As a wave of recent digital transformation= has shown us, improving your company’s business results is tightly related with improving IT. These improvements seek better scale, speed and sophistication of business processes. In many cases, they involve a significant adoption of cloud . Cloud environments bring a wealth of possibilities, but comes with an added cost: it forces organizations to understand how they should adapt security processes for a new technology landscape.
In looking both at broad survey data and in-depth interviews from a variety of organizations, we develop a clear picture of what cloud transformation looks like. As organizations look for agility and scalability, they're not simply moving back-end resources from on-premises or co-located data centers to cloud. Instead, they’re adopting a new prospective of how they deliver IT. Amid this conversation, security is a key concern. As such, security leadership should be consulted with during early planning stages.
Organizations are, on aggregate, using hybrid environments, with significant on-premises resources but also presence in multiple clouds, though individual projects often focus on a single cloud environment. In a recent survey, only 29% of respondents indicated they use a single cloud provider and when segmenting workloads, nearly 50% of respondents indicated that their 'main' provider houses 80-100% of their workloads.
Within organizations, cloud transformation efforts affect multiple teams, including lines of business, general IT and security teams, each having different objectives and constraints. One increasingly common theme is the adoption of DevOps practices, where development and operations professionals collaborate within tighter groups and have fast and frequent feedback loops between them. Another key trend is that these teams are increasingly implemented as multiple, independent work streams within lines of business, forcing central teams, such as security, to support multiple parallel initiatives. This places security teams at a disadvantage, as it's impractical for them to cover security details across the multitude of technologies being used by different teams.
Cloud services providers understand the demands placed on security teams and understand that security is often a barrier to further cloud adoption. One approach that providers have implemented aiming to improve the understanding for security teams is by presenting a delineation of responsibilities under the “shared responsibility model.” These models typically show which responsibilities lie with the customer and which lie with the service provider, but to many customers they introduce uncertainty. Survey results and interviews indicate that more experienced teams understand that key areas such as identity management, including multi-factor authentication, and encryption/key management are key customer responsibilities.
As security teams look to better support cloud transformation projects, there is increased realization that teams need to improve their skillsets around cloud platform expertise and application security. Many organizations have adopted a mindset of creating cloud expertise within their existing team structures rather than creating new teams. This gives them the opportunity to simply include cloud security as one more domain under existing processes such as risk management, incident response and security architecture design. As these organizations seek to address specific requirements of cloud environments, there is increased focus on identity and access management, encryption and key management, and compliance considerations.
For organizations looking to secure their cloud transformation efforts, they're more likely to be successful if they consider a variety of initiatives, at different levels within the organization and across multiple technical and organizational dimensions:
- First, they should acknowledge cloud transformation as a key strategic initiative and properly support it as such. This includes realigning incentives and risk management responsibilities across teams and supporting stakeholders with necessary skills and/or tooling.
- Choosing which projects or applications to migrate should be considered key aspects of the application lifecycle and underlying dependencies.
- It is critical to align collaboration between security and engineering teams to properly communicate plans, timelines and objectives.
- Lastly, at a more tactical level, security teams should work with cloud engineering and architecture teams to implement practices such as threat modeling, as well as work to integrate security controls within the engineering workflows.
The key finding from the surveys and interviews is that securing cloud transformations should be done under existing processes, with efforts directed to improving existing people, processes and technologies. This approach will likely better equip organizations to address current demands and be in a better position to support future changes in scale, technologies or regulatory regimes.
Check out the 451 Research Report: Securing Cloud Transformations and watch on-demand our recent webinar, "Learn from Cloud Transformation Leaders" for more information and detail.