When making the move to the cloud, security is always going to be paramount. But what should be a move forward for an organisation’s digital plans, can quickly become a backwards step if security is an afterthought. That is why we (The Instillery) talk so much about Velocity with Confidence. Going fast is great, but ensuring you have the right protections in place allows you to continue at pace without missteps.
We’ve collated some simple tips to help government departments consider how to approach security, regardless of the cloud platform(s) you may be using.
Don't assume it's secure
The most fundamental point to start with is to assume that no platform or provider you use is inherently secure. Whether it is private infrastructure, local IaaS platforms or public cloud, all carry risks. Rather than assuming a level of security, review your security responsibilities against the cloud provider’s responsibilities. A good cloud provider will offer a clear shared responsibility matrix, which outlines what they are responsible for, and the areas which you remain responsible for.
Apply NZISM top down
Rather than expecting an application will inherit controls from an infrastructure platform, instead start applying controls from the application layer down. By building controls in at higher levels of the application layer, such as encryption of data, granular access controls and integrated logging, you can negate the majority of risks that may come with compromise of a network, infrastructure or physical layer. By abstracting security from the platform, you also ready your application and data to be more portable.
Perform a PIA & Security Assessment
A Privacy Impact Assessment is a great way to work through the details of how an application functions, documenting risks and implementing mitigations. With this detail laid out, security assessments can be targeted at areas of identified risk. This can result in the rework of how an application functions, the business process and controls in place, and operational procedures. A PIA will provide a documented review of an application against the privacy principles in the Privacy Act (1993). Consider creating a publicly available version of the report to provide transparency, and ensure it is of a quality to stand up to scrutiny.
Assess new security technology & products
A common misconception with public cloud is that the deployment of a firewall appliance will secure your environment. In fact, you do not control the network perimeter for a number of public cloud services including the management console, rendering a firewall entirely redundant for this purpose! Public cloud provides a number of features you may not get from an IaaS provider or private infrastructure such as fine-grained API controls, built-in encryption, IAM integration and granular logging for services. This means you can automate a number of security and compliance functions, leveraging these controls to create a more secure environment. Cloud security has a growing market of technology and products that take advantage of these security features and reduce manual effort to secure the platform.
Moving to public cloud is often the catalyst for reviewing decades-old security practices, resulting in better overall security from the application right through to the platform on which it runs. The tips we have collated provide a starting point for working through the process of understanding the security of your applications and data, regardless of where they may be hosted.
For more information or to talk about working with The Instillery, please contact us here.