Blog by Chris Gausden, Arcanum Cyber Security Principal Consultant.
Organisations that haven’t fully migrated to cloud infrastructure and applications must by now be considering it. This has become the standard approach to efficient and resilient business IT services. One of the many fears causing hesitation may be significant changes to the security risk picture, and associated security control capability that forms part of migration to cloud services. Put simply, depending on which cloud provider you choose, there will be invisible security controls they provide for you contractually, and security controls that you must establish and operate for yourself to mitigate business security risk.
Helpfully, most enterprise cloud providers will give you access to the tools you need to establish and operate most of the security controls that are your responsibility. Security risk management principles have not changed; what is new is that you must now trust your cloud provider, and confirm the contractual security responsibilities they have agreed to operate to protect your business IT, at whatever level of service you have contracted with them. The trick is to understand exactly what you can rely on your cloud service provider to do (from the level of service purchased and detailed in the contract), and what you need to do yourself to protect critical business assets.
Generally, you can assume that you have outsourced infrastructure provision and support (secure configuration, patching, monitoring etc.), and even some applications/functions, all kept logically separate from your business data/assets. Logical separation between infrastructure support and business assets can normally be strengthened further by encrypting your data with keys that remain under your control. Security of bespoke application architecture, user and privileged access control, and data security remain your responsibility.
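To make the point about keys in your control concrete, here is an added example (not code from the original post, Arcanum, or any cloud provider) of envelope encryption performed on the customer side before an object is handed to a provider's storage service. Each object gets its own data encryption key (DEK), which is itself wrapped under a customer-held key encryption key (KEK). The KEK here is a constructed in-memory value; in practice it would live in a customer-controlled KMS or HSM and never reach the provider. The object label, struct layout, and function names are assumptions for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// StoredObject is the blob the provider's storage service holds. Assumption for
// this example: the provider never receives the KEK or the unwrapped DEK, so
// every field it stores is either ciphertext or non-sensitive metadata.
type StoredObject struct {
	WrapNonce  []byte // AES-GCM nonce used when wrapping the DEK
	WrappedDEK []byte // per-object DEK, encrypted under the customer KEK
	Nonce      []byte // AES-GCM nonce used for the payload
	Ciphertext []byte // encrypted payload, GCM tag included
	Label      string // plaintext metadata, authenticated as additional data
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts data under key with a fresh random nonce; aad is authenticated
// (tamper-evident) but not encrypted.
func seal(key, data, aad []byte) (nonce, ct []byte, err error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, data, aad), nil
}

// open reverses seal; any change to key, nonce, ciphertext or aad fails authentication.
func open(key, nonce, ct, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(nonce) != gcm.NonceSize() {
		return nil, errors.New("bad nonce length")
	}
	return gcm.Open(nil, nonce, ct, aad)
}

// Encrypt runs on the customer side before upload: a random DEK protects the
// payload, then the DEK is wrapped under the customer-controlled KEK.
func Encrypt(kek, plaintext []byte, label string) (*StoredObject, error) {
	dek := make([]byte, 32) // AES-256 data key, unique to this object
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	nonce, ct, err := seal(dek, plaintext, []byte(label))
	if err != nil {
		return nil, err
	}
	wrapNonce, wrapped, err := seal(kek, dek, []byte("dek-wrap"))
	if err != nil {
		return nil, err
	}
	return &StoredObject{WrapNonce: wrapNonce, WrappedDEK: wrapped, Nonce: nonce, Ciphertext: ct, Label: label}, nil
}

// Decrypt runs on the customer side after download: unwrap the DEK with the
// KEK, then open the payload. Without the KEK the stored blob is unusable.
func Decrypt(kek []byte, obj *StoredObject) ([]byte, error) {
	dek, err := open(kek, obj.WrapNonce, obj.WrappedDEK, []byte("dek-wrap"))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, obj.Nonce, obj.Ciphertext, []byte(obj.Label))
}

// ProviderSeesPlaintext is a sanity check on what leaves the customer boundary:
// true if the plaintext appears verbatim in any stored field.
func ProviderSeesPlaintext(obj *StoredObject, plaintext []byte) bool {
	return bytes.Contains(obj.Ciphertext, plaintext) || bytes.Contains(obj.WrappedDEK, plaintext)
}

func main() {
	kek := make([]byte, 32) // constructed stand-in for a KMS/HSM-held key
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	record := []byte("constructed payroll record: employee 42, salary 51000")
	obj, err := Encrypt(kek, record, "hr/payroll/2024-q1")
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored label=%q ciphertext=%d bytes, plaintext visible to provider: %v\n",
		obj.Label, len(obj.Ciphertext), ProviderSeesPlaintext(obj, record))
	back, err := Decrypt(kek, obj)
	if err != nil {
		panic(err)
	}
	fmt.Printf("customer-side decrypt ok: %q\n", back)
}
```

The design choice worth noting is that the label is passed as AEAD additional data: the provider can index on it in the clear, but if it (or anyone with storage access) moves the ciphertext under a different label, or alters a single byte of the payload or wrapped key, decryption fails rather than returning corrupted data.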
Microsoft cloud services, for example, publish details of security provision as part of their services. When you contract to use Microsoft cloud services (Azure AD and Microsoft 365 SaaS etc.), there are a number of security technologies built in to the cloud service that you can licence and use to protect your business assets.
Microsoft will normally help you establish and configure the various security tools through web resources or via their gold partner scheme. All you need to do is add the resources to operate them and give them a business risk focus.
So, what has really changed from the old in house/on prem model in terms of risk?
It is now a matter of trusting a larger and more resilient global organisation who, via your cloud contract and agreed SLAs with them, will host your business architecture, provide your infrastructure, some of your applications and provide support almost invisibly. You just need to recognise where their responsibility for security support to you ends and yours must begin.
Contractually, there are multiple hosting options you can select from, including hosting within specific geographies/hosting environments. Most cloud providers freely publish details of the security controls they have put in place, to minimise the risks to the elements of the business architecture and infrastructure that are contractually their responsibility.
Some of the more asset-centric security functions still rest with you, aided by a number of security services/toolsets, including some of the built-in security tools provided. However, if your risk tolerance really does not allow you to trust a cloud services delivery partner and accept the residual risks of operating this way, then clearly the risk/benefit balance of cloud services may still not be for you.
How Arcanum Will Help
As a vendor-agnostic security consultancy, we can provide your organisation with trusted, independent advice and guidance. Our consultants can support you in making a successful migration to the cloud without compromising security.
For more information, get in touch by calling: 01558 669140 or alternatively email: firstname.lastname@example.org