Although it is early in the investigations into the recent Capital One breach, one can certainly draw some preliminary conclusions. Primary among these is the need for continuous attention to detail when moving workloads to public cloud environments.
The transition to public clouds such as Microsoft Azure, Amazon Web Services (AWS), Google Cloud or Oracle Cloud is easier than ever. Understandably, public cloud has become an accelerator of businesses worldwide and a likely keystone to Capital One’s objective of leading the industry as a technology-centric financial institution. Shifting workloads to public cloud, while easy, requires transformational strategy and activities fully integrated with a company’s security strategy—lest companies miss important yet basic details required to secure data.
Building a Cloud Transformation Strategy
Building a strategy and completing cloud transformation requires significant partnership across the enterprise, including IT operations, security, applications/development and business operations. Given the consequences of a data breach, enterprises cannot afford to accept skill gaps or a lack of due diligence in any of these areas. If a deficiency is identified in any key area, engaging a trusted partner with skills in integrated cloud transformation is key to executing a successful cloud transformation road map.
A cloud transformation strategy begins with detailed data analysis, including sensitive data held by the entity or its associates, where it is stored today and where it will be stored for business enablement in the future. While this is a very business-informed analysis, it is the foundation of any information security program and any public cloud transformation.
Second, identify the steps required to harden your cloud deployment to meet existing (or improved) security standards. This hardening often doesn’t take place before data and workloads are moved to public clouds, which is one of the easiest to make, yet highest-risk, mistakes an enterprise can commit. Hardening standards developed for traditional deployments typically omit the cloud provider’s newer security features as well as standard features that, in the cloud, are configured or controlled at the application layer.
Once hardening is in place, continuously verifying that it stays in place is critical. This can be achieved through a healthy DevOps program that incorporates security into the release management process. For more persistent workloads, strong change and configuration management reviews are critical to making public cloud assets far less attractive to potential attackers; these reviews should cover the entire state of the environment (storage exposure, network rules, logging, identity configuration), not just application or system vulnerabilities.
Last, and most importantly, an access management strategy that incorporates secure cloud technologies and sunsets legacy vulnerable access methods is mandatory. Multi-factor authentication is highly recommended. Privileged access should be centrally managed, typically via a privileged access management (PAM) tool, and global admins to the cloud environment should be vigorously restricted. An identity and access management tool should be used to ensure that access is provided only to those who need it for their job and reviewed regularly.
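The two controls just described, configuration-drift detection against a hardening baseline and a least-privilege access review (MFA, wildcard grants, restricted global admins, stale accounts), are easiest to keep honest when they are expressed as code and run on every change. The following is an added example, not code from the article or from any provider; the baseline, environment snapshot and identity inventory are constructed data, and the field names (`public_access`, `mfa_enabled`, `global_admin`, and so on) are assumptions standing in for whatever a real cloud inventory API returns.

```python
"""Policy-as-code checks for a hardened cloud deployment (added example).

Two functions: find_drift() compares a running-environment snapshot to a
hardening baseline; review_access() flags identities that violate the
access management rules described above. All data here is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed hardening baseline: settings the deployment must always hold.
BASELINE: Dict[str, Dict[str, object]] = {
    "storage/customer-data": {"public_access": False, "encryption_at_rest": True, "access_logging": True},
    "compute/app-tier": {"legacy_metadata_endpoint": False, "public_ip": False},
    "network/edge-waf": {"enabled": True, "mode": "block"},
}

# Constructed snapshot of the running environment; it has drifted in two places
# (logging switched off, legacy metadata endpoint re-enabled) and lost nothing.
CURRENT_STATE: Dict[str, Dict[str, object]] = {
    "storage/customer-data": {"public_access": False, "encryption_at_rest": True, "access_logging": False},
    "compute/app-tier": {"legacy_metadata_endpoint": True, "public_ip": False},
    "network/edge-waf": {"enabled": True, "mode": "block"},
}


def find_drift(baseline: Dict[str, Dict[str, object]],
               current: Dict[str, Dict[str, object]]) -> List[str]:
    """Return one finding per setting that deviates from the baseline.

    A resource missing from the snapshot is itself a finding: a hardened
    control that silently disappears is drift, not a clean result.
    """
    findings: List[str] = []
    for resource, expected in baseline.items():
        actual = current.get(resource)
        if actual is None:
            findings.append(f"{resource}: missing from environment snapshot")
            continue
        for key, want in expected.items():
            got = actual.get(key, "<unset>")
            if got != want:
                findings.append(f"{resource}: {key} is {got!r}, baseline requires {want!r}")
    return findings


@dataclass
class Principal:
    """One identity in the cloud tenant (constructed shape, assumed field names)."""
    name: str
    kind: str                   # "user" (human) or "service" (workload identity)
    mfa_enabled: bool
    actions: List[str]          # permitted actions; "*" means unrestricted
    days_since_last_use: int
    global_admin: bool = False


# Constructed identity inventory.
PRINCIPALS: List[Principal] = [
    Principal("alice", "user", True, ["storage:GetObject"], 2),
    Principal("bob", "user", False, ["*"], 5, global_admin=True),
    Principal("ci-deployer", "service", False, ["compute:UpdateInstance"], 1),
    Principal("old-contractor", "user", True, ["storage:ListBucket"], 120),
]


def review_access(principals: List[Principal], max_global_admins: int = 2,
                  stale_days: int = 90) -> List[str]:
    """Flag identities that break the access management rules above.

    Humans without MFA, any wildcard grant, accounts unused beyond stale_days
    (candidates for the regular access review), and a global-admin population
    above the agreed ceiling each produce a finding.
    """
    findings: List[str] = []
    for p in principals:
        if p.kind == "user" and not p.mfa_enabled:
            findings.append(f"{p.name}: MFA not enabled")
        if "*" in p.actions:
            findings.append(f"{p.name}: wildcard (*) permission grant")
        if p.days_since_last_use > stale_days:
            findings.append(f"{p.name}: unused for {p.days_since_last_use} days, review for removal")
    admins = [p.name for p in principals if p.global_admin]
    if len(admins) > max_global_admins:
        findings.append(f"global admins exceed limit of {max_global_admins}: {', '.join(admins)}")
    return findings


if __name__ == "__main__":
    for line in find_drift(BASELINE, CURRENT_STATE) + review_access(PRINCIPALS):
        print(line)
```

Run on every change to the environment (as a pipeline gate and on a schedule), a non-empty result from either function is the signal that the hardening or the access model has moved away from what the security strategy agreed, and the finding text names the exact resource or identity to fix.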
With an enormous amount of data combined with required protections, how does a CISO ensure that every detail is handled correctly? As we have seen, even the largest companies have been breached, and the root cause can often be traced back to negligence or a lack of understanding of the impact of employee actions or inaction, however well-intentioned. There are several ways to add checkpoints that overcome this.
Managed Services Provider
Consider using a managed services provider (MSP) that has significant experience transforming workloads to run in public, hybrid and multi-cloud environments. Select an MSP that has that experience, provides a detailed SOC 2 audit report from a well-known auditor and preferably knows your industry. Check their references with similar companies.
An MSP can be instrumental in identifying what sensitive data you hold and where it lies, and in protecting it according to industry standards with server hardening, encryption, MFA, high availability, etc.
Managed Security Services Provider
Consider engaging an MSSP to augment your information security staff. Make sure that they can have a good working relationship with any managed IT services provider you partner with so that necessary changes can be made quickly. Using an MSSP gives you another set of eyes besides your own staff to run audits and go over the results.
Do not forget to have them perform the necessary due diligence on data in the cloud, even in clouds run by reputable companies. Just because the data is partially protected by the cloud provider does not mean it is exempt from the same protections and auditing enforced in more traditional settings.
Engage a Third Party
Engage a third party to conduct extensive penetration testing at least quarterly, or more often depending on the impact that could occur should your sensitive data be exposed. Again, ensure that remediations for critical and high findings are implemented quickly. Also, engage a third party to search for any data that is not in a location you expect. Entities are often surprised to find that an employee or contractor has uploaded sensitive data to an internet site without authorization to do so.
Security is Top Priority
Finally, make information security and privacy a top priority and part of your company culture by embedding security into the business. If it is done well, employees will ensure that any data they control is secured and will act as extended eyes for the CISO to find and report anomalous behavior or possible vulnerabilities, while network and server administrators will ensure configurations and hardening are done promptly.
Although verifying every detail may seem like an insurmountable task, prioritizing your cloud transformation process based on data sensitivity, using expert service providers, running regular testing and audits, and empowering an engaged and security-conscious workforce to report issues will go a long way toward achieving your goal.