WavebreakmediaMicro - Fotolia
Companies and their suppliers today face a burning issue: there is a compelling business case to migrate to cloud workflows, but there is uncertainty about the security implications of doing so. Do cloud workflows require security tradeoffs and, if so, are they significant enough to delay or even prevent adoption? What is the best way to address these security concerns?
In most cases, cloud workflows tend to be a security upgrade compared to more traditional on-premises models; however, this is only true when these workflows are designed and implemented properly. In order to do so, companies and their suppliers need to understand the three most important security issues related to cloud workflows and the ways to address those issues.
Issues with adopting a cloud security strategy
Cloud does not automatically mean secure
Cloud certainly provides many benefits, including the geographic distribution of data centers, massive financial investments in hardware upgrades on a frequent basis, robust physical security and so on. The security landing pages for major cloud providers typically outline the many investments they make in security testing and compliance. These pages describe the ways in which they deliver a variety of security features, such as encryption, monitoring, audit trails and more.
However, robust security is not delivered automatically just by utilizing the cloud. Instead, the workflow must build security into the deployment configuration; otherwise, these benefits may be lost or undermined.
Collaboration varies by industry, but all collaboration entails risk
Most industries require some level of collaboration between stakeholders and vendors, with the extent of collaboration considerably higher in some industries than in others. Such collaboration requires enhanced levels of trust and access, and these conditions inherently increase the level of risk to the valuable assets about which stakeholders care most.
Cloud security is a core business discipline.
Security is a core business discipline, not just a technical one. Migration to the cloud entails an array of critical business decisions that affect business units and organizations across the enterprise, including the vendor ecosystem upon which the enterprise relies.
This is drawn in sharp distinction to an outdated model whereby organizations considered security as a purely technical issue -- one that could be delegated outside the purview of executive leadership. Given that security is a core business discipline, the business must therefore consider security in not only its cloud strategy, but also in its overall corporate strategy.
How to mitigate cloud security strategy issues
In order to effectively address each of these cloud security strategy issues, stakeholders and their vendors can pursue a handful of effective security actions.
A threat model is an exercise that an organization carries out to identify three primary components of its security model: assets the organization wishes to protect, adversaries the organization wishes to defend against and the attack surfaces against which the adversaries may launch their malicious campaigns. The threat model thus becomes the basis for decision-making for the security mission, including how and why to invest resources, how to understand risk in the business context and how to define success.
In contrast to a threat model -- which outlines the relationship between the stakeholder and the adversary -- a trust model defines the relationship between the stakeholder and the vendor. This includes why the organization trusts the entity, how trust is provisioned and how trust is revoked.
A trust model empowers an organization to make sound security decisions about the high level of trust and access collaboration requires.
Every stakeholder is unique and every vendor is unique. Taken together, these conditions mean that all workflows between stakeholders and vendors are going to be unique. Therefore, while utilizing a set of guideline controls is always a good starting point, every workflow must be tailored to the unique needs and conditions of the relationship between the stakeholder and vendor.
Of paramount importance to that workflow tailoring is accounting for adjustments in threat models and trust models, as well as all the security considerations that may result from the unique relationship between the stakeholder and vendor.
How to implement a cloud security strategy
Organizations that want to implement secure cloud-based workflows must consistently assess and monitor their cloud service settings for misconfigurations and, in so doing, include a detailed trust and threat model as a part of their planning and deployment. Wherever necessary, organizations must tailor their workflows.
Now is the time to grasp the distinction between what cloud providers deliver versus what stakeholders must deliver in pursuit of a robust security posture, to recognize why collaboration affects risk, and for all organizations to treat security like the core business discipline that it is. If we can do these things, we can resolve much of the uncertainty around the security of cloud workflows and arrive at a state where the many benefits that cloud delivers can be obtained.