Oh, Great and Powerful Cloud, I Wish to Be Free Of The Burdens Of Infrastructure!

By Craig Burland, CISO, Inversion6

The Cloud’s booming voice, stunning light show and smoke fill the room.  “Faster! More agile! Cheaper! Business aligned! Strategic! I have the answer to all your technology problems. Imagine everything that could be accomplished if no one spent time taking care of infrastructure!”

From the start of the cloud conversation, it should have been clear that there was something hiding behind the curtain. Like the Great and Powerful Oz, the Cloud has a secret: it isn’t really magic.

Disappointing, but not surprising.

Regardless of the ratio of ingredients [Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS) and Infrastructure-as-a-Service (IaaS)] in your cloud cocktail – say, ½ SaaS, ¼ IaaS, ¼ PaaS – divesting yourself of infrastructure isn’t a panacea. It doesn’t make obsolete applications disappear, instantly fix poor hygiene practices or absolve you of security or compliance governance. It doesn’t suddenly make users cyber-smart. And it’s not cheaper without a thorough understanding of and diligent focus on usage. The cloud is quite literally just someone else’s data center.

Smart organizations recognize this reality and come into the conversation with their eyes wide open, understanding that moving to the cloud is a trade, not a boon. Smart cybersecurity leaders should leap at the opportunity of using the cloud as a green field. They should insist on principles like “secure from the start” and “proactive, data-driven governance” to build solutions that are more scalable, flexible, secure and cost-effective than those they replaced.

Focusing specifically on the challenges of a cloud infrastructure transformation, the obvious thread is a lack of governance with a sub-plot of cybersecurity woven in. Interestingly, these challenges aren’t new –they’re equally present in on-premise architectures. They just present themselves differently when planning a pivot to the cloud. Let’s take these challenges one at a time.

Application obsolescence is a failure of lifecycle management. On-premise, obsolete applications create a chain of technologies unable to upgrade, support teams unable to evolve standards and a steep escalation of risk. The cloud doesn’t solve these problems, but it does force the lifecycle conversation to the front. Obsolete applications can’t be moved to the cloud. If the business wants enhanced performance and agility, they need to upgrade. If the business wants to avoid being on the wrong side of the IT strategy, they need to upgrade. Cyber leaders should double-down on any one-time changes to establish a principle about remaining on supported solution components, to avoid making the same mistake again.

Poor technology hygiene comes down to ignorance of the risk presented by vulnerabilities and misguided prioritization. Poor hygiene is not an “on-prem problem”– it’s a people and process problem.  Hosting infrastructure in the cloud doesn’t automatically address vulnerability and patch management.  Hygiene can be ignored in cloud workloads just as easily as on-prem. The cloud does offer automation and visibility that can be lacking in on-prem environments, but it takes the other elements to execute.   Processes like scheduling maintenance windows, validating applications following patches and communicating to customers still need to be resourced. Cloud transformation effort opens a window where cyber leaders can build in an effective vulnerability and patch management process with fewer legacy roadblocks.

Security and compliance remain the most misunderstood aspect of the cloud. Cloud service providers (CSPs) operate under what is called the “shared responsibility model.” In simple terms, they protect what they bring to the table – data center, hardware, core network. The organization must protect everything else. The data, access, virtual servers, applications, identities, all of it.  These are the responsibility of the customer. CSPs provide the tools to help with security, but they don’t enable, configure or maintain them. Making matters worse, most security platforms implemented on-prem typically can’t be extended to the cloud. Security teams must learn new tools and develop new processes to protect the cloud. Almost daily, there are reports of cloud compromises as hackers target poorly managed SaaS platforms or exploit unprotected storage buckets. As for the data lost in these incidents, addressing compliance violations falls to the organization as well.

The last area of cloud governance is cost. While not typically part of cybersecurity, controlling operating costs is part of every leader’s role. On-premise, finite amounts of licenses, hardware and rack space limit the pace of expansion and control cost. The cloud removes that governor, letting the business run full throttle. Without strong financial controls and precise cost allocation models, new workloads will sprout like dandelions. Left untended, these assets will cause a serious budget disruption. Articles going back to 2021 discuss the likelihood that organizations will overspend their cloud budgets unless there is upfront planning to build a disciplined process. Recent studies confirm this prediction is coming true. If arguments about lifecycle, hygiene and security aren’t convincing, arguing for greater plans and governance to ensure savings may yet win the day.

To large degree, Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS) and Infrastructure-as-a-Service (IaaS), bring the same promise, but hide the same concerns. Obsolescence and hygiene aren’t issues for SaaS, but security and compliance certainly do. SaaS administrators, tasked with rapidly enabling the business, rarely understand cybersecurity or receive adequate security training before taking responsibility for an internet-facing application. PaaS platforms partially mitigate risks of obsolescence and hygiene by wrapping the lower tiers of an application into a service but do nothing to manage the health of the custom code itself. An unpatched, unmonitored Ruby on Rails installation running on overprovisioned workloads, could easily bring the house down upon you.

Like Dorothy, Lion, Scarecrow and Tin Man learned (the hard way), you can’t wish your way to a better world. It takes a strong will, uncommon courage, pragmatic intelligence to successfully walk the road, learning lessons along the way. Migrating to the cloud holds tremendous promise – speed, agility, strategic enablement – but only if you take the time to understand the trade-offs and take full advantage of the opportunity.

About the Author

Craig Burland is CISO of Inversion6. Craig brings decades of pertinent industry experience to Inversion6, including his most recent role leading information security operations for a Fortune 200 Company. He is also a former Technical Co-Chair of the Northeast Ohio Cyber Consortium and a former Customer Advisory Board Member for Solutionary MSSP, NTT Globhttp://www.inversion6.comal Security, and Oracle Web Center. Craig can be reached online at LinkedIn  and at our company website http://www.inversion6.com.