A large technology consultancy with thousands of employees spread across north America and Europe is now approaching 99% cloud deployment for their applications. The consultancy believes this is the right solution to provide flexible and secure application deployment for their widely dispersed user community.
The migration from on-premises to cloud-delivery began a decade ago with email, which needed upgrading, but the firm found it was difficult to expand their physical server room. It took some work to find the right vendor and the right solution but, in the end, they saved money, and soon they added cloud-based CRM, as well.
Because the consultancy was also growing crazy fast, they needed to quickly add capacity. Soon they looked to the cloud for every new upgrade and app rollout. Their first true cloud environment was nailed up via an IPsec VPN to an early cloud player in the infrastructure-as-a-service (IaaS) business. They put a virtual Active Directory server up in the cloud to manage authentication, authorization, and accounting (AAA), and things just took off. As this grew, they found they could deploy databases, web servers, applications—whatever the consultancy needed. The capacity was there with many of the security tools they were familiar with already.
One of the consultancy’s biggest security concerns was uptime, which they solved by finding a strong cloud vendor. Disaster recovery (DR) and business continuity are always big challenges, especially for a globally-dispersed and fast-growing organization like they had become. The trick was to make sure their cloud providers could match their requirements. This meant taking a lot of time to review contracts and service level agreements (SLAs) at the outset and then holding the providers’ feet to the fire when promises did not match reality. A bad cloud provider could negatively impact uptime if their expectations are different from your own. For example, most organizations know how good or bad their own DR capability is, but for a cloud provider, it can be a mystery. Also, some interesting problems can creep through the cracks in ways you don’t expect. Having short outages of just several minutes randomly throughout the workday can be worse than one big long outage. This is especially true for non-real-time services like email, where you might not notice when messages aren’t getting delivered. However, some cloud provider SLAs are written to cover longer outages rather than the short ones, so read carefully. This is especially true with platform-as-service (PaaS) cloud providers who are serving a single application and the vendor is more a niche (and therefore smaller and possibly weaker) player.
For the consultancy, managing access to their cloud was also a challenge, especially since they has a mix of consultants and developers. Many people needed a wide range of access capabilities, and many needed full access to their own boxes. For this they turned to role-based access control to ensure people got what they needed on only the systems they needed and nothing else. Luckily powerful security tools are available to do this. As needed, the consultancy can require multi-factor authentication (MFA) at the beginning of a session and then turn that around into single sign-on to ease access throughout the user workflow. This was especially helpful for those with elevated access as they could strongly authenticate them right off the bat.
As for detective and monitoring security tools, most large IaaS vendors provide virtual networking capability, which the consultancy tapped for packet capture and analysis. PaaS vendors are used differently, but most provided detailed audit logs on user logins and actions which they needed for audit purposes. Some large IaaS vendors also provided additional monitoring alarms to help with pesky things like developers accidently dropping authentication credentials into public code repositories.
One major challenge for the consultancy was dealing with different cloud environments. Some cloud vendors who have multiple offerings can have different knobs and gauges for their varying services. The consultancy’s security operations team would learn how to lock down and monitor something in one service area, only to find that things worked much differently in another. Then there are the frequent upgrades within the service, which can change the look of a console or add new features. Even within the same cloud provider, it can be like managing security for different applications and environments. This can lead to complexity and blind spots in security. It gets even more difficult when there is a mixture of different cloud vendors. To this day, there are likely additional security capabilities that the consultancy hasn’t taken advantage of yet because they haven’t had the time to learn them. To help with this, it’s best to ensure someone on the security team attends cloud provider training sessions and conferences.
The last big challenge in the cloud is compliance. Commonly, most cloud providers certify their platform up to a certain level and then from there, you need to deal with additional risk and compliance requirements. Cloud providers don’t cover it all. That boundary and the accompanying responsibility is sometimes misunderstood by newcomers or executives. All things being equal, a non-technical person will just assume because XYZ Cloud has passed a particular audit, they think they’re done with security and they can rest. That’s almost never the case.
Overall, the consultancy’s journey to the cloud has been a game-changer for their organization. The lessons they learned along the way have helped make them a better and more valuable organization for their customers. The security program has only grown stronger, as well.
MODIFIED: Jan 18, 2018