migrating to cloud? - pwc · prioritize cloud migration and automation. traditionally, some of the...
TRANSCRIPT
Migrating to Cloud? Know, if you are ready? 5 motivations and 10 key security architecture considerations towards your cloud migration strategy
Content
Abstract 3
Strategic Alignment 5
Security Management and Governance 5
Managed Business Continuity and Disaster Recovery 5
Access plane is the new logical perimeter 6
Automation 7
10 key security architecture considerations towards your cloud migration strategy:
Division of Responsibility and SLAs ................................8
Multi-tenancy .................................................................9
DataclassificationandManagement ..............................8
Encryption and Key Management ..................................9
Monitoring and Reporting ..............................................9
Access Management ..................................................... 10
Business Continuity and Disaster Recovery .................. 10
Risk Assessment ............................................................ 11
Change Management ...................................................12
Security-as-a-Service ....................................................12
References 14
2
Migrating to cloud can be a daunting and an inevitable challenge that you may need to take on sooner rather than later or may already find yourself amidst.
Whether you are an executive, in management or a leader, and are wondering
• if your business strategy should include a cloud migration strategy or
• how to embark upon the journey of migrating to cloud with security considerations in place, then this article will provide you with some insights and would hopefully serve as your companion through this journey.
Monica Verma Senior Manager Risk Advisory Services - PwC Norway
3
By 2020, a Corporate “No-Cloud” Policy Will Be as Rare as a “No-Internet” Policy Is Today [1] .
According to Gartner’s 2018 study, the total cloud computing market is to almost double by 2021 from $153.5 billion in 2017 [2]. Additionally, Forrester predicts that at least 50% of enterprises worldwide will adopt public cloud services for their businesses and to compete for customers. [3] .
The above predictions will not come across as a surprise to you. With the ever increasing adoption of cloud technologies, more and more organizations are modifying their business strategy to include and prioritize cloud migration and automation. Traditionally, some of the most important reasons fororganizations to move to cloud have been:1. Cost reduction2. Scalability3. Increased availability
5 motivations and 10 key security architecture considerations towards your cloud migration strategy
As technology has advanced, the adoption of cloud has also expanded the cyber threat horizon. The inclusion of various heterogeneous components adds to the complexity and intricacy of managinginformation security within cloud.
The following are a few examples of components that add heterogeneity to the cloud infrastructure: a) Various services (SaaS, PaaS, IaaS) from multiple vendors b) Various networked and interconnected devices, referred to as Internet of Things (IoTs) [4] c) Multiple identities spread across these heterogeneous services and devices
4
Inthisarticle,wewillfirstlookatthefundamentalaspects that build a sound foundation and business case for migrating to cloud. Furthermore, we will go deeper into some of the best practices foranefficientcloudadoptionandmigrationstrategy, and a secure cloud architecture design.
BeforeIgointodetails,let’sbrieflylookattheseimportant questions: ”Why do we want to adopt cloud technology? Are there any other reasons apart from the traditional: cost reduction, scalability and increased availability?
Thesearegoodbutdotheyprovidesufficientbusiness case for our organization to change our business strategy?” With the expansion of the threat landscape, and with more stringent compliance, legal and regulatory (e.g. GDPR) requirements coming into play, we see an ever increasing number of considerations, now more than ever, that affect the decision to adopt and implement a cloud strategy. The following are some key points that must be considered and can drive a business strategy towards the cloud:
Strategic Alignment As with any project initiative, one must ask, whether the project strategy is in alignment with the business strategy? What are the overall (security) objectives for migrating to cloud? Are they aligned with the business goals and business objectives/OKRs [5]?It is vital to establish the governing security objectives and principles for the migration. An exercise must be conducted in order to map these to business objectives. This supports not only the business case for the migration but also for investing into security when moving to cloud. Management approval and support has always been a key consideration for any security managementprogramandthisisnodifferentforbusiness-efficientandsecurecloudmigrations.
