Securing the Journey to the Cloud
Climbing to the top of a mountain and standing above the Clouds is an exhilarating feeling. The journey to climb above the Clouds and reach the goal of the summit can also be filled with risks that need to be managed to prevent climbers from getting hurt or failing to reach the summit. Similar to the risks on a mountaineering expedition, the journey IT leaders are facing today in transitioning their organizations to the Cloud introduces risks that must be managed. The transformation of information technology over the past few years has accelerated faster than at any time in history. This transformation is making our enterprises and employees more agile and allows us to focus on accelerating the pursuit of our enterprises’ core missions and objectives. The transformation has also introduced increased security risk to our enterprises.
3 Factors Impacting the IT Security Landscape:
1. Increasing Threats and Vulnerabilities (External and Internal)
Today’s IT journey is like climbing a big mountain that we have never climbed before, with many objective hazards and risks. In mountaineering the threats can be avalanches, bad weather, or mistakes made by climbers. The current IT threat landscape is like a mountain in the middle of a storm with strong winds, heavy snowfall, and high snow accumulation that has the potential to avalanche at any moment. The vulnerabilities and attacks IT organizations need to protect against have increased exponentially, including ransomware, spear phishing, social engineering attacks, malware, denial of service attacks, and government-sponsored cyberattacks. We hear about new IT security breaches every day in the news. Today’s IT organizations are like climbers moving up a mountain valley, surrounded by steep slopes on all sides, and not knowing from which direction or when an avalanche will strike in the form of a cybersecurity attack.
2. Mobility
Imagine taking a mountaineer, tying them into a rope, tethering the rope to a fixed anchor in the ground, and then telling them to climb. Sure, the mountaineer would be safe, but the mountaineer would only have the ability to move the length of the fixed rope and not have the freedom to climb to their full potential and reach the summit. Successful mountaineers obviously don’t use the tethered approach; instead we use a combination of systems, equipment, and protection to create dynamic systems to increase mobility while simultaneously providing protection.
The old school work environment was centralized in terms of talent, technology, and information. This old school environment was like taking our employees and tethering them to a fixed anchor. In the past decade leaders have realized that the knowledge worker values freedom and flexibility. We have given our teams more autonomy in terms of where and how they perform their jobs. We have essentially set our teams free on the mountain and given them the autonomy to climb higher and pursue the summit dream. Business leaders have changed how they allow workforces to get the job done. As a result, IT leaders need to adapt and apply new security systems and processes. IT leaders need to eliminate the old school fixed anchor approach and use dynamic systems so the end user forgets the rope even exists.
3. Cloud
Reaching the summit of Mount Everest requires a larger support organization and is an endeavor that is almost impossible to achieve solo. Climbers rely on Sherpa to help carry loads of food, equipment and gear. The Sherpa will carry supplies to camps to support the summit attempt. The Sherpa also fix some shared protection and safety systems in portions of the climb that can be partially relied on by the climbers for security. Leveraging some shared climbing safety systems increases speed and efficiency for all the climbers on the mountain. Despite the fact that some protection is in place, each climber is still accountable for protecting themselves and verifying the validity and safety of the protection.
Cloud providers are like the Sherpa and shared systems of Everest. The IT Cloud has changed how and where we run our workloads. The adaptability, flexibility, and elasticity of cloud environments provide a platform for IT organizations to more effectively respond to business requirements. The challenge Cloud technology has created for IT leaders is that, unlike the old school traditional IT environment where everything was centralized in our own data centers, we now rely on outside service providers for the hosting and transportation of our data. Cloud providers can help IT spread out workloads and increase IT leaders’ capacity and efficiency to accomplish the organizational goals. Although IT leaders may outsource workloads, services, and data to Cloud providers, doing so does not relieve IT of its responsibility to protect the organization’s information. IT leaders, like mountaineers on Everest, are all accountable for their own information and data security.
3 Lessons from Mountaineering applied to our Cloud Security Journey:
1. Lesson One – Environmental Awareness
Mountaineers must protect themselves from objective hazards and risks including weather, falls, human error, or avalanche. The mountaineering expedition leader is responsible for being aware of both the internal and external risks that can put the climbing team in jeopardy. If a climbing expedition leader sees bad weather, a team member doing something unsafe, or a high probability of avalanche on the mountain, it is the climbing leader’s obligation to protect the team. The climbing leader needs to do this in a way that doesn’t make the climbers feel like they are unjustly being held back from the pursuit of the summit. The leader needs to communicate and explain why a system is in place or an action is being taken. The climbers need to know why they are not being allowed to climb or do something. IT leaders, like mountaineering expedition leaders, are responsible for assessing the IT threat landscape and informing end users. For IT leaders the threat could be ransomware, spear phishing, social engineering attacks, malware, DDoS attacks, or government-sponsored cyberattacks. IT leaders must protect the organization and end users while simultaneously helping end users pursue the organization’s mission and goals.
2. Lesson Two – User Awareness
On every climbing expedition that I have taken part in, our teams always begin with a review and briefing. We discuss the route, style of climb, the climbing systems we will use, and the potential risks and hazards we may encounter on the climb. We also do a review and training of the safety systems used on the climb including the knots, protection equipment, and systems. On a climbing expedition it is paramount that the climbing team members have the skills to protect themselves and the rest of the team.
End user awareness and training on security threats, vulnerabilities and the purpose of the systems is a crucial element of any successful Cyber Security program. The end users in our organizations do not need to understand all of the inner workings of the complex security technology, but they do need to understand the risks, the purpose of the system, and their role as an end user in protecting the organization’s data. IT leaders are responsible for creating End User awareness around Cyber Security.
3. Lesson Three – Right Equipment
In mountaineering, unforeseen external factors or human errors may occur and threaten the expedition at any time. Mountaineers must assess and identify the right equipment and technology for the job including climbing ropes, climbing protection, carabiners, and proper clothing to protect them from the specific challenges and risks that may be encountered on a mountain. Likewise, IT leaders need to assess the threats and vulnerabilities specific to each organization. Once IT leaders have identified the vulnerabilities and threats, the next step is to look at what the right tool sets are to secure and protect the organization. There is a broad set of security tools including Insider Threat Protection tools (e.g. Varonis), logging and analytics SIEM tools (e.g. HPE ArcSight, RSA, or Splunk), Wireless Access and Policy Management (e.g. HPE Aruba ClearPass), Cloud Access Management (e.g. Microsoft Azure AD), Unified Threat Management Solutions (e.g. Fortinet), Next Generation Firewalls (e.g. Fortinet), Enterprise Mobility Management (e.g. VMware AirWatch) or Network Virtualization/Micro-segmentation (e.g. VMware NSX). IT leaders need to understand the specific vulnerabilities and threats facing their organization, define the requirements, and select the technology that best protects against the specific organizational vulnerabilities and threats.
As we move along the Journey to the cloud, we need to ensure that, as IT leaders, we are focused on environmental awareness, user awareness and deploying the right technology tools to protect our organizations. Our goal as IT leaders is to help our organizations and end users safely, securely and successfully reach the summit.
If as an IT leader you are trying to increase security awareness with the non-technical end users in your organization, please share this article with your team to help improve awareness and the security posture of your organization. The more end user awareness IT leaders can drive, the faster we will all get one step closer to securing our enterprises.
By Tim Igo
About the Author: Tim Igo is an 18+ year veteran of the IT industry and has helped hundreds of clients across multiple verticals and industries successfully accelerate the adoption of new technology solutions to create business advantage. In his personal life Tim is a mountaineer who has successfully climbed Mount Everest and the 7 Summits, reaching the tallest point on each continent.