Well before the onset of the pandemic most organizations had a digital transformation plan in place which included migrating workloads to new modern architectures, usually a private, public, or hybrid cloud. As the challenges caused by COVID-19 became more acute, these organizations accelerated their modernization plans for a myriad of practical reasons.
Let’s say, for example, I want to stand up a kit (or pod) for an application. To accomplish this using a legacy system I would need a combination of servers with software on top of them. I would need a physical kit and would have to provision the hardware, put it in the data center, network it, etc…The process can take a long time. In contrast, it takes about five minutes to spin up new kit in a cloud to support an application – and I don’t need people involved.
With so many people working from home and nobody wanting to fall behind schedule, accelerating migration to the cloud became an easy choice.
In the original plan, these enterprises expected to modernize infrastructure in lockstep with modernizing security. However, when the acceleration started infrastructure leapt forward. In many instances the acceleration was incentivized, making it even harder for security to catch up. Here’s an example. I have a customer that has a modernization project. In his enterprise, every application investment can either go on a legacy platform or on a modern (cloud) platform. There’s a budget for both platforms, but in light of the pressure created by the pandemic, building on the legacy platform would simply take too long. To stick with the accelerated schedule, my customer simply moved the budget from the legacy to the modern platform to support new application development.
Big picture-wise, rapid modernization is good because organizations have adopted cloud faster. The downside is they weren’t ready to bring security along. Modern environments are clearly better for developers, but they aren’t likely to push security concerns to the front. For security people, the modern platform is newer and they’re less familiar with it, so to narrow the security gap they needed to involve additional teams. Security people also require interaction between teams which, while doable, is objectively more difficult. Today, many organizations that accelerated their modernization plan without a corresponding leap in security modernization face a security controls gap, and lack the critical skills required to catch up. To begin closing these gaps in security, controls, compliance, and privacy, security people will need the cooperation of the cloud architecture team to get certain privileges to do what’s necessary.
Data security practices aren’t new, but the platforms are and, thus, the methods are
Organizations face two principal risks. The first is a data leak or data breach that, when you factor in pursuant investigations and remediations can negatively affect an organization for years. The other is non-compliance, which could get an organization a slap on the wrist or a monetary fine designed to remind them that data compliance is a serious thing. Subsequent non-compliance would result in more dire consequences.
To close the security gap after accelerated modernization, an organization must follow minimum data security practices. It starts from the fact that, when organizations move workloads quickly, they often lose track of where their sensitive data resides. To secure sensitive data, it’s important to have a good data catalog, know where copies are, where snapshots may be, etc… Organizations must have access control policies around their sensitive data. They must have audit trails, the ability to run data through forensics if needed, the ability to validate what entitlements are and reduce them, and check for vulnerabilities from a surface area perspective. These aren’t new practices; what’s new are the modern environments. Not everybody knows how to apply these practices to the new environments, though, and this skills deficit is contributing to the ongoing security gap.
Visibility is key to closing the gap after accelerated modernization
Compliance mandates are about visibility and security controls. You must create a foundation layer of visibility into the data because it drives everything else. When you make visibility the priority, more often than not you’ll address most of your compliance requirements. Without sufficient visibility you won’t know where the data is and what’s going on. You won’t be able to mitigate security risks. To establish some level of baseline behavior, you must know the “6 Ws” of your data. Who’s accessing it, what they’re doing with it, why they need it, where they’re accessing it from, when they’re accessing it, and which servers they’re using. Without this information, you can’t create an access control policy.
With true data visibility comes a deluge of information. To avoid alert fatigue and separate out the data to which you must pay attention, you also need robust User and Entity Behavior Analytics (UEBA) and other tools to inform security teams about what activity is truly actionable.
Another part of visibility is classification of data. For privacy regulation compliance, you must have a consistent and scalable way to discover and catalog sensitive data, like employee data or consumer data, and make it ready for responding to subject rights requests. Inability to do this could result in consequences due to not complying with privacy regulations.
A CyberSecurity Framework for Securing Cloud Data for Digital Transformation
Building on the National Institute of Standards and Technology’s (NIST) CyberSecurity framework, this whitepaper proposes a security and compliance framework for cloud data. This comprehensive framework includes:
- The two stages of IT infrastructure during a cloud migration
- Inherent versus obtained DBaaS controls and processes
- An extensive comprehensive look at the compliance and privacy regulations that apply to your data management and security of data
- The steps to establishing the framework in your organization
Download this whitepaper today.
Try Imperva for Free
Protect your business for 30 days on Imperva.