As with many of my CISO colleagues, our businesses have been moving (sometimes slowly and sometimes very quickly) to the cloud. We see constant introduction of new SaaS applications and utilization of PaaS and IaaS services from Amazon, Microsoft, and others. At first the security teams pushed back on the use of Cloud but the IT teams and the business saw financial and productivity benefits in using cloud services. Security departments had to figure out how to secure these services. While many security professionals didn’t agree with the direction of the business, it was our job to secure it no matter which way it was moving. There was a feeling among security professionals that we were always playing catch up. We had a paradigm of security when all was inside our network that we are adjusting to include the cloud. Is it time to think differently?
If you were starting your business today, what would your IT environment look like? Would you have your own IT systems? Would you be running internal email? Would you even have an internal network? I think for most businesses the answers to the above would be no. All of your systems would be built and run in public cloud infrastructure. Email, storage, collaboration, and instant message services would be provided by the likes of Microsoft and Google. Internal networks would just be local LANs with internet access. No network backbone is needed. And, would you provide the end users with laptops or just let them use their own?
Protecting an environment like this would require multiple layers of security. Let’s start with the endpoint. Strong anti-malware protection, DLP protection, and vulnerability, configuration, and patch management are required to keep the endpoints secure. These endpoints are all directly on the Internet with no network level protections and need to protect themselves. We have these users today with our sales people and when people work from home or the airport or the hotel. In this new environment, it is all of our users.
"Having a central, cloud based identity management tool integrated with a SAML based Single Sign-On tool will help secure the ‘New Perimeter’"
“Identity is the new perimeter.” We have been hearing this for years now and in this environment it is paramount. With the Internet being your new corporate network every application, server, and service needs to thoroughly identify the connection and access requests—and passwords are not good enough. In the old paradigm accessing the corporate network required either a physical network connection or VPN access utilizing multi- factor authentication. With all assets being directly on the internet each individual application, server, and service needs to require multi-factor authentication.
Also inherent in implementing “Identity is the new perimeter” is the management of users and user accounts. Each person should have 1 identity and that identity should be utilized across all of the assets. If a user leaves your company then all applications, servers, and services should know immediately that the user is no longer permitted to have access. Having a central, cloud based identity management tool integrated with a SAML based Single Sign-On tool will help secure the “New Perimeter”.
In this new paradigm, your business is utilizing SaaS applications and internally written applications running IaaS and PaaS in the public cloud. In both of these situations you will be depending on the service provider for much of the security and you need to do your homework. SaaS providers should provide you with independent reviews or audits that show proper security controls are in place and that the application is free of vulnerabilities. A SaaS service that is SOC 2 Type 2 Compliant indicates that the service follows secure practices. A clean third party penetration test and vulnerability scan shows that the application is free of known vulnerabilities.
Many SaaS applications provide you with the ability to configure the application to your liking. Ensuring that the application is configured correctly and securely is critical and is something that your security team should do.
Speaking of secure configurations, most of the primary public cloud providers of IaaS and PaaS services have sufficient certifications to show secure practices. However, these certifications show that the IaaS and PaaS services themselves are secured. It is very possible to use these services in an unsecured way. It is very important to use the features provided to create secure applications in secure network segments just as you would if you hosted these applications yourself.
Your end users will be working directly on the internet. Keeping them safe when web surfing is a critical function that cannot be overlooked. In the old paradigm we used on-premise proxy servers to protect the users. In this new paradigm, a cloud based proxy type service should be used. These can also help enforce HR and business policies for acceptable web content.
The security controls in this paradigm are very similar to those we have been using for years. The difference is, we are using the cloud to secure the cloud. And since the business is moving quickly to the cloud, it only makes sense that security should do the same.