Just last year, at the 2015 RSA Conference in San Francisco, I heard many attendees say, “We’re looking into the cloud.”
“If you’re only looking into the cloud right now it’s probably too late for you,” said Chad Rubin, director of information security, Publicis Groupe in our conversation at the 2016 Security B-Sides Las Vegas conference. “You’re probably already in the cloud. People have already gone over your head and they’re already hosting things there and you just don’t know about it yet.”
The business will look for what is most cost effective for them, not necessarily what is most secure. You need to work with the business to create a cost effective solution.
If you don’t, warned Rubin, the business is going to go over your head and you’re going to have cloud instances you don’t know about. If you do know about where your business is in the cloud, then you can actually apply security policies.