Rising to the Security Challenge of Heavy Cloud Adoption
Many enterprises have decided on a “cloud first” strategy, or have seen heavy cloud adoption evolve spontaneously as their business units embrace cloud for cost savings, agility or other competitive imperatives. Security teams face challenges controlling, influencing or enabling cloud adoption. This document provides guidance on how IT security leadership should deal with the challenges of strategic uncertainty, regulatory compliance, shadow IT, fragmented security infrastructure, and agile development and DevOps practices.
1 Management Summary
If it is the goal of information security to enable the business as well as protect it, then traditional security responses to cloud computing adoption are frequently failing. Great challenges – strategic uncertainty, regulatory compliance, shadow IT, fragmentation of IT security and a lack of IT agility – afflict enterprises and their security organizations.
The right approach to better align cloud security practice with business needs varies with the type of organization. The further one moves from a single-country business with centralized IT governance and a buy versus build software sourcing strategy, the greater the challenges from the cloud. Multinational corporations with decentralized lines of business that build software as well as buy it face the most acute challenges. In fact, their group security organizations find themselves in the eye of a perfect storm.
This Note provides a broad set of high-level recommendations for aligning modern security organizations, architectures and strategies with an IT Cloud Strategy to enable business. The large multinational in the perfect storm must address all the recommendations, but other types of organizations should consider them on a case-by-case basis as well. The Note provides actionable advice for security organizations on how to:
- Engage with multiple stakeholders in an actual or virtual IT Cloud Strategy team
- Determine the primary cloud direction and governance model
- Understand the enterprise’s application hosting guidelines
- Help implement cloud management and assurance frameworks
- Optimize protection for cloud networking and mobility
- Optimize cloud identity and access management