Security Management and Governance
With the adoption of cloud, security is a shared responsibility between the Cloud Service Providers (CSPs) and the consumers e.g. a business organization. Additionally, cloud vendors providevariousoptionsforsecurityconfigurationfortheconsumers,alongwitharecommendedbest practice baseline to begin with. This is contrary to the way sales were done historically, wherethedefaultconfigurationforproductsordevicesmostlyentailedadisclaimertohavethesettingschangedandconfigurationhardeneduponthefirstset-upe.g.changeadmin-admincombination on your router, software web shop, etc.Most of the big cloud service providers such as Microsoft, Amazon, Google provide detailed information on their respective shared responsibility model [6][7] .
Managed Business Continuity and Disaster Recovery
Although a 100% availability cannot be guaranteed, business continuity and operational uptime is critical to every business. Disaster recovery plays a key role in business continuity. Additionally, with the ever increasing threat of ransomware [8] , business as usual & always can come to acompletehaltwithoutproperdisasterrecoveryplansinplace.Notonlyaretherefinancialrisks associated with downtime, but there are added reputational risks and operational costs involved. Although, the underlying concept and process for designing Business Continuity Plans (BCPs) and Disaster Recovery Plans (DRPs) remain fundamentally the same (e.g. a risk-based andbusiness-criticality-basedapproachtodefiningRecoveryPointObjectives[9]andRecoveryTime Objectives [10] ), cloud technology can provide a better and more scalable management of the business critical assets and operations. The disaster recovery delivery model by the CSPs can vary from a light-pilot recovery site to hot-standby infrastructures. Additionally, with adoption of cloud, cost effectiveness is another major advantage for business continuity, since the Total Cost of Ownership (TCO) is reduced.
1
2
3
5
We have seen evolution in network security products for over a decade. However, today, we see that the meaning of the term perimeter has become morefluid.Accessisthenewlogicalperimeterandformsakeyconceptwithregardstodefiningand defending perimeter today, particularly in a cloud infrastructure due concepts such as shared data-usage or multi-tenancy.
At the same time, we have seen a multitude of data breaches over the last decade [11] , e.g. AshleyMadison, Yahoo, Verizon, Equifax, to name a few. This is of particular importance, when the dataextracted is sensitive personal data and can be used to steal or impersonate identity. With studiesshowing that corporate breaches increase the probability of identity theft [12] , the management of identity becomes more vital.
Today, we see that identity is a critical component, andinsufficientauthenticationormisconfiguredaccess management one of the key factors for losing consumer trust [13] . Additionally, due to technological advancements such as Bring Your Own Device (BYOD) [14] , Internet of Things [4] , Blockchain [15] , etc. and adoption of cloud, it’s not only required to manage identity cross-functional within an organization, however, identity also needs to be managed cross-platform, cross-technology and cross-infrastructure. The good news is, although there are many IAM tools out there, we are seeing a shift in the adoption of IAM as a Service (IDaaS).
By 2020, 40% of identity and access management (IAM) purchases will use the IDaaS delivery model - up from less than 20% in 2016 [16] .
4 Access plane is the new logical perimeter
6
To err is human. Humans have been one of the weakest
links of the cyber security chain.
Automation5To err is human. Humans have been one of the weakest links of the cyber security chain. Although automation is relevant for on-premise architectures as well, however, cloud technology requires and demands deployment and changes within the infrastructure and production cycle to be more rapid, agile and granular, making automation all the more critical. There is also the added factor of DevOps. The DevOps team are constantly
looking into more agile development models whilst ensuring security, accuracy and shorter development cycles [17] . DevOps teams are increasingly adopting cloud services for the above reasons. Whether DevOps, infrastructure or architectural changes, automation ensures that concept, functionality and changes are deployed without affecting speed, accuracy and security.
7
1. Division of Responsibility and SLAs
What is your responsibility and what is the provider’s? What are the responsibilities that your cloud service provider offers to manage for you? This pertains not only to the division in terms of managing the OSI ISO layers but also and more importantly in terms of security and privacy respon-sibilities at various layers. It is vital that there is a clear understanding of the division of responsibi-lities and the cloud service provider security model. Additionally, it is important to understand and document, what Service Level Agreements (SLAs) would exist with the cloud service providers in case
of a cyberattack affecting availability, integrity and confidentiality(lossofdata).Thisisalsoparticularlyrelevant in case of managed security services such as incident handling, vulnerability management, threat and risk monitoring, etc. It is vital that there are proper contractual clauses in place for the SLAs and the cloud service provider’s management of risks. All major cloud service providers such as Microsoft, Amazon and Google provide detailed information on their shared responsibilities and security models [6][7] .
