Canadian CIOs are moving more workloads to the cloud, particularly now that Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP) have data centres here. That’s in part why IDC Canada forecasts that managed cloud services spending in Canada will grow from US$1.0 billion in 2017 to US$1.6B in 2021, a compound annual growth rate of 14.1 per cent.
However, IT leaders aren’t moving everything to the cloud. So-called hybrid IT will be an enterprise strategy for a long time. That means CISOs have to be on top of their game to ensure there aren’t any security gaps. Among the problems is that the infosec and cloud teams have different tools and priorities.
In a recent column, Travis Greene, identity solutions strategist at software provider Micro Focus, identified five issues that CISOs with mixed environments have to deal with:
1. Threat detection and analysis: Do you have a consistent way to visualize and analyze threats across different computing environments?
2. Vulnerability management: Does your app development team apply the same rigor to testing code for security vulnerabilities for cloud applications as they do for software running in your own data centers?
3. Privileged user management: Who is watching and managing what your privileged users have access to and how they are using that access?
4. Access controls and authentication: Access controls for the cloud are often less integrated with identity systems than those for legacy services. That’s why staff who leave sometimes still have access to cloud services. Is there an integrated identity and access management system across cloud and legacy systems?
5. Identity governance: Most enterprises have significant identity governance and administration capabilities for their legacy apps, but SaaS services are usually on an island in many environments. Are you reviewing the rights to your cloud apps with the same rigor applied to legacy apps?
“Maintaining consistent security controls across the entire hybrid IT environment is growing increasingly complex as more cloud services are adopted,” warns Greene. “And as these cloud services interact with data maintained on legacy systems, simultaneously multiplying risk, attackers can identify more opportunities to exploit the gaps in security coverage between the systems.”
Security is a balance between protecting the enterprise, meeting compliance obligations and speed to deployment. Adding cloud only complicates things. Some IT leaders are pressured to adopt cloud to meet the demand for speed. That doesn’t mean security has to take a back seat.
It’s the time of the year when some CISOs make New Year’s resolutions. A good one might be to review your hybrid cloud strategy.