If you are currently running an on-premise or hybrid environment with an eye to eventually making a complete transition to the cloud, you may be feeling a bit overwhelmed by everything that needs to change in order for your security posture to be appropriate for this new environment. In this post, we’re going to explain how you can start where you are, take small but meaningful steps, and still make important progress toward where you want to be — operating securely in the cloud.
Without trying to boil the ocean, here are five key steps you can take to gently kickstart your transition toward a fully secure, all-cloud environment, no matter where you are today.
1. Know Where You Are in Your Journey
First of all, you need to be honest and clear about where you actually stand today. How much of your environment is on-premise right now? How much is in the cloud? How much of each is secured according to relevant best practices?
If you do have a good portion of your infrastructure in a public cloud, then you’ll want to take stock of how far you’ve come with meeting best practices for that particular environment. For example, if you have some applications running in AWS, then you might want to take our security assessment, which will enable you to audit your cloud infrastructure in minutes and obtain a very clear sense of what the best next steps are to increase your security maturity.
Regardless of where you are in your journey, being realistic about your current stance is essential to making decisions that will help you steadily improve over time.
2. Understand There’s Security for Organizations of Every Size
One misunderstanding that we commonly run into is the idea that security maturity and organization size necessarily or naturally correlate. In some cases, this notion can be used as an excuse to put off a proactive approach to security. Some smaller organizations, for example, presume that they don’t need to prioritize security in the early stages of a company’s development. They’ll have plenty of time to do it later — and anyway, no one’s going to target an SMB, right? (OK, you’ve probably read the headlines and know that this is far from the case.)
The fact is, how seriously you take security should have little to do with the size of your operation and a great deal to do with the risk of ignoring security. Depending on your industry sector, customer type, and risk factors, there are most likely some very compelling reasons to start your security journey sooner rather than later. We don’t say that to fearmonger, but rather to convey the reality that, whether you’re ready to start taking security seriously today or not, putting it off indefinitely is not the best approach.
3. Make Environment Visibility Your Goal
When you start thinking about security — what tools to adopt, what best practices to follow, where to focus your energies — it can be overwhelming. We believe it helps to have a central goal that you are working towards. And when it comes to security, there’s really no better goal than visibility into your entire environment.
As you start down the road of moving from on-prem to the cloud or a hybrid environment, you may wonder: Where did my visibility go? Part of the answer is actually: You don’t manage some of it. You can trust AWS or other cloud providers to handle things like cabling, attenuation, VLAN configuration, and website throughput. That won’t need to be on your plate anymore.
But of course that’s not the world’s most satisfying response, and the other half of it is good news: You’re going to have more visibility than ever before into the things that really matter.
How? Well, in the cloud, you need to focus on gaining visibility at the workload layer because that’s where all the interesting and relevant data will be coming from. So when you do start building security policies and choosing security tools (which we’ll cover below), put visibility at the heart of every decision you make.
4. Choose New Tools Wisely
You may not be ready to go out and buy a cloud security solution (or multiple solutions) this very moment. But if you are in the cloud or moving toward it, you should at least be thinking about what tools you will choose. For one, you’ll want to budget it out ahead of time so that when you inform your boss that it’s time to move to the cloud, you can quote the costs clearly and succinctly and get the approvals you need with minimal red tape. For another, you’ll want to make sure that you are planning ahead and choosing tools that work well together and that suit your environment.
In 5 Considerations for Evaluating a Cloud Security Solution, as the name suggests, we cover key considerations you need to take into account when evaluating a cloud security solution. We recommend you look for ones that:
- Adhere to the shared security responsibility model
- Are built by security experts you can learn from
- Are well-designed and tested for your industry
- Offer APIs and integrations
- Can help you make the transition from on-prem to the cloud
These five criteria (alongside VISIBILITY) will help you plan to purchase and implement solutions that will make your journey to cloud security as seamless as possible.
5. Build a Realistic Roadmap
Finally, one of the best pieces of advice we can offer to organizations that are thinking about adopting the cloud and want to do so securely is to plan methodically. Whether you’ve already started your journey, are planning to start tomorrow, or it’s a year down the line, a detailed roadmap will give you the clarity you need to make good decisions now and plant the seeds for a robust and successful cloud implementation.
We’ve written before about how to establish a roadmap for AWS security, but this framework applies to any security journey.
The key steps to keep in mind are:
- Understand the shared security responsibility model as it applies to the cloud. (It’s quite different from the on-prem way of thinking.)
- Build a cloud security maturity model for your organization and track your progress over time.
- Pursue security and compliance as twin goals as you move forward. (Don’t ignore either.)
- Always consider how you will scale as you go forward.
These four steps will help guide your planning process and ensure that, no matter when kick-off is scheduled, things will go much more smoothly than they would if you took a less structured, more ad hoc approach.
Continuous Improvement Is the Name of the Game
Finally — and hopefully we aren’t starting to sound like a broken record — make continuous improvement your security mantra. There’s no way to get it all done today, tomorrow, or even this year. Security not only takes time; it is a constant, ongoing process.
If you build a clear roadmap that is realistic about where you stand today and where you need to get to, then you can focus on continuously becoming more secure each day. As they say, it’s not about the destination, but the journey to get there.