How to address the security risks of cloud migration [Q&A]
Cloud is an enabler of productivity and provides the infrastructure which supports modern distributed workforces. But it also poses a serious security risk to businesses that are unprepared to cope with modern threats. Figures from 451 Research show that 40 percent of organizations have experienced a cloud-based data breach in the past 12 months.
Organizations are spending millions on firewalls, endpoint protection and other security measures. What these organizations are missing, however, is visibility and control of security policies that govern 'what can talk to what' and 'who can talk to who' across the entire organizational infrastructure, including on-premises, cloud-native, and hybrid cloud. This creates security blind spots and misconfigurations.
We spoke to Nick Lowe, VP EMEA at Tufin, to find out how the benefits of cloud migration can be realized without creating security issues by leveraging a policy-based, automated approach to network security management.
BN: What are the risks of cloud migration?
NL: There is no doubting the incredible power of cloud technology, which offers abilities that can seem almost limitless. But this lack of limits also poses a security risk. Fast-paced cloud migration has the potential to create complexity that can quickly become unmanageable. In the cloud, resources and applications can be spun up and spun down automatically without security teams even knowing they exist, which means they are less likely to be secure.
The sheer volume of data generated by a large organization makes it extremely difficult for policies to be set and maintained across a large, sprawling data estate. The cloud will scale up automatically to meet demand and split up storage and resources, but it can be difficult to assess basic security details like, for instance, which storage bucket is linked to which application. The overexposure caused by rapid cloud activity means that many small problems combine to form a major security risk.
BN: How can organizations regain control of the cloud?
NL: When securing a cloud or hybrid environment, it is fundamentally important to apply consistent network security policies which work across a dynamic, ever-changing infrastructure. An organization's security is only as good as the policies that it defines and enforces.
Network security policies help govern who (and what) can access data and assets and orchestrate the behavior of critical parts of the infrastructure such as firewalls, routers and cloud security groups. If the policies are correct and applied across both on-premises and cloud, then security problems can be minimized and mitigated. However, the nature of the cloud can make creating and enforcing network security policies very difficult.
BN: How should organizations apply security policies?
NL: The nature of the cloud can militate against the consistent setting of policies. The cloud is elastic, allowing cloud assets, services, and workloads to scale up and down as needed via CI/CD automation processes. But when developers are spinning up applications or resources at speed, they may not apply the correct network security policies -- which means their creations are vulnerable to attack or compromise.
And because of the prominence of DevOps/GitOps processes in cloud computing, network security teams are often abstracted from the process, resulting in no visibility into cloud network security. Too often, security flaws are only noticed once an application is ready for prime time and promoted to production. This sets back the development schedule because the problems must be fixed.
BN: How can organizations regain control of their security policies?
NL: Realistically, there is no manual way of designing and establishing security policies across a vast hybrid cloud estate. It is simply impractical due to the vast proliferation of users, data, assets, applications and everything else that exists in the cloud. Automation is key, allowing policies to be set centrally and then applied automatically without human involvement.
When organizations use automation to manage policies, CISOs can take control and 'own' the security of the hybrid cloud whilst being reassured that their rules will be set and followed consistently.
BN: Why can policies not be controlled manually?
NL: Traditionally, organizations took a manual approach to managing policies -- which is understandable. It is relatively straightforward to lock down on-prem infrastructure because the addition of new resources required the installation of new hardware. If a network team is asked for a new server, they will go out and buy it, and apply the appropriate security policies before putting the new hardware into action. This is not the way cloud works. In an environment where developers can simply spin resources up and down whenever they want, the same scrutiny cannot be applied and organizations risk losing control of their policies.
There is a great opportunity for DevOps and security teams to work together in a way which enhances their work. Security policy should be incorporated directly into the CI/CD pipeline so that everything that is created by developers has policies and permissions incorporated right at the beginning of the process. Trying to do this manually or after an application has been built is a losing game unless automation is involved.
But by involving security teams (or at least incorporating security policies) at the beginning of the development process, issues can be addressed before they turn into problems.
BN: Are there any non-security benefits to implementing policies using automation?
NL: Absolutely. When policies are set centrally and then applied across the organization, continuous compliance can be achieved. When automation is involved and there is a solution which ensures visibility across an entire hybrid network, an audit trail of changes and approvals can be created. This helps with external and internal audits, as well as making sure that rules applied across the cloud environment adhere to regulations.
A solution that manages policies should also be able to audit approvals, exceptions, changes and compliance. Ultimately, automation is here to enhance the work of humans and make them more productive. When it comes to network security policies and compliance, automation can free organizations from the stress of worrying about securing a rapidly growing estate, simultaneously giving them confidence that the cloud is working at its best without creating the security issues that often accompany rapid migration.