With Raymond Du Plessis and Sven Muller from Mobius Consulting.
Many large financial services companies with broad customer bases are moving to the cloud for improved accessibility, scalability, cost-effectiveness and new cloud based customer apps. However, this modernisation shift comes with its own set of challenges.
Mobius Consulting has worked closely with companies in this sector to help these large corporates migrate to the cloud, while ensuring that they have all of the essential security controls in place. Our experience with cloud security has highlighted that the most common challenges faced fall into 4 areas:
- Responsibilities: a lack of understanding of security responsibilities required by the organisation and key players when moving to the cloud.
- Control gaps: the perception that the cloud will provide for all security controls required right out of the box.
- Organisational readiness: a failure to ensure that the organisation is ready to migrate to the cloud from a security skills and support perspective.
- Leveraging cloud security: missed opportunities to make use of cloud security to address compliance and business requirements.
Mobius Consulting focuses on solving cloud migration challenges and not just pointing out the gaps. Emphasising security controls in the cloud early and often will demonstrate how seriously the organisation takes security, and to what extent the organisation uses the many advantages that come along with cloud security.
1. The Shared Responsibility Model
According to Gartner, through 2025, 99% of cloud security failures will be the customer’s fault. One of the main contributing factors for security breaches is a lack of understanding of what security controls the customer is responsible for, and what controls the cloud provider is responsible for.
The shared-responsibility relationship is manifested into a contract of agreement between the corporate customer, the cloud provider and sometimes a managed services provider.
“Each party takes on a certain amount of responsibility and while it is essential, it also takes time to fully understand this level of responsibility,” says Raymond Du Plessis, Senior Managing Consultant of Mobius Consulting. Irrespective if the customer is using Infrastructure as a Service, or Software as a Service, they are ultimately responsible for the data and who has access to that data.
Another factor to consider is compliance obligations and responsibilities. Whilst cloud is often more secure than on-premise solutions, for example cloud service providers are audited regularly and are in many cases already compliant to, this does not mean that the customer is automatically compliant as well.
The corporate customer is still responsible for ensuring they are compliant. It is important to assign responsibilities for security compliance and have a set of standards that the customer can measure themselves against.
2. Identify Control Gaps
It is important to ensure all security measures that are working on-premise will function properly in the cloud as well. These controls need to be checked on a detailed level with the same or better benchmark standards than those applied to locally hosted applications.
Gap assessments and a well-defined security architecture can assist with identifying control gaps and managing the following before migrating to the cloud:
- Comparing what you have on premise from the various technology domains vs what would you like to see in the cloud
- Consider all available cloud native security tools as well as 3rd party security integrations
- Compare not only the security capabilities and technologies, but also how applicable these are to the particular requirements for ongoing governance, process & support aspects.
By highlighting gaps at an early stage, the company will be able to allocate the right resources at the right time and ensure security maturity of your cloud space. Keep in mind that allocating resources efficiently comes with a variety of security management benefits, including:
- A reduction in security technology costs
- More effective use of resources
- Higher return on investment
3. Organisational Readiness
Cloud security organisational readiness can be broken up into 3 main streams:
- People Stream
- Process Stream
- Technology Stream
a. The People Stream
“Cloud is the new way of thinking, and we have realised that there is a massive skills gap. Is the organisation equipped for this transition from an information security perspective?” says Raymond.
Cloud migration will require both a technical and cultural shift within the organisation. We have noticed that the biggest challenge in the organisation is people that are not ready for the transformation. Companies may be quick to implement their migration plan, but employees often bottleneck the entire process. This can be resolved by up-skilling relevant employees that have the hunger to learn, or hiring people with the right skills prior to the infrastructure migration to the cloud.
b. The Process Stream
Security procedures are essential and those responsible should be trained how to apply them in the cloud space. For example, security incident management processes are different when systems are in the cloud. Other critical processes include redefining patch management, disaster recovery processes and change management.
“All of these areas need to be revised to ensure that they are applicable in the new world and companies fall short without testing these new processes first,” says Raymond.
Adapting existing procedures can prove an overwhelming task, and often an experienced migration partner is brought in to assist with this.
c. The Technology Stream
Moving an application to cloud can make a company vulnerable as it may not yet be completely configured or suitable for cloud migration. It is important to ensure that applications that are being migrated to the cloud can maintain the required levels of confidentiality, integrity and availability. Technology readiness is often overlooked .
4. Leveraging Cloud Security
The set of security features, controls and services that are available in the cloud is already impressive and growing better all the time. Making use of all the available security capabilities in the cloud can provide for a far more secure infrastructure than on-premise solutions.
We can build a cloud native service that will provide a centralised view on all security components within the cloud, whether it is vulnerability or access findings, we will be able to locate the root cause automatically.
“Security needs to keep up with the needs of business for the competitive advantage of speed to market,” says Sven Muller, Consultant for Mobius Consulting. “With security compliance you have to automate as much as possible, to keep up with the momentum.”
Automating security and compliance includes using a dashboard for compliance management instead of a manual checklist. A dashboard can instantly tell you about your compliance status and alert you whenever there is a problem, allowing the remediation of misconfigurations and non-compliance to be almost instantaneous.
“Automated compliance provides security guardrails to ensure organisational policy compliance and control, while still giving application development teams the freedom they need, which in turn enables business agility,” says Sven.
As IT modernisation and the adoption of cloud increases, the ‘configuration drift’ between the current state of company resources and their intended state becomes bigger over time. Cloud native software development, coupling of development and delivery, application teams operating their own infrastructure, rapid provisioning of infrastructure, micro-services, etc. all contribute to this phenomenon. Add to this the agility and scalability the cloud has to offer and you can see why governance and compliance teams are facing monumental challenges.
“Adapting to keep up with the speed of change, whilst remaining compliant, is the biggest challenge,” says Sven. “Speed of governance is fundamentally important if companies in the financial industry wish to leverage the on-demand self-service, scalability and agility characteristics that cloud has to offer.”
Follow this link and take a FREE online information security maturity assessment.