Applying these five considerations will make for a more successful path to cloud security.
Cloud computing promises significant cost savings and more streamlined management of mission-critical information technology, data processing and storage needs. But is it secure?
Vibrant Credit Union (VCU), a Midwestern-based, full-service financial services credit union that offers both online services and storefront branches, continues to grow its footprint in the cloud. As its needs grow, so does its emphasis on security. Steve McAtee, Vibrant’s CIO, has been tasked with migrating securely to the cloud without inflating the credit union’s IT budget. Like most well-managed organizations, Vibrant relentlessly pursues a strategy of doing more without increasing costs, and avoiding any compromise in its security posture.
McAtee has actually found ways to improve his company’s security capabilities by automating its cloud security and continuously monitoring its Amazon Web Services (AWS) environment for vulnerabilities. Additionally, the company has been able to use this new, continuous approach to eliminate the pain of annual regulatory compliance audits.
Their successful path to cloud security has revealed five key learnings which can help frame the journey for others. With these considerations, you can begin to assess your aptitude and fortitude for making the move while remaining secure and compliant:
1. The speed factor
Moving to the cloud has enabled VCU to spin up resources and shut them down dynamically on an on-demand basis. The elasticity of cloud computing enables continuous development, allowing you to release software as rapidly as you can. But be warned: the speed of continuous development will increase the volume of vulnerabilities in your environment if it’s not well aligned with the security practices of your organization.
2. The cost factor
The advent of the cloud will forever change the landscape of the IT budget. No longer are you responsible for housing, powering, and maintaining a farm of depreciating hardware assets. Vibrant was able to convert the capital expense associated with provisioning data centers into a more flexible consumption-based operating expense. You’re no longer tied down to physical data centers, but rather are able to move elastically in the cloud based on the needs of the business.
3. The security factor
While it is true that it’s easier to rebuild servers in the cloud, it’s much more painful to do so if you haven’t properly protected your data. The speed and agility of the cloud work to the hackers’ advantage because in the cloud, more of your data is moved, processed, stored and accessed globally (including by mobile devices). This increases the data’s vulnerability to a security breach and the corresponding adverse legal, regulatory and business consequences.
Automated attacks run 24/7/365, waiting to find vulnerabilities that give them a way in. Attackers are doing things in a programmatic fashion. Vibrant found that automation is great for detecting and exploiting risk, but you also need to be armed with automation and visibility so you can identify vulnerabilities before an attacker leveraging automation can detect them.
4. The compliance factor
Migrating to the cloud does not relieve an organization of its legal and regulatory responsibility for the data that is put into the cloud. In fact, moving to the cloud now comes with its own collection of industry-specific laws, regulations and compliance standards.
Compliance with these regulations is imperative. Failure to comply will result in administrative orders and penalties with the potential to damage your business and brand reputation. While some framework controls are met by the cloud providers themselves, you need to be able to validate and prove that security standards are met. Even with a small cloud environment, manual monitoring would be extremely burdensome, if not impossible. Many organizations combine the skills of their compliance and security experts into one team. Those teams are supported by security automation tools like the Evident Security Platform (ESP), which can continuously monitor and manage the security and compliance risks and vulnerabilities in an Amazon Web Services (AWS) environment.
5. The automation factor
Manually auditing your cloud infrastructure can consume several hours, even weeks, of your most valuable resources: your security experts. Adding up all the discovery, auditing, remediation, and training time required to deploy protection for cloud accounts without leveraging automation equates to losing at least one staff member to these activities. And that’s just to maintain the existing security state. If you wish to move the ball forward and further implement advanced security controls or compliance frameworks, you can expect to consume up to 3 full-time bodies just to achieve baseline security practice.
These were all motivating factors in Vibrant Credit Union’s own move to continuous monitoring and continuous compliance in the cloud. Operating in the cloud brings a different reality than what you may have worried about just a few years ago, when the worry was that the introduction of the cloud and the use of cloud services in the supply chain would actually increase security vulnerabilities. Steve and his team had to move to the cloud to enforce compliance and security policy, and instead of this causing a security problem, the move has helped them, with a small staff and limited resources, leverage security automation and improve how the security team gets things done.