In the post “The Basics of Controls,” you read about different types of controls. Before you can do anything with all that knowledge, you need to understand where you’re going to apply those controls. We apply them, of course, to our environments.
We use the term environments to mean three things, each of which has different cybersecurity and privacy needs. I will list them here briefly, and then we’ll take a closer look at each environment in turn.
- Computing Environments. There are four basic types:
  - On-premises (in other words, the servers are under your direct control, literally in your office);
  - Private cloud (the servers are elsewhere, but you still control them, as in, they live in someone else’s building, but you have the only key to your own private office in that building);
  - Public cloud (the servers are in someone else’s office, many people have keys to that building, and you don’t have a private office there); and
  - Hybrid cloud (the servers are all over the place; some are in your private office, some are elsewhere).
- The Internet of Things (IoT). For our purposes here, IoT means every device that is connected to the Internet, regardless of its location or function—from nanny cams to SCADA (supervisory control and data acquisition) systems. If it’s not part of our standard endpoint definition (computers, phones, tablets, etc.) but it’s connected to the Internet, then it’s IoT.
- Distributed Workforces. Where are your employees located when they work? In the office? At home? On the road? Or increasingly, a mix of all three?
This is a whole lot to think about, and if your head is already spinning, we don’t blame you! Let’s set IoT and Distributed Workforces aside for now, and we’ll attack those issues in separate posts. For now, let’s focus on types of computing environments.
If security were all that mattered, computers would never be turned on, let alone hooked into a network with literally millions of potential intruders.
On-Premises Computing Environments
Most people are familiar with an on-premises computing environment. Depending on company size, this is basically your typical business office with a server room. These server rooms range in size from a cramped, dusty closet to a large, air-conditioned, fireproofed data center. The commonality is that the server room is in the same physical space where the information technology services are being consumed. That said, a larger company with multiple buildings is still considered to have an on-premises environment if it houses its data center in one of its own buildings, despite distributing the services to multiple others, potentially across cities and countries.
On-premises environments afford you total control. You control access, you control what equipment is deployed, what software is installed, how the infrastructure is monitored, and so forth. It’s all yours, no questions asked. If you want to decommission a server, you go right ahead. If you want to install a new firewall, knock yourself out! If you want to let your six-year-old kid bike around the environmentally controlled room, you can do that, too.
Of course, total control comes with the corresponding price tag. More than just dollars, euros, or yen, the price tag also reflects the responsibility of maintaining this infrastructure from an IT point of view (installations, management, maintenance, end-of-life considerations, etc.) and, of course, protecting it.
Ay, there’s the rub! Yes, you have total control over how you protect the equipment, and as such you can be sure that it is always safe and sound, with the best and most appropriate controls at all times. But on the other hand, you’re paying for all this infrastructure and the associated headaches—including the likelihood of underutilizing your technology during a downturn, not to mention the challenges of scaling it up during a rapid growth cycle.
If you’re a businessperson, you’ll loathe both the expense and the rigidity. If you’re a cybersecurity professional, you’ll probably love it. But if you’re an IT professional with vision—one who recognizes that you always need to align technology with business goals—then you will always recommend that any choices about IT architecture align with business goals as much as possible, even if that means you’ll miss looking at the blinking green lights in your server room.
Private Cloud Computing Environments
Whatever its downsides (and there are more than a few), an on-premises computing environment does provide IT and cybersecurity professionals with lots of something they simply adore: control! Once you switch to cloud environments, that control starts to fade away, and that can make some IT and cyber folks nervous. One of the ways to talk a cybersecurity professional off the ledge when you’re discussing the cloud is to promise that you’ll be moving the IT infrastructure into a private cloud. What that means is the infrastructure will at least be located inside a dedicated, secure, access-controlled, and likely ISO-certified data center, and only you and your team will have access to it.
Private clouds try to deliver the benefits of scalability and on-demand provisioning of a public cloud solution while maintaining the sense of ownership and control of an on-site architecture. In other words, private clouds attempt to deliver the public cloud advantages, but they do so in an exclusive way for your organization. You are still responsible for maintaining the resulting IT services footprint, just as you are responsible for protecting it, but now you have the advantage of not actually owning the infrastructure. You are, in essence, leasing on demand whatever it is you need at any time. You can provision and deprovision as much and as often as you like, thereby gaining the flexibility that on-premises infrastructure denies, while maintaining the tight control that a highly secure or mission-critical infrastructure demands.
It is important to note here that you should not think of a private cloud infrastructure as a bunch of dedicated physical computers. Although that may be a possibility, it is unlikely. The probability is that your private cloud solution will be virtually delivered to your company just as with a public cloud but with one key difference: The delivery of this infrastructure-as-a-service is done through proprietary, dedicated, single-tenant “pipes,” in essence creating a physical separation tenant to tenant.
When you’re running a private cloud, much like running your own on-premises infrastructure, you are entirely responsible for your private cloud’s security needs. It’s all you. Essentially, what you have gained is the flexibility of cloud infrastructure-as-a-service and perhaps software-as-a-service, while you have retained total control over cybersecurity. If that’s worth it to you, then great! But again, the answer lies in aligning business goals with IT value delivery, and nowhere else. If that alignment results in a private cloud implementation, then cybersecurity will step up to the plate and protect it.
The catch is, of course, that any cloud choice, private, public, or hybrid, will introduce cybersecurity considerations beyond those of an on-premises infrastructure. For example, before you even contemplate procuring the service, you’ll need to make sure that the provider of your private cloud is in compliance with several standards. These include all the usual suspects, such as CSA STAR, HIPAA, ISO27001, PCI-DSS, SAS-70, SOC-3, and TRUSTe. If you must pick only one certification, you should pick the Cloud Security Alliance’s STAR certification (it integrates ISO27001 with their own Cloud Controls Matrix, the CCM). CSA STAR comes in three flavors: a level one self-attestation, a level two certification, and the in-development level three continuous monitoring implementation. Once you have that, you can investigate additional requirements such as Privacy Shield (if you’re concerned with the European Union’s General Data Protection Regulation [GDPR], which you should be), PCI, or HIPAA.
Public Cloud Computing Environments
The very idea of a public cloud makes most cybersecurity professionals hyperventilate. Sure, there are tons of certifications, the marketplace is maturing, there are appropriate controls, and so on and so forth, but we’re talking risk-minded computer scientists. No matter what you say, for them the risk is just too much. Why is it too much? Because we’re not a trusting folk! In a public cloud, cybersecurity is the responsibility of the provider, and simply put, we don’t trust them. Some will call this paranoid and inappropriate. We call it prudent.
So how can we all get along here? First of all, make sure you fully understand the provider’s policies and controls across several key variables and with privacy being a top driver: What are their privacy policies? Where are they compliant and where are they not? What are the issues with global data flow? And what is their transparency policy?
You should insist that your cloud-solution provider be able to articulate, demonstrate, and make available to you for audit-on-demand their security strategy, their controls, their business continuity and disaster recovery plans, staffing expertise and security clearances (including background check policies), staff training and certifications, cloud facility certifications and past audit results, their incident response plan, and communications policies. If they comply, then we’re good. If they don’t, then the risk is yours to accept or not.
But what is that risk?
There are a few. If you don’t know how your data is protected, then you may also not know if it has been stolen or altered until it is too late. Or since you’re in a public cloud, an attacker may be targeting your “roommate” and trash your servers in the process. Or imagine that another tenant is hacked, but the landlord chooses not to communicate this fact to you (or anyone else), because it is not in their best interest to expose the breach. And so on and so forth.
There are also serious technical considerations that you will need assurances on: issues such as co-tenancy, parallel processing, and process-memory segregation. We don’t need to get into the weeds with this stuff here—that’s why you should retain a cloud security certified professional. Suffice it to say that since everyone is in the same pool, you want to make sure that if the kid in the corner has an accident, you don’t end up swimming in it!
Hybrid Cloud Computing Environments
You already have a hybrid cloud, even though you may not be formally acknowledging it. How do I know? Well, I think I’m safe in assuming that everyone in your organization has some sort of a smartphone or tablet. If so, they are already using the cloud whether you like it or not. All these devices typically connect to the cloud for backup and storage. If your users are using these for corporate email, it is possible that those messages are stored in the cloud. Of course, one can apply strict controls to all this, but then you’re starting a war you can’t win: the war with Shadow IT.
Shadow IT is defined as any information technology solution employed by your users that is neither approved nor maintained by your IT department. Shadow IT frequently results from user frustration with the rigidity of IT and their approved solutions. In search of speed, efficiency, or simple convenience, users will open up a Dropbox account, or use a work or private email address to bypass whatever organizational controls they perceive as onerous.
Smart organizations recognize this and get in front of it by training the users and allowing some (if not all) of the flexibility that this “IT on demand” allows. It’s all about training and control. To the degree that the users understand the risk and the implications, and to the degree that appropriate controls are in place, let them go forth and conquer! Who knows? They may discover a solution that disrupts the company for the better, and that solution will become the adopted standard. But they can also discover the pits of hell, which is why the controls exist so that only a few users get scorched and the organization as a whole remains unharmed.
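The controls the paragraph above refers to need something to act on, and the cheapest signal most organizations already have is the web-proxy log. The following is an added example, not code from the original post: it reads constructed proxy log lines, compares each destination host against an allow-list of IT-sanctioned services and a catalogue of well-known consumer cloud services, and summarizes unsanctioned use per service (which users, how much data left). The log format, the domain lists, the usernames and the byte counts are all constructed for illustration and are not from the post.

```python
"""
Added example (not from the original post): surface "Shadow IT" by matching
web-proxy destinations against an allow-list of sanctioned services and a
catalogue of consumer cloud services users commonly adopt on their own.
All domains, users and log lines below are constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed allow-list: services IT has approved and maintains.
SANCTIONED_DOMAINS = {
    "mail.example-corp.com",
    "sharepoint.example-corp.com",
    "sharing.approved-vendor.example",
}

# Constructed catalogue of consumer cloud services, keyed by domain suffix.
# A host matches if it equals the suffix or is a subdomain of it.
KNOWN_CLOUD_SERVICES = {
    "dropbox.com": "file sharing",
    "drive.google.com": "file sharing",
    "wetransfer.com": "file sharing",
    "trello.com": "project tracking",
    "mail.google.com": "personal email",
}

# Constructed log format: "<timestamp> <user> <method> <host> <bytes_out>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")

SAMPLE_LOG = """\
2024-05-01T09:01:12Z alice GET mail.example-corp.com 1200
2024-05-01T09:02:40Z bob POST www.dropbox.com 5242880
2024-05-01T09:03:05Z carol GET sharepoint.example-corp.com 800
2024-05-01T09:04:17Z bob POST www.dropbox.com 7340032
2024-05-01T09:05:49Z dave GET trello.com 3100
2024-05-01T09:06:02Z erin POST mail.google.com 900
2024-05-01T09:07:33Z alice GET news.example.org 4400
this line is malformed and must be skipped
"""


def classify_host(host):
    """Return (kind, service): kind is 'sanctioned', 'shadow_it' or 'other'."""
    if host in SANCTIONED_DOMAINS:
        return "sanctioned", host
    for suffix in KNOWN_CLOUD_SERVICES:
        if host == suffix or host.endswith("." + suffix):
            return "shadow_it", suffix
    return "other", host


def find_shadow_it(log_text):
    """Aggregate unsanctioned cloud use per service.

    Returns {service: {"category": str, "users": set, "bytes_out": int}}.
    Malformed lines are skipped rather than aborting the whole run.
    """
    findings = defaultdict(lambda: {"category": "", "users": set(), "bytes_out": 0})
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        _ts, user, _method, host, bytes_out = match.groups()
        kind, service = classify_host(host)
        if kind != "shadow_it":
            continue
        record = findings[service]
        record["category"] = KNOWN_CLOUD_SERVICES[service]
        record["users"].add(user)
        record["bytes_out"] += int(bytes_out)
    return dict(findings)


def summarize(findings):
    """Order services by data volume leaving the network, largest first."""
    rows = [
        (service, rec["category"], sorted(rec["users"]), rec["bytes_out"])
        for service, rec in findings.items()
    ]
    return sorted(rows, key=lambda row: row[3], reverse=True)


if __name__ == "__main__":
    for service, category, users, bytes_out in summarize(find_shadow_it(SAMPLE_LOG)):
        print(f"{service:18} {category:17} users={','.join(users):12} bytes_out={bytes_out}")
```

The output is a review list, not a block list: the post’s point is that some of these services may turn out to be the better solution and become the adopted standard, so the next step is a conversation with the users, and a decision on whether the service joins `SANCTIONED_DOMAINS` or gets a control placed in front of it.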
This brings us to the more conscious choice of a hybrid-cloud solution. The typical scenario is one in which a set of applications cannot be delivered over the cloud, requiring local infrastructure, while other sets can. Equally common is to see an on-premises private cloud–public cloud deployment.
That’s the ultimate hybrid. What does that look like? You have a set of applications that must be on-premises (let’s say, for example, your accounting system). You have a data application that you need to scale on demand, and that’s on a private cloud. You also have the company email coming from a public-cloud provider. There you go. Full-bore hybrid!
The security considerations, of course, don’t change much. But they are additive. You need to make sure that each one of these environments is addressed properly, has its own cybersecurity strategy and controls, and is assessed regularly. You know all about the on-premises requirements, and now you have some sense of what you need to look at for both public and private clouds. Put them all in the mix, and you’ve got yourself the hybrid-cloud cybersecurity considerations.
As you’re starting down your cybersecurity journey, one or more cloud solutions will already be in place. That means we are looking at not just a business due diligence exercise, but an asset discovery one as well. There’s data up in those clouds! And you need to discover it and treat it like the valuable asset it is.