10 key security architecture considerations towards your cloud migration strategy
So far we looked into some important factors that provide motivations and business case for adopting cloud technology. Let’s say, we now understand the fundamentals, and have a business case in place, for ourorganizationandthebusinesstobenefitfromgoingtocloud.Basedonthefactorsdiscussedabove,your organization and decision makers need to ask, ”We have a business case but are we ready to migrate into public cloud, whether partially or completely? What are the vital steps of the migration strategy?” We will now build upon the above key deciding factors and look into the top 10 key areas for designing a security architecture for cloud migration. Below are key considerations and some of the security best practices towards your cloud migration strategy, and helping you design a secure architecture for yourcloud environment:
8
What risks does multi-tenancy pose for your organization and how would it affect your cloud architecture? Multi-tenancy can exist in any cloud service model. A SaaS, a PaaS or equaivalently an IaaS service could be shared between multiple tenants. Multi-tenancy, although a key cost benefactor, introduces various security issues such as inadequate logical segrations between various tenants,dataleakage,insufficientdataseparation,single point of failure of services for all tenants, etc.
Different CSPs might be multi-tenant at different layers [18] e.g. one CSP might be multi-tenant at the hardware level and share a virtual machine with its subscribers and another might be multi-tenant at the database level and share the a database between its subscribers. Hence, it is vital to understand, before you go to cloud, how does your service provider handle multi-tenancy [19][20][21] .
2. Multi-tenancy
Data management is another key deciding factor for the migration strategy you adopt. What kind of data will be handled and processed in the cloud, has the dataalreadybeenclassifiede.g.SensitivePII,PII,confidential,etc.,wherewillitbestored(geo-lo-cationoftheservers),howisthedataflowing,howis it handled both when stored and when in transit, where is your DC actually located? You need to think about data management in terms of critical business processes, security, compliance, performance/latency, repercussions in case of data loss, and other risks involved e.g. how would you ensure privacy of customer data, and compliance to legal and
regulatory requirements. Is there a data lifecycle management process within the organization? Will there be a Data Loss Prevention (DLP) solution in your cloud infrastructure? With new and more stringent regulations such as GDPR and the recent Cambridge Analytica (CA) scandal [22] , transparency on data processing policies and data management lifecycle is all the more critical to business and operations. A transparent understanding and processes in place fordataflow,datahandlingandseamlessdataintegration in cloud can go a long way to prevent reputational loss or in case of a data leak, severe financialpenalties.
3. Data classification and Management
9
4. Encryption and Key Management
5. Monitoring and Reporting
There are various reasons why encryption and key management might play an important role in yourcloud strategy such as key vaults for managing secrets andkeys,encryptionofspecificdata,encryptionofentire virtual machines, etc. Furthermore, you must consider, where and how will the keys be stored? How will they be managed?Data segregation, and secure storage and management of data is critical to a public cloud environment especially due to multi-tenancy and particularly for the organizations where data breach is not only one of the biggestoperationalrisks,butcouldalsosignificantlydamage the reputation and customer trust. Majority of the multi-tenant cloud applications provide data encryption and key management features for their customers, however, for other IaaS and PaaS services the overall data governance, data security
and key management should be owned by the tenant, particularly where data loss is a great reputational risk. The organization must look into classifying data that is stored in the cloud in any form of IaaS, PaaS orSaaSmodel,andbasedupontheconfidentialityand sensitivity level establish the requirements for encryption. Another reason for encryption of data might be legal and regulatory requirements in the geographic location where the data is stored or processed. Additionally, key management is vital to provide data security. A lock doesn’t help protect the asset if the key is left in the lock or if there are multiple copies of the key laying around without proper management of the ownership, access and permission.
Logging, auditing and monitoring capabilities are as critical in cloud as on-premise. There are variousthird party solutions that provide managed monitoring and incident response services. The key deciding factors in assessing and engaging such services for your cloud environment are automation, auditing and reporting capabilities, timeliness and accuracy. There are also some challenges [23] that monitoring within the cloud environment entails. One is visibility at various levels across the cloud infrastructure. Similar to a layered approach for security defense, there is a need for a layered approach towards monitoring including IoT, network layer, physical servers, virtual OS layer, identity layer, access layer, etc. Another challenge is dynamicity and virtualization of resources within cloud. One must understand how do monitoring (SIEM) solutions
handle such technical challenges for monitoring when a machine is spun down and back up at any instance. There are various models for third-party (managed) monitoring services. For example, you could choosean on-premise MSSP that takes into account and analyzes cloud SIEM reports, or you might prefer a fully cloud-based SOC or, as a yet other option, you might choose to go with a hybrid version. These are the considerations one needs to make There are various providers that offer different versions of integration and MSS [24] as their delivery models. It is important to understand which MSS model suits your organizational and business needs the best.
10
Identity and Access Management (IAM) has been gaining more and more attention in the last years.Access is the new logical perimeter and identity a critical and valuable asset. Amongst all the securityarchitecture considerations, in my opinion, IAM is one of the the most critical security areas and can becomplicated to implement correctly and securely. With cloud technology, we don’t only need to manageidentities, accounts and accesses but also:
1. manage the context and the logical relationships between them and2. manage these across various platforms, infrastructure, third party integrations within the cloud environment. IAM as a Service (IDaaS) [25] and Cloud Access Security Broker (CASB) [26] are the latest trends. By 2020, use of IDaaS delivery model is predicted to increase from less than 20% up to 40% [16] . Additionally, 60% of large enterprises will use a CASB to govern cloud services by 2020, up from less than 10% in 2017 [27] .
While IDaaS is a cloud service that provides management of identity and access including IAMgovernance and monitoring, CASBs serve as an access broker between the cloud service provider and itsconsumers, and provides more than just IAM and identity governance. A CASBs capabilities are spreadacross four pillars: Visibility, Compliance, Data Security and Threat Management [27] . Different IDaaS and CASB solutions from different vendors provide different capabilities.
As far as IAM is concerned, one should assess the vendors and design an architecture reference model,in terms of capabilities such as:
While, IDaaS could be a lightweight and homogenous solution for your IAM, at the same time, CASBs canprovide a one-stop-shop for more security capabilities and get your money’s worth in a broader aspect.However, this trend could very well change.
1. JML (Joiners, Movers, Leavers) cycle and access request management - this is very basic and any average to good IAM tool should provide this
2.Accessrecertificationandrole-engineering3. Identity governance, monitoring and auditing4. Identity-based, conditional-based and behavior-based login and alerts5.Approvalworkflows6. Identity Analytics - analysis and discovery of access violations in order to help reduce risk7. Privileged Access Management8. Identity and context awareness across your cloud environment, etc.
6. Access Management
7. Business Continuity and Disaster Recovery
What does your Business Continuity Plan (BCP) and Disaster Recovery (DR) strategy look like? What do you do in case the recovery sites also get affected due to being located in same region or just because multiple regions of the CSP get affected by a cyberattack? Redundancy is still the key here. One approach is to have separate providers, one for BAU and a separate one for BC and DR sites. Another option could be to still use a variant of a hybrid model and use on-premise infrastructure in
case of a complete cloud service fail. The biggest disadvantage of later is latency and continuously incurring on-premise infrastructure costs even when you are mostly operating in cloud, defeating one oftheobjectivesofmigratingtocloudinthefirstplace. Another important aspect in determining the cloud based DR strategy is the legal and regulatory requirements of the DR region and geographic location.
11
Management of and investment in information security almost always boils down to managing business risks within the organization. One critical question that a CISO or CTO should ask is, ”how can I manage information and IT risks to help the management achieve their business goals while keeping the risks below the acceptable level”. Similarly, one question that the CEO, the management or the board should be invested in is, ”how can we ensurethatinformationandITrisksdonotaffecttheoverallbusinessriskprofilenegatively,understandwherethe enterprise risks could be business opportunities and ensure that the overall risks are kept below an acceptable level”.Thefollowingarethekeycomponentsofanefficientcloudmigrationriskmanagementstrategy.Pleasenote, the below aren’t components of risk management within cloud itself. However, they encapsulate the risk management framework prior to or while migrating to cloud.
a) Management Support
Do you have the business case for migrating to cloud?WediscussedthisbrieflyinPart1ofthisblog series. There should ideally be a business case that is approved by the management before your start with the migration project and implemen-tation. Similar to security projects in general, management buy-in is the most important and critical factors for success of a cloud migration projectanddevelopmentofanefficientstrategy.It is vital that objectives of the cloud migration project are aligned with the business goals. There must be a business and project risk management workshop prior to kick off the migration project, to ensure the migration strategy and plan is aligned with the business requirements.
b) Procurement and Vendor lock-in
Procurement can be a hassle particularly with respect to time and compliance. Hence, it is asmart idea to have procurement team on board, andhavethepotentialvendorsfilloutnecessaryinformation relevant for the cloud migration that is validated and approved by the procurement and the legal department. This assessment, among otherthings,shouldincludeverificationtowards:
1. Know your provider2. Pricing and business objectives3. Data governance and handling procedures4. Standardsandcertificationsadherence5. SLAs, service terms and delivery6. Security incident handling procedures7. Reliability and disaster recovery8. Support for migration to another CSP and exit planning to prevent vendor lock-in
c) Business Disruptions during Migration
In order to ensure a smooth migration to cloud, it is important that migration risks and business disruption risks are assessed and prepared for. It is important to manage and reduce risks due to changes to the production infrastructure and ensure minimal disruption to the business. The strategy used for migration depends a lot on what kind of migration is being done e.g. lift and shift, duplicating instances in the cloud, hybrid infrastructure, or adding new services to cloud, etc. In case of heavy migrations there might be a need for disaster recovery in place to spin up critical business services in case of a failure. In other cases, it might be necessary to make sure these migrations are done during non-operational window and so on.
d) Application and Data Risk Assessment
In order to design a secure architecture with the right controls in place for the business applications and data that are to be moved to the cloud, it is necessary that a risk assessment is done for each busines critical application or any application that processes sensitive PII or business critical data. Additionally, it is important do a risk assessment on how the data will be handled and processed by the third party service providers in the cloud. The security baseline for these application in the cloud should be at least as secure as on premise and for the better part of it, hopefully moresecurelyconfigured.Otherformsorsecurityassessments, reviews, pentesting, etc. could be part of this phase. Business impact, security assessment and risk assessment at this stage can also provide you the facts and details on whether you can migrate to public cloud or would you need a private or a hybrid model.Forexample,somefinancialorganizationsmight require critical banking and transaction systems to be migrated to private cloud only due to the criticality of the system and to maintain the confidentialityandintegrityofthetransactions.
8. Risk Assessment
12
Having invested a lot in security within your on-premise infrastructure, a vital question to consider might be, how do I migrate not only the applications from an on-premise infrastructure to cloud but also the critical security tools.
9. Change Management
10. Security-as-a-Service
Change management is vital before, during and after migration. This factor cannot be emphasized enough. Changes within cloud environment can happen at a much granular level and in a much faster cycle than on-premise. A good change management process, consisting of what to document, when and how to raise a Request For Change (RFC), the role and responsibility of the
change management team, among other factors, is extremely vital for good governance and security within cloud. Additionally, it brings issues into view at an earlier stage, making the transition and adoption of cloud services a much smoother experience for the organization.
There are pros and cons to each. Lift-and-shift of the existing tools might be the fastest and cheapestoption but comes at the cost of the tools not being efficientandeffectiveastheyaren’ttailoredtowardsthe cloud environment. Added concern is that of shadow IT systems. One needs to ask: Whether and how do these tools cover these systems?In certain cases, the vendors might be able to provide you an upgrade and cloud compatible (SaaS)solutions for the same tool giving you the advantage of tool familiarity however still providing coverage towards all kinds of systems and applications within cloud including IoT devices and shadow IT systems. However, this would still mean managing and maintaining numerous amounts of security and monitoring tools within the cloud environment along with managing and maintaining numerous vendor relationships for different aspects of security services that they offer. An alternative to this might be deploying CASB solutions that provide multiple security services suitable for and aligned to your
business needs.There is a third option of utilizing Security-as-a-Service (SECaaS) originating from theSoftware-as-a-Service (SaaS) model. SECaaS providersnotonlydeliversecuritytoolsspecificallydesigned for the cloud environment but also provide configuration,maintenance,managementservicestowards your risk appetite. According to the Cloud Security Alliance there are 12 categories of SECaaS [28] .Apart from having a managed service in cloud, SECaaS provides the added advantage that manyvendors provide multiple categories of SECaaS, thereby, reducing investment & operational costs, vendor relationship management whilst adding coherentandunifiedgovernanceofsecurityforyour business. The downside, as with any form of outsourcing, is that transfer of risk does not remove the business’ liability and accountability.
There are three basic options, at least:
1. Do I run the existing security tools and do a lift-and-shift?2. Do I procure a cloud version of the tool?3. Do I use and deploy a Security-as-a-Service?
13
There isn’t a silver bullet to the security considerations and the approach for your cloud migration strategy however, I hope, thisarticlewillprovideyouasolidfoundationfordefininganefficientstrategy,asecurearchitecturedesignforyourcloudenvironment and help you tailor it towards your business strategy and business needs.
No silver bullet
14
[1] https://www.gartner.com/newsroom/id/3354117
[2] https://www.gartner.com/newsroom/id/3871416
[3] https://www.forrester.com/report/Predictions+2018+Cloud+Computing+Accelerates+Enterprise+Transformation+Everywhere/-/E-RES139611
[4] https://en.wikipedia.org/wiki/Internet_of_things
[5] https://en.wikipedia.org/wiki/OKR [6] Microsoft’s Shared Responsibilities for Cloud Computing, April 2017, v2.0
[7] https://cloudacademy.com/blog/aws-shared-responsibility-model-security/ [8] https://www.csoonline.com/article/3262972/ransomware/8-hot-cyber-security-trends-and-4-going-cold.html
[9] https://en.wikipedia.org/wiki/Recovery_point_objective
[10] https://en.wikipedia.org/wiki/Recovery_time_objective
[11] https://www.asecurelife.com/the-worst-data-breaches-of-the-last-10-years/ [12] https://www.darkreading.com/risk/corporate-breaches-increase-chances-of-consumer-id-theft-study-says/d/d-id/1132275
[13] https://www.pwc.com/us/en/cybersecurity/assets/revitalizing-privacy-trust-in-data-driven-world.pdf
[14] https://www.veracode.com/security/byod-security
[15] https://www.ibm.com/blockchain/identity/
[16] Gartner, Magic Quadrant for Identity and Access Management as a Service, Worldwide
[17] https://blogs.oracle.com/futurestate/why-do-you-need-to-think-devops-if-you-are-adopting-cloud
[18] https://www.gartner.com/doc/2058722?ref=g_sitelink
[19] https://www.ibm.com/developerworks/cloud/library/cl-publictoprivatecloud/index.html
[20] https://aws.amazon.com/ec2/dedicated-hosts/
[21] https://www.ibm.com/developerworks/cloud/library/cl-multitenantcloud/index.html
[22] http://fortune.com/2018/04/10/facebook-cambridge-analytica-what-happened/
[23] https://searchcloudsecurity.techtarget.com/tip/Cloud-security-monitoring-Challenges-and-guidance[24] https://www.fortinet.com/content/dam/fortinet/assets/solution-guides/sg-mssp-cloud-security-solution.pdf
[25] https://securityintelligence.com/what-is-idaas-a-ciso-clears-up-confusion-around-the-definition-of-cloud-iam/
[26] https://www.gartner.com/it-glossary/cloud-access-security-brokers-casbs/
[27] Gartner: Magic Quadrant for Cloud Access Security Brokers[28] https://downloads.cloudsecurityalliance.org/assets/research/security-as-a-service/csa-categories-securities-prep.pdf
References:
15
© 2018 PwC. Med enerett. I denne sammenheng refererer «PwC» seg til PricewaterhouseCoopers AS, Advokatfirmaet PricewaterhouseCoopers AS, PricewaterhouseCoopers Accounting AS og PricewaterhouseCoopers Skatterådgivere AS som alle er separate juridiske enheter og uavhengige medlemsfirmaer i PricewaterhouseCoopers International Limited.