Connect with us

Hi, what are you looking for?


Cloud Security

Moving to the Public Cloud? Security Starts With You

Organizations recognize that the cloud is a key enabler of digital transformation, allowing them to innovate faster, improve business agility, and accelerate time to market. As they reinvent business models and strategies, a growing number are opting for public cloud deployments.

Organizations recognize that the cloud is a key enabler of digital transformation, allowing them to innovate faster, improve business agility, and accelerate time to market. As they reinvent business models and strategies, a growing number are opting for public cloud deployments. In fact, the RightScale 2018 State of the Cloud Report finds that more enterprises are prioritizing public cloud, with 38 percent reporting it is their top priority, up from 29 percent in 2017. 

If your organization is among the growing number moving to the public cloud, it is important to transition securely. Security has much improved over the last several years with cloud providers making significant investments in security technology and services. Now the onus is largely on the customer. According to Gartner, through 2022 at least 95 percent of cloud security failures will be the customer’s fault. That may sound high. But consider these three factors.

1. Security is a partnership. The cloud provider is typically responsible for the security of the cloud, and you are responsible for the security in the cloud. As the consumer and builder of applications that run in the cloud, you need to apply your own security smarts to that environment. For example, each provider brings a set of security capabilities that customers should take advantage of, including a significant amount of telemetry. This can include data about the administrators logged in, events they have undertaken to change the configuration of the environment, activity happening against your public APIs, and other network activity occurring within your environment. This telemetry is in the form of data feeds, not processed security insights. There’s valuable information you don’t want to miss, but making sense of it all can be a challenge. You need to focus your resources on understanding what’s hidden inside these data feeds, or you’ll fall short in your role as a partner.

2. Think also of compliance. Just because you’ve covered your security bases doesn’t mean you’re compliant. Compliance regimes have their own requirements outlined in a controls matrix that you measure against and report on periodically, demonstrating that the controls are working as expected. But when you try to apply a matrix developed for your private data center to the public cloud, the ways certain controls are realized no longer exist. The tools and processes have changed along with the underlying environment. Adding to the challenge, most organizations aren’t just using one public cloud but multiple public clouds. For every public cloud, you need to revisit your controls matrix and redefine how the control will be realized to ensure compliance. 

3. Shadow IT is alive and well. The IT department isn’t the only group engaging in public cloud partnerships. Shadow IT remains prevalent today with business units establishing their own interface with public cloud providers. Often, once they’ve built the applications they need to help the business grow, they’ll turn the relationship over to IT to handle ongoing support, maintenance and, of course, security.  

That Gartner statement is starting to sound more accurate, isn’t it? So, what can you do to mitigate the risk you may be inadvertently introducing to your public cloud deployments?

First, when it comes to security in the public cloud, you actually have an opportunity to do better than in your on-premises environment. That’s because the cloud provider has done the heavy lifting and is presenting you with high-level, normalized telemetry feeds. In most traditional, on-premises environments you’ve probably spent most of your available resources just getting to that point – collecting all the telemetry available from every device, each in its own format, handling format changes with upgrades, normalizing the data, writing correlation algorithms, etc. In a cloud environment, you’re able to start at a higher vantage point. Your priority is to be ready with the tools and processes to help you understand and use that more refined telemetry to improve security.

On the compliance front, tools that operate across public cloud and private data center environments, absorbing variations in telemetry data and formats to present a common interface, can simplify compliance management. For example, to satisfy the NIST standard that requires you understand all the flows that are coming in and going out of your various IT assets, you might build a system capable of collecting Netflow. But public clouds have different flow sources so keeping up is a challenge. A tool that will absorb those variations and give you an understanding of all the flows both in the cloud and on-premise, will minimize the adjustments you have to make as you manage compliance. 

Advertisement. Scroll to continue reading.

Finally, when it comes to dealing with Shadow IT, establishing a healthy dialogue between business units and IT and security owners can break this cycle. Architectural groups and committees that include all key stakeholders and meet on a regular basis help bring decision making and awareness back to a group discussion instead of a rogue set of activities. 

As you make your move to the public cloud remember that security starts with you. There are very specific steps you can take to secure your initiatives in the cloud. It’s empowering and an opportunity to do even better.

Written By

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Professional services company Slalom has appointed Christopher Burger as its first CISO.

Allied Universal announced that Deanna Steele has joined the company as CIO for North America.

Former DoD CISO Jack Wilmer has been named CEO of defensive and offensive cyber solutions provider SIXGEN.

More People On The Move

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Conversations

SecurityWeek talks to Billy Spears, CISO at Teradata (a multi-cloud analytics provider), and Lea Kissner, CISO at cloud security firm Lacework.

Cloud Security

Cloud security researcher warns that stolen Microsoft signing key was more powerful and not limited to and Exchange Online.

CISO Strategy

Okta is blaming the recent hack of its support system on an employee who logged into a personal Google account on a company-managed laptop.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

Cloud Security

Microsoft and Proofpoint are warning organizations that use cloud services about a recent consent phishing attack that abused Microsoft’s ‘verified publisher’ status.