Yet once again, one of the biggest buzzwords to be thrown
out there in our world of Cyber is “Hygiene”.
Actually, I don’t think this term actually started to gain root until
when everybody started to work from home, when of course, security was a huge
mess.
But when we hear of this term, the images of people working directly
at their computers or perhaps even going to the office to access stuff, in a
safe and secure manner (really? LOL).
But Cyber Hygiene is actually an all-encompassing term which
embraces all forms of both digital and physical assets. Long story short, it simply refers to the
fact that you are abiding by the security policies of your company, and trying your
best in not becoming a victim. But this
term can also apply to the Cloud as well, and how safely you access stuff.
For example, suppose you are trying to access a VM in
Microsoft Azure to gain access to some shared resources. In this regard, are you still following your
company’s security policy? Hopefully you
are. But keep in mind that as the near
99% Remote Workforce is now going to be with us for a long time, Cyber Hygiene in
the Cloud is going to become a key issues.
Here are some quick ways in which it can be addressed:
1)
Determine exactly what you have in the Cloud:
With the COVID-19 pandemic, many
businesses in Corporate America have a made a total, 100% transition to the Cloud,
whether it is the AWS or Azure. Of
course, there are still some that are reluctant to make the transition over,
and some prefer a mixed approach where some assets stain the Cloud and some
stay On Premises. But no matter what you
are using, take inventory of all of the assets that you have deployed to the
Cloud. All those controls that you have
deployed On Premises now have to be moved over to the Cloud as well. Remember, the GDPR and the CCPA just doesn’t
look for stuff On Premises – they look to make sure that all appropriate and needed
controls are also deployed on your Private or Public Cloud as well. To keep things efficient, try to use the same
methodology that you use On Prem for the Cloud as well as when it comes to
asset categorization and risk level.
2)
Determine the effectiveness of those controls:
Although the same sort of controls
will be required for the Cloud as to what you had On Premises, you still need
to make sure that they are working the intended way either in AWS or
Azure. Although the controls should work
fine, there still may be some adjustments that are needed. One good approach is create a sandbox environment
first, and test those controls there first before you move them into the production
environment in your Cloud Infrastructure.
A good framework to help keep all of your controls would be to use what
is known as the “Cloud Controls Matrix” that is available free from the Cloud
Security Alliance. You can download it at
this link:
https://cloudsecurityalliance.org/artifacts/cloud-controls-matrix-v4/
3)
The transition to the Cloud:
Suppose you have an On Premises
Server and have migrated that over to the AWS or Azure. Once that process has been done, your new VM
could be set up differently, and the way you access stuff in it could also
change as well. In fact, you may not
even move everything over, depending upon how old your data is what the exact purpose
of the new VM is. So, whenever you have
made the move over completely, take stock of what each new VM is actually
doing. For example, is one just being
used to serve the company Intranet, and the other is a database server? Of course, all of them will need protection
via the controls, perhaps not all of them will have to be so strictly
enforced. Perhaps the server with the company
pages does not need to have as many controls associated with it as the VM which
houses the database server? The reason
for this is that although there is a plethora of benefits with a Cloud based
structure, you are always going to be charged with how much resources you are using,
technically known as “consumption”.
These costs can add up quickly, so you need to allocate resources accordingly.
4)
Keep everybody informed:
It is important to note that as you
get deeper into this process, all key stakeholders, especially your employees
need to kept informed of what is going on.
Of course, you do not want to give out all of the details, but employees
will feel much more empowered and motivated to maintain a strong level of Cyber
Hygiene, whether it is remote, On Premises, or in the Cloud. You also need to remind that the same
security policies apply in all kinds of environment.
My Thoughts On This
Remember, moving to the Cloud is not an easy task, especially
if you have a large organization. It
should be noted that it should be done in phases, especially when it comes to
moving the controls over. It is always best
to hire a solid, reputable Cloud Services Provider (CSP) that can pretty much
do all of this for you, as they will have the experience.
Best of all, they can continue to oversee your new Cloud
environment after the migration has been completed, and all of the security aspects
of it as well.
In this regard, many CSPs are now focusing these services
onto the SMB market exclusively . . . this making it much more affordable.
No comments:
Post a Comment