
Cloud Adoption: How to Enable a Secure Architecture

Cybersecurity + Cloud Security | Ervin Daniels | July 26, 2021

Background

Cybersecurity must be a forethought, not an afterthought, in application and data security architectures. Security has to be "baked" into your application development process. Before you build applications, migrate them to the cloud, or modernize them, the cybersecurity team must have a seat at the table from the very beginning.

Data Security 

Let's start with your data. Why? Because the data is what the bad guys are after. Data is the oil and the engine that drives the business, so a lot is at stake. Designing a data security strategy requires understanding and using a few critical technologies: they are what make it safe to use data in the cloud and what give you a way to protect and secure it.

It's essential to understand your data before you can begin to protect it. Remember that under the shared security model you remain accountable for securing your cloud data, for its privacy, and for its governance.

Begin by performing data discovery and classification to determine where your data lives and its sensitivity level (e.g., confidential, public, sensitive, and private). Then use those outcomes to design a security strategy for your data.

Encryption is an important technology to consider and use when building systems that store and use data in the cloud. How you apply it will depend on your use cases. Consider implementing encryption for data-at-rest, data-in-motion, and data-in-use.

Data-at-Rest (DAR)

When data is archived and stored, different encryption techniques are available. Consider encryption for each storage type you use (e.g., volume storage, object storage, database storage, etc.). Don't forget about key management. Ownership and control of your keys support the concept of "you own your data" and fulfill your part of the shared security model. Key management should match the sensitivity of your data. Here are three key-management options to consider:

  • Confidential data = BYOK – "bring your own keys."
  • Sensitive data = KYOK – "keep your own keys."
  • Consider an HSM (Hardware Security Module) to manage key distribution and the encryption/decryption processing.
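As an added example (not code from the original post), the following Python ties the discovery-and-classification step to the key-management options above: it scans constructed sample records for a few data patterns, rates each storage location by the most sensitive record found there, and maps that level to a key-management option. The detection rules, the sample records, and the rows for "private" and "public" data are assumptions; only the confidential-to-BYOK and sensitive-to-KYOK mapping comes from the post.

```python
import re

# Sensitivity levels named in the post, ordered from most to least sensitive.
LEVELS = ["confidential", "sensitive", "private", "public"]

# Constructed detection rules (an assumption): name, pattern regex, implied level.
RULES = [
    ("card_number", re.compile(r"\b(?:\d[ -]?){13,16}\b"), "confidential"),
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "confidential"),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "sensitive"),
    ("phone", re.compile(r"\b\d{3}-\d{3}-\d{4}\b"), "private"),
]

# Key-management option per level. Confidential -> BYOK and sensitive -> KYOK
# follow the post; the private and public rows are assumptions.
KEY_MANAGEMENT = {
    "confidential": "BYOK",
    "sensitive": "KYOK",
    "private": "provider-managed keys",
    "public": "no customer key required",
}

# Constructed sample records standing in for a discovery scan's raw findings.
SAMPLE_RECORDS = [
    {"location": "s3://orders/2021/07", "payload": "order 8831 card 4111 1111 1111 1111"},
    {"location": "db://crm/contacts", "payload": "jane@example.com 555-123-4567"},
    {"location": "s3://marketing/brochures", "payload": "Spring catalog, public release"},
]


def classify(text):
    """Return (level, matched rule names); the most sensitive hit wins."""
    hits = [(name, level) for name, rx, level in RULES if rx.search(text)]
    if not hits:
        return "public", []
    level = min((lvl for _, lvl in hits), key=LEVELS.index)
    return level, [name for name, _ in hits]


def build_inventory(records):
    """Map each location to its highest sensitivity, findings, and key option."""
    inventory = {}
    for rec in records:
        level, findings = classify(rec["payload"])
        entry = inventory.setdefault(rec["location"], {"level": "public", "findings": set()})
        entry["findings"].update(findings)
        # A location is as sensitive as the most sensitive record it holds.
        if LEVELS.index(level) < LEVELS.index(entry["level"]):
            entry["level"] = level
        entry["key_management"] = KEY_MANAGEMENT[entry["level"]]
    return inventory
```

Running `build_inventory(SAMPLE_RECORDS)` yields one entry per location; the orders bucket comes out confidential with BYOK, the CRM table sensitive with KYOK, and the brochures bucket public.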

Data-in-Motion (DIM)

When data moves in and out of the cloud for processing, viewing, or sharing, it's crucial to protect it as it traverses the internet. Technologies for encrypting data in motion are mature and well defined, including IPsec or VPN, TLS/SSL, and other protocols.

Data-in-Use (DIU)

Data that is being used, processed, or viewed by users is called data in use. Protection technologies for this state focus on Digital Rights Management and Data Leak/Loss Prevention. In all cases, access to data should be limited to authorized users.

Application Security 

Managing your applications is critical to the security of the applications and their data. It's important to use technologies that address the risks, vulnerabilities, and threats to your applications. The collaboration of the cybersecurity team with the DevOps team is called SecDevOps. The goal is to develop a culture and environment where building, testing, and releasing software can happen rapidly, frequently, reliably, and securely.

Ensure that you don't have vulnerabilities in your code and production applications. Testing software for security both before and after it reaches production is common practice, so scan your applications using Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) technologies.

Identity & Access Management

Consider identity and access management controls and enforce the principle of least privilege in your cloud infrastructure. Managing the users connecting to your cloud environment is essential. You want access to resources controlled by the answers to "who are you, and what do you have access to?" Consider Single Sign-On (SSO), Multi-factor Authentication (MFA), Privileged Access Management, and Federated Identity Management to increase security for every entity that has an identity (e.g., users, devices, code, organizations, and agents).

Network Security 

Cloud, by its nature, is always on and always accessible, offering users widespread access to resources, data, and other assets. The goal is to keep threats outside the perimeter of your network while allowing authenticated users in. Ensure that you protect your cloud network from internet threats using perimeter security controls. Perimeter defense technologies include web application firewalls, SIEM, network firewalls, intrusion detection and prevention systems, honeypots, secure gateways, and DDoS protection.

Conclusion

Take a holistic approach when designing your application and data security architecture. This is not a comprehensive list of recommendations, but it covers the basic building blocks. Involve the security team early in the planning and decision-making stages. Security can help business and technology teams make the appropriate internal risk management decisions. Don't treat cybersecurity as an afterthought; if you do, it may have a negative impact over time.

 

Cybersecurity Architect with over 25 years of Technology and Security leadership and hands-on experience across various industries (retail, public, financial services, and technology).

Written by: Ervin Daniels





©2020 Ervin Daniels. Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of IBM.