The pandemic caused many organizations to shift from on-prem to the Cloud, opening a slew of challenges, most importantly securing the Cloud. Chris Abramson, Senior Director of Cloud Security Engineering at Walgreens, and 20-year IT industry veteran shares what he learned from shifting from on-prem to Microsoft’s Azure Cloud on this week’s Reimagining Cyber episode, “Journey to securing the Cloud.”
Shift your Strategy
First and foremost, Abramson recommends adapting your strategy to your new environment. In on-prem, it’s all about firewalls and technology that’s wrapped around an environment, but in the Cloud, it’s how things communicate with each other, he cautions. By changing your thought process about how to work in this new environment, you’ll be able to better secure it.
When changing IT infrastructures, security can get lost in the shuffle. To mitigate this, Abramson worked in lockstep with his Cloud Center of Excellence (COE), building security directly into the deployment model.
“So, as our teams, whether it be an infrastructure team or even an application team, go to do that deployment, they're hitting the gates of security,” he says. “Not at the end, not after everything's deployed.”
Security issues aren’t being discovered after the fact. Teams hit them as they come upon them, enabling them to make changes on the fly and deploy the appropriate fixes with the least amount of security risk in the environment.
Learn from Others’ Mistakes
By checking out industry forums and CVE data on vulnerabilities in the Cloud that have been made public, learning from peers that have already been through it is key. This enables companies to bake the correct actions into the new Cloud environment.
Work as a Team
Abramson recommends working in lockstep with other teams, for example, deployment teams and security, to prevent any issues and enable reacting quickly when something happens.
“This is one that fundamentally, really takes a lot of interaction between development teams and the security teams [to] make sure that they're thinking about what the impact is going to be if they pull from some rogue repository or just, you know, off the internet and things like that,” Abramson says.
As the Cloud space evolves, so will the software development, deployment, and security space to adapt to the ever-changing Cloud environment.
Securing the Supply Chain in the Cloud – the Russian Doll Syndrome
Many companies purchase software from a third party, embed it into their software, which gets embedded into yet another software. Enter the Russian Doll Syndrome.
“[You’ve] got to think about software that you're buying from a third party. That now also embedded software from another third party, that likely embeds software from another third party. That's the Russian Doll Syndrome.”
Abramson recommends considering how you’re connecting and the level of software integration to determine the level of risk. He also recommends implementing a strong vendor management program.
“Talking with your partners, understanding their security practices, what they're doing, and how they're managing their code, their releases, their ingest of those same platforms, or same libraries, or same third-party integrations as well, too, [is helpful],” he says.
“If You Can Encrypt the Data, Encrypt It.”
Encrypting data offers its own challenges and isn’t always possible, but where it can be done, Abramson wholeheartedly recommends doing it.
“Wrapping environments in a model that doesn't allow access to, or very limited access to, it's kind of, I'll call it the vaulted environment, you know, the no ability to touch, change, maneuver through or ingress or egress without somebody watching you do it. That stuff, it's expensive, and it's highly operational because there's a lot of eyeballs having to do that.”
Encryption is the quickest and easiest way to protect your data, Abramson says.
Abramson recommends partnering closely with the business and IT sides of the house to determine the best way to protect sensitive workloads shifting to the cloud and mitigating data exposure and privacy compliance risks. Sometimes, encryption just isn’t an option. In these cases, Abramson recommends bringing your own encryption keys and avoid reliance on key services provided by Cloud Service Providers (CSPs).
Shifting to the Cloud can be daunting. Hopefully, this week’s episode has provided some helpful tips. Have you put any of these recommendations into practice? What other tips do you have?
CyberRes is a Micro Focus line of business focused on helping companies protect, detect, and evolve their security framework and helping organizations become more cyber resilient. To learn more, visit CyberRes.com.