You contracted a builder to construct a new house on land you acquired, and he says it’s ready for you to pack up your stuff and move in. Upon inspection, you realize that the doors have a single deadbolt lock, windows on the first floor are easy to remove, and they haven’t installed the video alarm system. Are you ready to move in, or will you insist that the contractor address these security gaps first?
The question of security readiness plays out every time a devops team configures new cloud environments, lifts and shifts an application to the cloud, or deploys cloud databases and data lakes. It takes a significant team effort to have all the technology ready for cloud migrations, and it takes discipline to address potential security vulnerabilities before opening up cloud services to the business.
But here’s where the analogy ends – because a house is much easier to secure than a cloud migration.
We understand how most people use their homes and the most common security threats they face, but neither is as straightforward for cloud applications and databases. How employees access and use the underlying data keeps evolving, as do where people work, what tools they integrate, and the scale of the underlying operations. The security risks are also increasing because more employees work from home, and more companies collaborate with outside partners. Configuring and monitoring cloud services requires thinking through and managing these security use cases.
Devops teams need security guardrails
Top devops teams should take a test-driven approach to securing their cloud environments. Just as they develop test cases for microservices and applications before developing the functionality, the team should have a checklist to check cloud environments for security vulnerabilities before, during, and after cloud migrations.
Here are some steps that might appear in a cloud migration security checklist:
- Before migration: Lock down network endpoints, configure data access privileges, and install monitoring agents.
- During migration: Update the CMDB, validate application access controls, and update IT operations management systems.
- After migration: Monitor endpoints, remediate vulnerabilities, and consolidate servers based on utilization.
The checklist helps bring a “shift-left” security mindset to devops teams who are under pressure to migrate more applications to the cloud, increase deployment frequency, and develop new analytics capabilities.
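The before-migration items in the checklist above, written as tests that gate a cutover; this is an added example, not code from the original article. The inventory format, field names, port list, and function names are assumptions made for illustration.

```python
# Added example: pre-migration checklist items as automated checks.
# The inventory schema below is hypothetical, not any vendor's format.
ADMIN_PORTS = {22, 3389, 5432}        # SSH, RDP, PostgreSQL (assumed list)
ANY_SOURCE = {"0.0.0.0/0", "::/0"}    # "reachable from anywhere"

# Constructed sample inventory, as a team might export it before cutover.
INVENTORY = [
    {"name": "web-01", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}],
     "data_grants": [{"principal": "svc-web", "actions": ["read"]}],
     "monitoring_agent": True},
    {"name": "db-01", "ingress": [{"port": 5432, "cidr": "0.0.0.0/0"}],
     "data_grants": [{"principal": "*", "actions": ["read", "write"]}],
     "monitoring_agent": False},
]

def check_endpoints(res):
    """Lock down network endpoints: no admin/database port open to everyone."""
    return [f"endpoint: port {r['port']} open to {r['cidr']}"
            for r in res["ingress"]
            if r["port"] in ADMIN_PORTS and r["cidr"] in ANY_SOURCE]

def check_data_access(res):
    """Configure data access privileges: every grant names a principal."""
    return [f"data access: wildcard principal may {'/'.join(g['actions'])}"
            for g in res["data_grants"] if g["principal"] == "*"]

def check_monitoring(res):
    """Install monitoring agents: the agent must be explicitly present."""
    return [] if res["monitoring_agent"] is True else ["monitoring: agent not installed"]

CHECKS = (check_endpoints, check_data_access, check_monitoring)

def pre_migration_findings(inventory):
    """Run every check on every resource; a missing field fails closed."""
    report = {}
    for res in inventory:
        findings = []
        for check in CHECKS:
            try:
                findings += check(res)
            except KeyError as missing:
                findings.append(f"{check.__name__}: field {missing} not inventoried")
        if findings:
            report[res.get("name", "<unnamed>")] = findings
    return report

def ready_to_migrate(inventory):
    """The gate: migrate only when no resource has an open finding."""
    return not pre_migration_findings(inventory)
```

Running the same checks again after cutover turns the gate into the ongoing monitoring step of the checklist.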
After the migration: Data protection drives security hygiene
IT and security teams have many best practices to protect technology assets that change infrequently, and they focus on locking down endpoints, securing communications, patching systems, and intrusion monitoring.
Application and business services running in the cloud need these protections – and a lot more.
That’s because common goals in moving services, apps, data stores, and business systems to the cloud are to increase access to more people and grow utilization. Most business leaders want to improve data-driven practices and view cloud migrations as a means to scale systems, improve performance, increase workflow integrations, and provide better hybrid-work employee experiences.
Migrating to the cloud increases security risks, and proactive IT and security groups respond by monitoring their sensitive data. As data increases, utilization grows, and new use cases emerge, these teams need tools that align access rights to business needs and track data access.
Moving applications and data to the cloud has many business benefits, but IT and security leaders need the ability to manage ongoing data security challenges starting from the early stages of cloud migrations.
About the author:
Isaac Sacolick, President of StarCIO, is the author of the Amazon bestseller Driving Digital: The Leader’s Guide to Business Transformation through Technology and an upcoming book, Digital Trailblazer: Essential Lessons to Jumpstart Transformation and Accelerate Your Technology Leadership. He covers agile planning, devops, data science, product management, and other digital transformation best practices. Sacolick is a recognized top social CIO, a digital transformation influencer, and has over 800 articles published at InfoWorld, CIO.com, his blog Social, Agile, and Transformation, and other sites.
This post is brought to you by Tanium and CIO Marketing Services. The views and opinions expressed herein are those of the author and do not necessarily represent the views and opinions of Tanium.