In a recent post on leading customers to a secure cloud experience, I warned about holding fast to traditional IT roles and positions of control, because cloud security was sure to take them out of their comfort zone. In the new episode of Microsoft IT's Expedition to the Cloud video series, principal program manager, Rob Polly, talks frankly about the good and the bad when it comes to security in the new enterprise cloud.
As a 17-year Microsoft veteran, Rob has led a team of security experts through their own transformation, experimenting with the latest and greatest innovations and deploying new technology here at Microsoft. In turn, Microsoft IT helps my team understand solutions with an enterprise perspective.
Basic security practices such as configuration management, patch compliance, and anti-malware software administration continue to be necessary. But we can no longer depend on such a linear approach to security. As several access points now sit in someone else's data center, IT doesn't have access to every server that requires protection and must become comfortable in delegating some of those security responsibilities.
The new security partnership
As roles and responsibilities become distributed, enterprise cloud security must become a partnership. This partnership takes into account the cloud service providers' capabilities and services and the security stance they take. It considers the platform, which may be distributed but still overseen by central IT. On top of that, you still have the regulatory requirements for security and privacy, such as the General Data Protection Regulation (GDPR). It's not enough to apply physical network topologies and monitoring appliances in the same way as was done on-premises.
Enterprise cloud security takes into account the DevOps teams as they build the application services. For example, the cloud uses a self-service procurement model, so enforcing application security reviews before enabling a production deployment is no longer possible. To make sure security is integrated into the daily development process, Microsoft has developed a Secure DevOps Kit for Azure, which provides a simpler, more structured and consistent security environment in the Azure app infrastructure.
These tools in the DevOps Kit feature:
- Security IntelliSense with secure coding guidelines and corrections
- Security verification tests to verify built-in controls for common services
- Built-in release tasks for continuous integration and automated deployment
- The Continuous Assurance Tool to keep you current with Azure security improvements
- Adherence to best practices such as key rotation and separation of duties
- A central dashboard for alerting and monitoring
New roles call for a new mindset
With 20 years of legacy datacenter experience, we truly understand how this all changes in the cloud. Microsoft IT calls it the cloud security mindset, supporting the democratization of infrastructure, application deployment, and management and security capabilities.
According to Rob, this is often a situation where it's better to take your hands off the wheel and let someone else steer because they are more efficient. So, all teams that are part of the security equation - IT service teams, service providers, and DevOps teams - must be enabled with the tools and guidance to monitor and be your first responders.
Yet another way the cloud can improve an enterprise's security posture is by deploying apps to the cloud as pre-configured infrastructure as a service (IaaS) virtual machines, and automating the patching and updating processes to keep the environment up to date and compliant.
The bottom line is that there are so many threats that an organization can actually be much safer in the cloud than on-premises. In the cloud you can share responsibilities, with cloud service providers, application services, and central IT each owning their piece. Plus, in a cloud environment you have a better picture of your attack surface because when you get billed for everything you use, you are more likely to understand everything you have.
What are your thoughts on the rapidly changing security landscape? Share your own experiences about building an enterprise cloud security position below and participate in MPC's Security AMA here!