For all the hype about moving to the cloud, many applications have specific business and performance requirements that will prevent most companies from moving their entire operations to the cloud in the near future – relegating them to a long-term hybrid cloud setup that brings its own implications for the company’s information security posture.
“Getting to the cloud is the beginning of the journey, not the end,” explained Dan Cox, chief technology officer with major systems integrator Interactive.
“In our experience, no decent sized organisation is all-in on cloud, and often ‘cloud’ is a plural,” he said. “You can be in cloud, but it would be in multiple clouds.”
The shift to a hybrid cloud environment – which requires a consistent security model to be deployed across both on-premises and cloud-based applications and data stores – changes a company’s attack surface and responsibility matrix significantly, Cox said, adding that consuming more as-a-service offerings “is a great method of improving your security posture.”
Adopting cloud-native security tools can reduce the complexity that IT teams end up being responsible for, he explained, providing “a much leaner attack surface and quite a sophisticated posture straight out of the box.”
Yet with performance, availability, sovereignty or other requirements meaning that many legacy apps still aren’t quite ready to be moved to the cloud, Cox said, companies must also be ready to build “mitigating” security controls by implementing a complementary security product, or isolating the legacy application.
The key to successfully securing a hybrid cloud environment lies in approaching the migration with the results of a clear baseline assessment that inventories all required apps, data sources, and security and governance requirements.
Managed service providers like Interactive help companies plan and undertake such assessments on a regular basis, taking just a few weeks to inventory and triage individual projects as easy, intermediate, and hard – then “fixing the foundations” with easy projects before moving on to more complicated intermediate and hard elements.
Yet ambition and governance are only part of a successful migration: with many companies winding back budgets, Cox said transformation teams need to get creative about the way they utilise existing systems so they can free up budget to embrace new, game-changing technologies like AI.
Maximising existing investments “could mean optimising consumption and turning off spare resources, or consolidating tools and software products into a single ecosystem or a single vendor,” Cox said.
“Particularly as you get into the cloud ecosystems, there are lots of levers you can pull to create budget that you ultimately reinvest – so you come out with the same total investment, but with more value to the organisation or a hardened business at the end of it.”