The value proposition behind the migration to cloud involves speed, agility, lower cost and, according to those who are managing cloud transitions, more security controls.
The cloud risks presented by the use of traditional security controls in on-premises and cloud environments range from no visibility into data and applications to overreliance on third-party providers for ironclad security policies and full disclosure of their security postures and incident response capabilities.
As technology journalist Jaikumar Vijayan found in his cover story, the migration to cloud services makes it harder, not easier, for security executives to keep on top of everything that is going on in the enterprise. The belief that you can use the baked-in security policies offered by major cloud vendors is a myth, SANS Institute's John Pescatore told Vijayan: "The infrastructure will never protect itself … but it will be delivered and managed differently."
While the effectiveness of existing controls depends on the cloud model -- infrastructure as a service, software as a service or platform as a service -- vendors of traditional data center tools will need to add cloud delivery to their products.
Enablement is one way to manage the risks of the migration to cloud. Executive Editor Rob Wright caught up with Mike Bartholomy, senior manager of information security at Western Union, to talk about the financial services provider's efforts to minimize shadow IT and provide the tools that its workforce, which is about 60% millennials, actually uses. The Western Union Information Security Enablement program, or WISE, was developed to approve cloud services and build the appropriate security controls.
"We felt that was a better approach than to try to ban and block everything. So part of my job is to make sure they can use those cloud services in a safe and secure way," Bartholomy said.
As security executives work to balance the migration to cloud with on-premises security, companies should be ready to defend their actions relative to cloud risks and cybersecurity preparedness. Technology journalist Alan Earls reports this month that more companies seek board-level cybersecurity experts, especially after a high-profile breach. Legislation that could make executives and boards of directors responsible for cybersecurity preparedness, similar to the Sarbanes-Oxley Act for financial and other fiduciary decisions, was proposed a year ago and may wind its way through Congress. Either way, the debate about board-level cybersecurity expertise may offer membership opportunities for security executives, particularly on audit committees.