How To Build A Cloud-Only Business Based On Three Core Security Pillars
In mid-March 2020, I had several office visits, all with the same fundamental questions.
“Mark, are we ready?”
“Ready for what?”
“To close the office and work from home.”
“What do we need to do?”
“Close the office and go home.”
It occurred to me at this point that the cloud technologies my company uses are unique compared to the companies many other staff members came from. As a cloud-only company, the pivot to working from home was simple and easy.
Building a cloud-only company is challenging and learning which cloud technologies offer ease of use and robust security can be trial and error. Out of all these technologies, I found three to be critical to the success of becoming a cloud or cloud-only company: identity management, device management, and cloud security posture management platforms.
Whether your organization had to make a fast transition to remote work and now you are looking to revisit your cloud security, or your organization has not yet made the switch, these are the critical pillars my team used to build a secure, cloud-only business.
Three Technologies To Secure The Cloud
1. Identity Management
There are some excellent identity management solutions in the marketplace today. Two-factor/multifactor/password-less support, outstanding auditing, SSO/SAML/LDAPs/RADIUS interfaces, federation capabilities, secure external sharing, and tons of reports and “evidence” designed to help you sail through any compliance audit.
The main challenge in choosing a solution will be picking something that works best with your current technology stack and allows you to make new cloud services available to your employees. Providing a capability to seamlessly turn off your old systems and redirect people to new services, all accessible with their familiar authentication method, is priceless.
If you need to manage and synchronize multiple security realms, a solution that can act as a master identity platform and synchronize account information with the legacy security realms will be an essential factor.
Whether you need to rearchitect what you have or are building something from scratch, my advice is to pick a solution that is easy to audit and manage. At the end of the day, if you cannot keep tabs on stale identities, you are exposing yourself to unnecessary security risks and wasting cash on time and resources.
2. Unified Endpoint Management
One of my biggest challenges was finding a cloud-friendly, cross-platform, device management solution. I spent hours explaining that I did not have Active Directory and would not set it up so that I could take advantage of all the features of the solution I was being pitched.
I was genuinely amazed at the shortcomings of what looked to be so many promising MDM solutions. Key criteria for me included:
• Must work with my identity management system.
• Feature parity between macOS and Windows 10.
• Native compliance and configuration profiles for macOS and Windows 10.
• Software deployment and management, including patching and upgrades.
• Decent telemetry, inventory, and compliance reporting (for my auditor).
I had a few starts and stops with various solutions before settling in on a winner. The effort put in has been well worth it. If you have not reviewed what you are doing for device management in the last nine months, I recommend you kick the tires of some competitors in the marketplace to see what they can offer.
Do not hang your hat on the major analyst reviews for your shortlist. Many competent players have not paid to get on an analyst’s leaderboard but are still worth a look.
Even if you think your company will never be a cloud-only company, having a device management solution that can keep track (and control) of a device no matter where in the world it ends up is extremely valuable.
3. Cloud Workload Protection
There is a cloud microservice for just about every on-premises service you can think of. However, you do not manage and secure both the same way. If you attempt to manage and secure your cloud environments like your colo or data center, you are going to double your budgets and staff.
Cloud security posture management (CSPM) solutions are a must-have for anyone deploying services from Azure, AWS, or GCP. Whether you are new to cloud services or consider yourself a veteran, having a CSPM solution is a lifesaver.
Oversharing a resource on the internet can be the result of inexperience, lack of awareness, default microservice behavior or prepackaged image deployments. The consequences of the oversharing can be disastrous to a business, whether it is data exposure or giving a threat actor a foothold in your cloud environment.
Most CSPM solutions come with out-of-the-box security profiles for all the major cloud platforms. Some even have enforcement capabilities. Think you are going to make your S3 bucket world-readable? Enforcement policies can remove any insecure configuration not approved by an administrator.
High-level controls your CSPM should cover are:
• Infrastructure hardening, configuration, and vulnerability management.
• Networking protections and visibility of communication flows.
• Compliance profiles with discovery and detection.
• Automated policy enforcement.
• Reporting and remediation.
Head To The Cloud (Securely)
Whether you are just starting the journey to the cloud or are already there, reviewing these foundational pillars can help you secure your current infrastructure and remove friction from pivoting workloads from on-premises to the cloud or even shifting workloads between clouds.
I loved managing “blinky lights and spinning disks,” but I certainly do not miss it. Managed correctly, IT can lower costs, improve security, and drive more value back into the business by moving workloads into the cloud.
Remember, do not manage your cloud platform the same as your data center, and focus on identity management, endpoint management and cloud workload protection. If you keep these basics in mind, you should be set up for success.