When implementing best practices for cloud security, it is imperative that organizations view the cloud as an extension of their own environment, according to Anil Markose, senior vice president at Booz Allen Hamilton.
Markose spoke with SearchCIO at the recent RSA conference and in this Ask the Expert describes his top three best practices for cloud security. He explains that it is very important for organizations to know what data they are storing in the cloud and stresses the need to negotiate an effective cloud service contract.
Editor's note: This interview has been edited for brevity and clarity.
What best practices for cloud security should companies adopt?
Anil Markose: First is understanding what is in the cloud. Some organizations don't even realize that an application that they thought was on premises is actually a SaaS application. They don't understand that the back end is in the cloud already. There should be some level of governance around what is going into the cloud and what your cloud presence is. The one big key around that is that the old days of shadow IT are happening all over again because the business now can go directly to AWS and open up an environment and buy whatever service they want. It's almost like the internal IT organizations are competing with an external vendor for the same services. It is really about understanding what exposure you have in the cloud.
Once you know that, the second is you have to understand what data is going into the cloud. I'd say in most cases an organization cannot tell you how much of their environment is in the cloud. If you don't know what's in the cloud, you definitely don't know what data is in there. Now you have a secondary problem: Do you have a regulatory compliance issue? Do you have a potential data breach issue that you don't even know about because sensitive information that requires reporting is actually not under your control anymore?
Anil Markosesenior vice president, Booz Allen Hamilton
And then number three is, when you go into those types of situations are the contracts set up correctly? Do you have the right risk management in place? If something bad were to occur, who's liable for that? Nine out of 10 times that company is definitely liable for it. But they have absolutely no control over how they're going to fix the situation, or they're at the mercy of that cloud provider or the SaaS provider. And so it is things like: Can you get cyber insurance? Can you get different things put in the contract to kind of hedge your risks around it?
Also, when we talk about the attack surface most organizations will still look at it as their SOC is worried about the enterprise IT, and then they have this secondary program that does cloud security stuff. Why would we treat the cloud differently than an on-premises environment? It's just an extension of the attack surface.
It is important to think about the cloud as an extension of your environment. You should provide the same level of control, security and visibility in the cloud as you would on prem.
Dig Deeper on Cloud computing for business
Related Q&A from Mekhala Roy
Fidelis Cybersecurity president and CEO Nick Lantuh discusses threat hunting best practices, including machine learning's role in corporate data ... Continue Reading
At the recent Gartner Symposium, analyst Arun Chandrasekaran highlighted the benefits of serverless computing and delineated the factors driving ... Continue Reading
In this Ask the Expert, Lumentum SVP and CIO Ralph Loura highlights two key factors to consider when choosing among public cloud giants AWS, Azure ... Continue Reading