Marc Ashworth CISSP, CISM, CRISC, Senior VP – Chief Information Security Officer, First Bank
The past year has taught us that even the most rigid businesses can be flexible. A pandemic like Covid-19 can do that to a company. With much of the office staff, IT, engineering and executives all working remotely, companies have seen that efficiencies can take place in a remote working environment. As the pandemic begins to subside and vaccinations increase, companies are evaluating their return-to-work strategies. A long-term remote strategy is under consideration for many companies.
Part of the strategy is the need for office space and dedicated space for servers and storage. Many systems are another year older now; therefore this may be a good time to evaluate moving to the cloud rather than investing in new hardware that you may no longer have a physical location for due to reduced office space. Times of hardware replacement are the best times to determine strategic shifts. A shift to the cloud, virtual desktops, SASE, or even software-defined networking may have a reasonable ROI when the timing is right. Other factors, such as a reduced need for office space and difficulty in finding technical personnel to support the equipment, may also favor a shift to the cloud.
As long-term remote work strategies become more realistic, the adoption of cloud technologies from AWS, Azure and GCS will increase. Likewise, I would expect an increase in shared data center spaces to take place.
The shift to the cloud will have its challenges, in part because current IT staff must obtain the knowledge to safely run those systems in those new environments. Experienced resources are in limited supply and very expensive at this time. Therefore, finding a trusted partner for the platform of choice will be the best option. Providing training and encouraging certifications for existing IT and security staff will be necessary and will help them grow and stay updated. Keep in mind that this growth comes at a cost, because your team becomes more valuable and very sought after. This increase in salaries and training must be factored into the budget.
Any investment in the cloud by either development or IT teams should involve a strong partnership with the company’s security team. In fact, I would argue that the security team should own the cloud move. It is a great time to rethink security and how things are done in the organization. Just as with any on-premise system that connects to the internet, a system in the cloud carries an increase in risk. The cloud configurations are no different. A simple checkbox can be the difference between data that is secure and data that is exposed for all to see, ending up on the nightly news for a breach. Having the security team set up the cloud environment in a secure state with proper monitoring and automation will help reduce the risk when other teams begin to create objects in the cloud environment.
We have seen time and time again that leaked databases and files out on the cloud were not due to the cloud provider but instead to misconfiguration by the company that owned the data. Constant review and strict procedures must be developed to reduce the risk of a misconfiguration. Just-in-time credentials with MFA should be used to make sure that no one has default privileged access. The risk of credential stuffing is too high with billions of credentials available on the internet. Any sort of access to the cloud environment must have MFA turned on with least-privilege access principles in effect.
The move to the cloud and co-location data centers can be an exciting time for IT and security staff. It provides a time to re-architect the legacy environment around modern-day best practices or to adopt concepts such as Zero Trust. The project can be stressful, but very rewarding to the teams when done correctly. It can allow the staff and executives to sleep a little better knowing that your company’s data is running faster and safer.