Scott McKellar is currently a Technical Consultant at Mimecast, where he has been since early 2019. Scott has been working in the technology industry for fifteen years and is passionate about technology and security. Scott enjoys understanding his customers' and prospects' often complex business challenges and aligning them with technology to solve problems and add value. Prior to his role at Mimecast, Scott headed up the technology team for a leading Australian Wi-Fi analytics SaaS and IaaS provider, Discovery Technology (a Data#3 company).
Digital transformation is a catalyst for businesses to unlock benefits such as reduced ongoing costs, granular customer insights, targeted messaging techniques, scalability, quick turnaround times and faster ROI. However, each company has its unique needs, and what its transformation journey looks like depends on its end goals. Given the growing need for flexibility and agility, it’s no surprise that businesses are moving their servers and applications to managed service environments or public clouds.
According to IDC, the hybrid cloud workload security market is forecast to grow at a rate of 19% by 2025. The multitude of benefits also brings a whole new set of security vulnerabilities and risks. Have a short chat with the project manager handling your transformation process, and you'll quickly discover transitioning to the cloud is anything but straightforward. After all, you don’t want a hacker mining cryptocurrency on your server or tampering with your critical business data.
Security needs to be at the centre of your cloud migration strategy
To properly defend your evolving digital infrastructure, your approach towards security and the culture of IT teams will need to change. In addition to firewalls and virtual private networks (VPN), you will need advanced security tools to protect your off-premises applications and servers while upskilling your team for the cloud. This change in approach calls for new security checkpoints and tighter control on the infrastructure. Another challenge is to catch up with the speed of transformation and be able to add security checkpoints on the fly. Every time you integrate a new application or introduce a new digital process, there’s also a new cybersecurity risk which needs to be accounted for.
The solution is to cultivate a community of security-savvy professionals within your organisation and align them with your operational processes. Similarly, your cybersecurity checkpoints at the application level need to align and coordinate with human checkpoints across functions to ensure a secure, seamless and robust digital infrastructure transformation.
The cloud security paralysis
Cloud adoption is one of the essential components of your digital transformation journey. It is the fabric that holds your infrastructure together. But how to implement the transformation is often a hotly debated issue. Many of our customers struggle to prioritise the migration of their key applications to the cloud. To add to the challenge, security features vary from vendor to vendor, so ensuring security becomes challenging when you’re transitioning to a multi-cloud environment.
In practice, the security tools of each cloud solution typically work in silos, resulting in wildly varying levels of security across the organisation’s ‘cloud stack’. This inconsistency in protection levels can lead to a kind of ‘security paralysis’, making your organisation’s infrastructure vulnerable to threats.
Hybrid cloud or multi-cloud environments and remote work arrangements are also driving the need for more security checkpoints. Your cloud service provider and IT team have a shared responsibility towards cloud solution security.
Cloud service providers have a responsibility to ensure security at their end – they use essential security tools to protect their data centres and virtualisation platforms against malware and physical security threats. They typically have cloud security posture management (CSPM) tools that constantly monitor for configuration errors that can cause security threats, and mitigate them. But that’s about as far as they can go.
Ensuring safe and secure access to applications hosted on the cloud becomes a shared responsibility. At your end, you are responsible for securing application access, configurations and permissions for all applications you host in the cloud. Without a plan to safely migrate your core applications to the cloud, you’re opening yourself up to a lot of unnecessary cyber risk.
The first step is to conduct a thorough analysis of your application portfolio to understand the dependencies of each application and classify each one as easy, moderately complex or difficult to move. Then it’s the Project Manager's job to get the migration done. Let's see how we can address the gaps in security that are likely to occur in a cloud migration process.
Application-level security checkpoints are the way to go
Traditionally, access to the network was widely used as the main security checkpoint. There was a lack of application-level checkpoints, which meant that once hackers got into the network, it was easy for them to launch phishing, DDoS, ransomware and other such attacks.
The rise of complex, interconnected DevOps applications made security even more complicated. Network security is no longer enough; the applications themselves need to be secured.
Modular development was the gift of DevOps — it sped up the development process, performance, agility and scalability of applications. But security often took a back seat in the process.
Today, most applications are built by assembling pre-made APIs and microservices. That means any unknown vulnerabilities in those APIs or microservices will likely be carried over into the application itself. In fact, multiple applications could be using the same APIs and microservices. Imagine the domino effect even one compromised node can have across this complex map of interconnected applications. Malicious actors are aware of this, which is why API attacks are expected to become one of the most common attack vectors in the near future.
That’s why it’s so important to use tighter security checkpoints at the granular level. Application layer security checkpoints are the way to do this. They provide visibility into application infrastructure, user activity, sensitive data, and device authentication.
The solution comes in the form of web application and API protection (WAAP) services. WAAP services provide security checkpoints between applications to safeguard them against phishing, bot and DDoS attacks.
Your to-do list for a holistic, security-first approach to cloud migration
While it can be challenging, having a security-centric approach for cloud migration will save you a lot of time and heartache. By following this list, you’ll reduce the need to go back and conduct security audits or process overhauls post-migration. Let’s get into it.
Configure your applications: When implementing applications, outline what normal user behaviour should look like and look for vulnerabilities to combat. Next, explore the security features offered by your cloud platform and make sure security settings are configured correctly. Factor in WAAP and develop the capability to manage bots and DDoS attacks. Use any existing analytics capability to monitor user activity and generate insights. Set automated security triggers in case of threat detection. If you have a large data pool, you can leverage machine learning algorithms to identify and eliminate risks in real-time.
Only use whitelisted applications: Make sure your organisation only uses applications that have proven security features and are compliant with security standards. Compile a list of whitelisted applications that meet your security criteria and ensure only those are used by your organisation.
Set up user permissions: Your cloud vendor is responsible for most security checkpoints; however, you control critical identity and permission checkpoints. The onus is on you to responsibly grant access to approved users only.
Ensure multi-cloud security coverage: Identify and address gaps in the protection offered by multiple cloud providers. Insist on baseline security standards for any digital infrastructure, both internally and from your cloud service providers. Consistency in security is essential. This may require you to establish formal cybersecurity policies for working with third parties.
Break the silos
Built-in cloud security features can take a significant burden off your security teams. Your digital transformation, security and application teams need to work in tandem to provide the ideal protection for your business data, applications and customers. Regroup with your digital transformation team to avoid setbacks and document your security strategy. If you find yourself nodding in agreement, well done! You are right on track for carrying out a smooth, secure and effective digital transformation.