As previously discussed in part one, cloud services are a fact of life in most organizations today – whether you know it or not. When attempting to address this problem today, there are three main areas where you should focus your efforts.
Reduce Your Exposure
First, you want to try and reduce the organization’s overall exposure when it comes to using cloud services.
A solid first action is to inventory the number and type of services currently in use. To do this, you should enlist a combination of technology and old-fashioned methods (a/k/a asking teams what they are using).
With a better idea of your current systems, you can then start working with the teams throughout the organization to ensure that they are aware of the risks and security challenges associated with the services they use.
An ongoing discussion and education campaign is a pillar of good security practice and critical to addressing the issue of multi-service use.
These discussions will also help inform your internal security policies. A strong, realistic policy will help establish a baseline for all stakeholders. It lays out the norms for your organization and acts as a standard to compare against for any new business initiatives.
Above all, the responsiveness of your internal IT services is instrumental in reducing your overall exposure. Many teams don’t want to go against policy or organizational standards, but don’t have a choice when internal service delivery is unresponsive.
As exposure is inventoried and scaled back (hopefully), your next step should be to implement a robust monitoring practice. This will require a lot of initial work followed by an ongoing effort. The variety of services and security controls applied to those services creates a unique challenge for each organization.
In general, you want to start with the lowest common denominator for monitoring (access logs, basic API access, network traffic, etc.). Where possible, these should be tied to business metrics and risk. For example, knowing that a business unit’s use of a cloud storage service is increasing week over week is a good monitoring metric (GB used) tied to a business risk (the exposure of that data on a 3rd party service).
Due to the nature of the problem, the best approach is a lot of spit, glue, and hope. This step requires a lot of manual effort but is crucial to being able to answer the deceptively simple questions, “Where is the organization’s data stored?” and “What’s its exposure?”.
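The week-over-week storage metric described above can be computed from basic egress or access logs. The following is an added example, not code from the original post; the log layout, business unit names, and `storage.example.com` are constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample: egress proxy records
# (timestamp, business unit, cloud service, bytes uploaded).
SAMPLE_LOG = """\
2024-03-04T09:12:00,marketing,storage.example.com,40000000000
2024-03-06T14:30:00,marketing,storage.example.com,20000000000
2024-03-12T10:05:00,marketing,storage.example.com,90000000000
2024-03-19T16:45:00,marketing,storage.example.com,150000000000
2024-03-05T11:00:00,finance,storage.example.com,30000000000
2024-03-13T11:00:00,finance,storage.example.com,25000000000
2024-03-20T11:00:00,finance,storage.example.com,28000000000
"""

def weekly_gb(log_text):
    """Sum uploaded GB per (unit, service) for each ISO (year, week)."""
    totals = defaultdict(lambda: defaultdict(float))
    for ts, unit, service, nbytes in csv.reader(io.StringIO(log_text)):
        iso = datetime.fromisoformat(ts).isocalendar()
        totals[(unit, service)][(iso[0], iso[1])] += int(nbytes) / 1e9
    return totals

def growing_usage(totals, min_weeks=3):
    """Flag (unit, service) pairs whose GB rose in every one of the
    last min_weeks observed weeks. Weeks with no records are skipped,
    not counted as zero."""
    findings = {}
    for key, by_week in totals.items():
        series = [gb for _, gb in sorted(by_week.items())][-min_weeks:]
        rising = all(a < b for a, b in zip(series, series[1:]))
        if len(series) == min_weeks and series[0] > 0 and rising:
            growth = (series[-1] - series[0]) / series[0] * 100
            findings[key] = {"gb_per_week": series,
                             "growth_pct": round(growth, 1)}
    return findings

if __name__ == "__main__":
    for (unit, service), info in growing_usage(weekly_gb(SAMPLE_LOG)).items():
        print(unit, service, info)
```

Pairs that show up here are the ones to raise with the owning team, since steady growth in GB stored means steady growth in data exposed on the third-party service.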
Smart Service Choices
With time, your monitoring practice will mature, and you’ll grow to have a better understanding of your business requirements.
The lessons you learn should be applied to selecting cloud services that align with your business needs as well as your security strategy and tactics.
The organization should select services that allow you to easily get data in and out, provide support for standard APIs (or at least logical and well supported APIs), and have a strong reputation for services and security.
Choosing a provider based on these attributes will go a long way in ensuring that you have a consistent approach to onboarding new cloud services.
Constant Learning and Improvement
Building a coherent security practice for organizations using multiple cloud services is a challenge today and will continue to be a challenge for the foreseeable future.
The most efficient way to address this challenge is to focus on:
These three areas create a solid foundation for any security practice. This will allow you to adapt and grow as the strategy for cloud security evolves, more and more services support standard APIs, and security technologies continue to provide innovative solutions that better address the new reality of modern IT service delivery.
How is your organization tackling the problem of defending multiple service types? Let me know in the comments below or on Twitter (where I’m @marknca).