Monday, July 1, 2024

Oh, Great and Powerful Cloud, I Wish to Be Free Of The Burdens Of Infrastructure!

Craig Burland, CISO, Inversion6

Cloud’s booming voice, amazing light show and smoke fill the room. “Faster! More agile! Cheaper! Business aligned! Strategic! I have the answers to all your technology questions. Imagine if you didn’t spend time managing your infrastructure, you could achieve it all!”

From the start of the cloud conversation, it should have been clear that there was something hiding behind the curtain. Like the great and mighty Oz, the cloud has its secrets. It’s not really magic.

Disappointing, but not surprising.

Regardless of the ratio of ingredients [Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS) and Infrastructure-as-a-Service (IaaS)] in a cloud cocktail, such as ½ SaaS, ¼ IaaS, ¼ PaaS, giving up infrastructure is not a panacea. It doesn’t make obsolete applications disappear, immediately fix poor hygiene practices, or waive security or compliance governance. It doesn’t suddenly make users cybersmart. And without a thorough understanding of how to use it and a diligent focus on doing so, it’s not cheap. The cloud is literally just someone else’s data center.

Smart organizations recognize this reality and join the conversation with their eyes wide open to understand that moving to the cloud is a trade, not a benefit. Smart cybersecurity leaders should seize the opportunity to use the cloud as a greenfield. Adhere to principles such as “secure from the start” and “proactive, data-driven governance” to build solutions that are more scalable, flexible, secure and cost-effective than alternative solutions.

Focusing specifically on the challenges of cloud infrastructure transformation, the lack of governance, with its cybersecurity subplots, is apparent. Interestingly, these problems are not new. The same problems exist in on-premise architectures. They just present themselves differently when planning a pivot to the cloud. Let’s tackle these challenges one at a time.

Application obsolescence is a failure of lifecycle management. Outdated on-premise applications create skill sets that cannot be upgraded and support teams that cannot evolve standards, and they dramatically increase risk. The cloud doesn’t solve these problems, but it brings the lifecycle conversation to the fore. Deprecated applications cannot be moved to the cloud. If your business wants increased performance and agility, you need to upgrade. Businesses need to upgrade to avoid being on the wrong side of their IT strategy. Cyber leaders need to double down on this one-time change to establish discipline around keeping solution components supported so that they don’t make the same mistakes again.

Poor technical hygiene results in vulnerability and in ignorance of the risks posed by misprioritization. Poor hygiene isn’t an “in-house problem”; it’s a people and process problem. The cloud’s hosting infrastructure does not automatically address vulnerability and patch management. Hygiene can be ignored just as easily in cloud workloads as on-premises. The cloud provides automation and visibility that on-premise environments may lack, but it requires other elements to run. Processes such as scheduling maintenance windows, validating applications after patching, and communicating with customers still require resources. Cloud transformation efforts open a window for cyber leaders to build effective vulnerability and patch management processes while reducing legacy roadblocks.

Security and compliance are still the most misunderstood aspects of the cloud. Cloud Service Providers (CSPs) operate under a model called the “Shared Responsibility Model”. In short, the CSP protects what it brings to the table: data centers, hardware, core networks. Organizations need to protect everything else: data, access, virtual servers, applications, identities, everything. This is the customer’s responsibility. CSPs provide tools to help with security, but do not enable, configure, or maintain them. To make matters worse, most security platforms implemented on-premise are generally not extensible to the cloud. Security teams must learn new tools and develop new processes to secure the cloud. Almost every day there are reports of cloud compromises, with hackers targeting poorly managed SaaS platforms or exploiting unprotected storage buckets. It is also the organization’s responsibility to address regulatory violations for data lost in these incidents.

The final area of cloud governance is cost. While not usually part of cybersecurity, controlling operational costs is part of every leader’s role. On-premise, the limited supply of licenses, hardware, and rack space limits the speed of scaling and controls costs. The cloud removes those governors to keep your business running at full speed. Without strong financial controls and an accurate cost-allocation model, new workloads will sprout like dandelions. Leaving these assets unattended can lead to serious budget disruptions. An article dating back to 2021 discusses the potential for organizations to overspend their cloud budgets if there is no upfront planning to put structured processes in place. Recent studies show that these predictions are coming true. The argument for greater planning and governance to ensure savings may win out if the arguments for lifecycle, hygiene and security are not convincing.

Broadly speaking, Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS) deliver the same promises but hide the same concerns. Obsolescence and hygiene are not issues with SaaS, but security and compliance definitely are. SaaS administrators who need to support their businesses quickly rarely understand cybersecurity or receive adequate security training before taking responsibility for Internet-facing applications. PaaS platforms partially mitigate obsolescence and hygiene risks by wrapping the lower layers of the application as services, but do nothing to manage the state of the custom code itself. An unpatched and unmonitored Ruby on Rails installation running on over-provisioned workloads can easily bring down a house.

As Dorothy, Lion, Scarecrow and Tin Man learned (the hard way), we can’t hope for a better world. It takes strong will, extraordinary courage, and practical intelligence to successfully walk that path and learn lessons along the way. Migration to the cloud offers tremendous potential—speed, agility, and strategic support—but only if you understand the trade-offs and take the time to make the most of the opportunities.

About the author

Craig Burland is the CISO of Inversion6. Craig brings decades of relevant industry experience to Inversion6, including most recently a role leading information security operations at a Fortune 200 company. He is also a former Technical Co-Chair of the Northeast Ohio Cyber Consortium and a former Customer Advisory Committee member of Solutionary MSSP, NTT Global Security, and Oracle Web Center. Craig can be reached online at: LinkedIn and on our website http://www.inversion6.com.
