are acclimated to being on top of their data centers like a helicopter parent over their children at the park will need to adjust to the new shared responsibility model of cloud networks. In addition, organizations need to really weigh the benefits and risks against their long term business strategy. In the long run, it will likely become a necessity for companies to embrace having their data in the cloud in order to survive the fast-paced environment of today’s business world.
Listen online here or download the episode from iTunes or Spotify.