Do Organizational Changes Improve Cloud Security?

Over the past few months, I have had the opportunity to talk with a wide range of customers and prospects about their public and private cloud initiatives. Two common themes have arisen from these conversations. The first is that, while there is significant interest in leveraging the public cloud (Amazon Web Services and Azure in particular), there are many questions that still need to be answered. The second and more interesting theme was how organizational changes and an increased focus on DevOps can help improve cloud security.

Here’s why.

While participating in a cloud–focused roundtable with 30 or so CIOs/CISOs, I heard about how organizations are looking to move to the public cloud, what some of the concerns are, and how some are addressing them. The public cloud use cases I heard are primarily internal applications or those that present lower risk. One example was an internal, process-intensive forecasting tool that took days to run. In AWS, they can scale the CPU cycles up and run the application in a matter of hours – a perfect use of the public cloud. In other conversations, all internal application development is moved to the cloud, and separate resources are applied to development, testing, and production. Another way to look at it is that users are taking a cautious approach to testing the public cloud waters.

Most of the 90-minute conversation we had at the roundtable centered on risks and how to manage them. One participant was working to set up a process by which security, networking, and server teams would work together to decide which apps to move to the cloud. As part of the process, he was developing a set of criteria that would be used to decide if the associated data was cloud-worthy.

A second, significant conversation centered on documentation, and who should sign off on what is moved to the cloud. The feeling from most everyone was that most of the exec team should be aware of the efforts and associated risks – some food for thought there.

At both the roundtable and some of my customer engagements, I have been asking how users are managing the dynamics of security, networking and server/development teams. The answers vary widely. Some users admit they are managing it poorly: the groups operate in silos and security is deemed a bottleneck. To break down the walls, one user began holding social functions to bring the groups together with the premise being “get to know your co-worker.” The goal here is that, if they have some familiarity with each other, they may work more efficiently together. At least four of the other users I spoke with had taken the dramatic step of reorganizing the teams so they are working hand in hand. In addition to reorganizing, several took an additional step of offering and encouraging outside education as a means of expanding their skill set. This last step not only provides confidence in the uncertain times of reorganization but also enhances the user’s career – a win on both sides in many cases.

A final observation is that DevOps teams have become more engaged in the effort to include network security in their development efforts, and not just in their coding practices. In this case, network security is being baked into the application as it is developed through the use of tags and APIs.

These elements enable automation, a key tenant in the move towards cloud-first/cloud-ready development efforts. As new application workloads are added, tags assigned to the workloads can be used to automatically add the workload to the security policy. The result is security that keeps pace with the business.

The takeaways from these conversations were that organizations are moving to the public cloud in the right way: with an eye toward benefiting the business and an appropriate level of caution.

What are you doing to bring these teams together in your organization? Leave a comment and let me know.