As recently as 2017, security and compliance professionals at many of Tripwire’s large enterprise and government customers were talking about migration to the cloud as a possibility to be considered and cautiously explored in the coming years.
Within a year, the tone had changed. What used to be “we’re thinking about it” became “the CIO wants to see migration starting this year!” By 2018, many customers were fully immersed in an aggressive campaign to revamp their IT environments.
The business benefits of shifting to cloud-sourced infrastructure, platforms and software are well known. Often less understood, at least by many senior leaders making large-scale investment decisions, are the security and compliance nuances of such a shift. In managing risks in new, usually hybrid, environments, organizations will face both challenges and opportunities.
Cloud-hosted IT doesn’t necessarily mean less secure. There are many security enhancements offered by hosting services which may not otherwise be effectively implemented in a business whose core competencies don’t include IT.
Infrastructure-as-a-Service, for example, often comes with built-in patch management, secure configurations (or at least securely configurable settings), system redundancies, data backups and incident response—so security is not always compromised; it can actually be improved in some ways. But cloud-hosted IT does mean security is different.
Much of the difference comes from the expanded scope of coverage needed. There are generally three areas that need to be considered:
- Security of cloud-hosted assets. Simply stated, this is an extension of what has always been needed on-prem: security controls on virtual servers, databases, workstations, etc., which process data and do the work. While the host may be different (physical to virtual, on-prem to hosted), the security metrics, measures and tools remain similar.
- Security of cloud accounts. This is the customer-centric cloud
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Maurice Uenuma. Read the original post at: https://www.tripwire.com/state-of-security/security-data-protection/managing-cyber-risks-cloud-sourced-environment/