CIO followers expound on ways to stay secure when moving to the cloud. Credit: iStock For as long as organizations have been interested in moving resources to the cloud, they’ve been concerned about security. That interest is only getting stronger as cloud usage grows – making it a perfect topic for the latest #CIOTechTalk Twitter chat. The chat brought together a host of security consultants and practitioners who weren’t shy about weighing in with their thoughts on a series of questions around the main topic: how to remain secure during cloud migrations. It’s a timely topic given the rapid cloud migration currently underway. More than two-thirds of the 850 IT leaders who participated in a recent Foundry survey said they were accelerating their cloud migration. Yet, of the top 10 challenges they face, four relate to security: Data privacy and security challenges, cited by 35% of respondentsLack of cloud security skills/expertise: 34%Governance/compliance: 29%Securing and protecting cloud resources: 25% To get the ball rolling, host Isaac Sacolick (@nyike) asked what main security challenges teams encounter when migrating to the public cloud. Among the responses (edited slightly for clarity; this was Twitter, after all): – Lack of visibility/control over [network] activity– Complex compliance requirements compounded by lack of internal compliance expertise– Insider threats and malicious activity– and the list goes on and on @willkelly Easy to come up w/50 #cloud #infosec challenges. Significant is ensuring cloud code repositories are secured, especially for #GitHub. Many recent breaches, including #LastPass #Okta #Intel & #Samsung, where attackers got source code access. @benrothke Sacolick noted in the early days of cloud, he’d see cloud-certified architects’ drawings with no mention of security and wondered if things were better today. Yes but it’s a tale of two cities. The “aware” are mature and focus on #DevOps and integrated ways to deploy secure capabilities (like programmatically deploying firewall rules in #cloud). [Between them and] those who are not is a HUGE gap – not a lot in the middle. @DigitalSecArch Imagine designing an office building without architectural plans. It’s called a disaster. @benrothke When asked how security teams should protect data applications and who’s responsible for security, respondents were quick to answer with some variation of: It is a shared responsibility between the cloud service provider and the customer. @ArsalanAKhan But respondents disagreed on how clear those responsibilities are to customers: Too often, without full understanding, shared responsibility = false sense of security. @BrendenBosch Except it is not fine print. The #cloud service providers make it very clear. They post it on their web site. They share it in their portal. They send it to the customer. @benrothke Wayne Anderson, a security and risk management leader at Microsoft, offered his “personal guide to cloud security shared responsibility”: If it’s in your interface (compute, network, FW, DB, identity etc.), you own it.That’s EVERYTHING except the hyper-scale management plane. Your #cloud CSP won’t save you. @DigitalSecArch Next up was the question of how on-premises assets can securely link to cloud assets, which likewise generated some healthy back-and-forth. Integrate on-premise data center to #cloud, consider using VPN, direct connect, or dedicated network. Implement identity and access management, and continuously monitor and update security posture. @CraigMilroy VPN, Direct Connect, Secure Gateways, IAM, Encryption, Network Segmentation, etc. These measures help ensure that data is securely transmitted between the on-premise and cloud environments, and that access to sensitive data and applications is tightly controlled. @ArsalanAKhan This is part of it, but just as much is assuming the connections are public internet, and then designing the application to deal with that reality – hostile network. #encryption, managed #latency, #identity inspection, and certificate validation, etc. @DigitalSecArch Assume that there are no boundaries and everything is on the open #internet. Secure from there. @CPetersen_CS Next the #CIOTechTalk chat focused on which governance and compliance issues organizations need to take into account before migrating to public cloud, another of the top security issues cited in the Foundry survey. Prior to #cloud migrations, orgs to consider governance & compliance issues such as #dataprivacy, regulations, industry standards, & internal policies. Assess end to end risk/#security, PIA, clearly define data ownership via #datagovernance. @CraigMilroy Your team has same obligations in the #cloud as you have anywhere else in your business. For the love of all things – please stop trying to give your cloud provider’s SOC2 report to auditors. It doesn’t address your application practices or 3rd party or incidents. @DigitalSecArch But on the other hand, @Ostendio notes the ability to manipulate SOC 2 scope has led to significant abuse … [making it] difficult to compare audits. Allows orgs to avoid auditing areas that are their weakest link. @benrothke @benrothke makes a very good point. As a Deming fan, you can’t audit in security. It’s either there at design/build time, or it’s not. All the audits in the world can’t stop breaches that are out of scope or happen at the wrong time in the yearly cycle. @CPetersen_CS The final chat question was on how working with a partner can enhance visibility and strengthen security posture. In general, Twitter panelists supported the idea, with some caveats. Most people don’t do their own plumbing or electrical work. They use a trusted partner. So too with the #cloud. Find that trusted partner. But you must know what you need them to do if you want them to do it right. And vet them very, very well. @benrothke Trying to be an expert at everything = knowledge of next to nothing. Find partners you trust. @nyike Finally, Peterson had another interesting take on partnering, followed by the last word from Sacolick, the chat moderator: It’s definitely a way to speed up an org’s “time to competence” in specific areas, but it must come with knowledge transfer commitments and either an acknowledgement that the arrangement is permanent or a time line for the customer to assume responsibility. @CPetersen_CS Good partners execute. Great partners advise their clients. The best partners educate their client’s staff so that they make smarter decisions. @nyike You can check out the full February 2, 2023, discussion at #CIOTechTalk. And learn more about effective cloud migration strategies, visit the NTT Communications website. Related content opinion Website spoofing: risks, threats, and mitigation strategies for CIOs In this article, we take a look at how CIOs can tackle website spoofing attacks and the best ways to prevent them. By Yash Mehta Dec 01, 2023 5 mins CIO Cyberattacks Security opinion Illuminating the black box: why CIOs should consider publishing an annual IT report Publishing an annual IT report allows CIOs to offer visibility into operations and execution through a business value lens. Utilize this formula to reclaim control of your IT narrative. By Michael Bertha and Duke Dyksterhouse Nov 15, 2023 10 mins CIO IT Leadership opinion How the new AI executive order stacks up: B- The executive order represents a step in the pivotal regulation and advancement of AI in the United States. However, it has its challenges and ambiguities, which warrant further scrutiny and refinement. By Rudina Seseri Nov 09, 2023 6 mins Government Artificial Intelligence opinion When least privilege is the most important thing The Principle of Least Privilege is a bedrock of information security. With mobile apps, IoT, the cloud, and AI, it is more important than ever. By Ben Rothke and Alan Lustiger Nov 02, 2023 13 mins Data and Information Security Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe