Why Cloud Services Should Drive your Enterprise Security Architecture
Lester Godsey is the Chief Information Security and Privacy Officer for Maricopa County, AZ, which is the fourth most populous county in the United States. With over twenty-five years of higher education and local government IT experience, Lester has spoken at local, state, and national conferences on topics ranging from telecommunications to project management to cybersecurity and data. Lester has taught at the collegiate level for over twelve years in the areas of technology, business, project management, and cybersecurity. The author of numerous trade journal and online magazine articles, he is CISM (Certified Information Security Manager) and PMP (Project Management Professional) certified. He holds a BA in Music and a MS in Technology, both from Arizona State University. His current areas of professional interest center around IoT (Internet of Things) technology and Data Management and the juxtaposition of these disciplines with cybersecurity.
Shea McGrew is the Director of Infrastructure and Operations for Maricopa County, AZ. Shea has over twenty years of IT experience at both the collegiate and local government levels. She holds a BS in Computer Information Systems from DeVry and an MBA, emphasizing enterprise information systems management from Kansas State University. Her current professional focus areas center around data center modernization, cloud services, containers, and automation.
Even though cloud computing services have been around since the mid-2000s, it’s surprising that some organizations still don’t invest the same level of security planning into cloud services as they do with traditional on-premise services. This article will explore why this is critical for all enterprises moving forward, what are some of the challenges, and what we can do to rectify this.
What’s so crucial about enterprise security architecture in the cloud? This goes back to January 2006 when Gartner introduced the idea of adding security in the Enterprise Architecture framework to help identify and reduce risk across an organization. Since then, security professionals have developed practices, such as perimeter protection and defense-in-depth that allow organizations to defend their assets and minimize risk while inside the network. But even on-prem, with a strong perimeter, one cannot achieve absolute security. So, where to focus one’s efforts?
“Cloud services bring a whole new way of delivering services to the enterprise, and while this poses its challenges in designing security, the approach we take today doesn’t need to change”
The Enterprise Security Architecture framework recommends concentrating on value and vulnerability. Where do the most valuable and vulnerable corporate assets exist? According to Techjury.net, cloud services in 2010 were valued at $24.65 billion and are projected by the end of 2020 to reach $150 billion. This investment level shows that organizations are flocking to cloud services, not just for application development needs. The cloud is now a go-to for production business processes and end-user consumption. This, coupled with the escalated adoption of cloud services due to COVID-19, points to the cloud containing not only our most valuable assets but perhaps our most vulnerable ones. According to the 2020 Trustwave Global Security Report, attacks on cloud services doubled in 2019 from 2018 and made up 20 percent of investigated incidents. It’s a safe assumption that as the use of cloud services increases, so will the attacks on them. We are dealing with a way of conducting business that we cannot afford to ignore when it comes to enterprise security architecture.
The ease in which cloud services are procured/consumed and the abstracted nature in which they are offered are the first hurdles. Instead of having a traditional server layer where all servers of a particular type are located together and configured to perform specific actions, we now have IaaS, PaaS and server less solutions for applications. Enterprise cloud service management, especially infrastructure and platform services, is substantially different from that of local networks. In the case of an Apache web server, no longer are we responsible for the whole Linux, Apache, MySQL and PHPstack. We click a couple of boxes, fill out some information, and suddenly have a web server ready for production. Many Infrastructure and DevOps Engineers have become accustomed to the traditional network perimeter providing protection, resulting in never having to think twice about security for deployments inside the network. Now they are working in a world that blurs the lines between inside and outside the network.
Another challenge related to the ease of providing these services is large, highly decentralized and/or widely dispersed organizations struggle to control the creep of services outside the network. Regardless of organization structure, virtually all organizations have and are currently struggling with departments procuring cloud services with little to no guidance from their technology teams. Often all it takes is someone with an internet connection and a credit card to set up cloud payment services. Without various cloud controls in place, all one will see through traditional firewalls is increased port 80 and 443 traffic. The ubiquitous nature of cloud services is that they are simple to procure and can be challenging to manage, leading to various levels of potential risk to one's organization, much of which may be unknown.
What We Can Do:
Continue to focus on the basics. The concept of managing risk applies the same to cloud services as it does with on-prem ones, but our approach might be different. If a prerequisite of risk management is knowing what’s in one’s environment, then we need to know what cloud services are in use. How can we manage/inventory cloud services? Technologies like CASB (cloud access service broker) can help organizations gain insight into what cloud services are being used. What about next-generation firewalls? Sure, some can tell at an application level, as opposed to port/protocol, what is coming in and going out, linking cloud services to enterprise usage. However, what about cloud services that are used by staff that never traverses the corporate firewall? Without a service/system perspective in designing and analyzing enterprise networks, organizations would continue to look at the parts that make up a service instead of the sum of those parts.
Cloud services have effectively turned the traditional model of security zones on its head. From a security perspective, how should we be designing enterprises? Architecturally, we must understand all points of ingress/egress in our network, keeping in mind that the very definition of 'network' is an amalgamation of traditional on-premise technology and cloud services. From a design perspective, micro services might be employed for development purposes or software-defined networks might be the way that your organization intends to provide secure access to services. These all need to be taken into consideration before proper security architecture can be identified and implemented.
Cloud services bring a whole new way of delivering services to the enterprise, and while this poses its challenges in designing security, the approach we take today doesn’t need to change. An awareness of how these services are consumed and the generated risks are still required to provide security architecture for our cloud-dominated future.