In the past few years, with the rise of mobile devices and the need to access all services from anywhere on any type of device, organizations have been leveraging cloud providers to host more and more services, seeking to optimize both cost and availability. It seems like the obvious way forward for most organizations is to partially move to the cloud while maintaining their current on-premises infrastructure (a hybrid environment), or to move to the cloud completely.
Moving to the cloud has many advantages. Employees can access their documents and work with their everyday apps (e.g., Office suite, specific business software) from virtually anywhere, using any computer or mobile device securely, easily, and transparently. IT personnel also clearly benefit from having a unique console to administrate pretty much everything while not having to deal anymore with back-end systems, either virtual or running on actual physical machines. Instead, this burden/responsibility is passed to the provider, which has more capacity to guarantee service availability.
However, moving from a local, wall-guarded, on-premises infrastructure and expanding into the cloud obviously brings new scenarios that need to be carefully addressed to achieve a successful and transparent transition – starting with usability (how and where corporate services and data will be reachable), security (ensuring said data is secured as well as it was on the inside), and management (ensuring IT personnel are up to speed and have the right tools to supervise the infrastructure as a whole, local or cloud).
The first point to consider is education and training. Your security as a whole is predicated on your employees and end users. As individuals, they are your weakest link, but empowering them with knowledge and training can turn them into your first line of defense. This starts with your IT personnel who will obviously need to be trained accordingly on the new cloud solution(s) your organization will use. Although their job might be greatly simplified by not having to deal directly with back-end systems, your IT personnel still need to be upskilled and properly trained as to how these new cloud services work and are managed.
Then the rest of your employees, whether they have a technical background or not, need to be educated and guided through the transition to make sure they understand what the new workflow involves (e.g., storing and sharing documents) and how this will be different from their usual everyday end-user experience. Their understanding, not only of the ins and outs but also of the immediate advantages for them, will help gain their acceptance, which is key to a successful transition.
The second point to take into consideration is the security of corporate data. So far, most of the data has been hosted and stored internally, on physical or virtual back-end systems belonging to and managed by the organization. Other data included documents that would reside only on the employees’ corporate-owned computer, without any backup or synchronization. When moving to the cloud, said data and documents will be stored externally, on back-end systems provided and managed by a third-party provider, so it is important to confirm data residency: that data will be stored, if not in the same country, at least in the same region (e.g., EU, APAC). While this is mandatory for public and regulated companies, it is also critical for many other organizations.
All corporate documents must be stored on the provider’s enterprise storage (e.g., OneDrive for Microsoft 365) to ensure both the security of the data and an improved end-user experience when collaborating with colleagues. Storing documents locally, as well as sending entire documents by email, should be discouraged in favor of using the full potential of collaborative software. This will certainly take some time and education to get all employees to adopt this new workflow when dealing with documents, but it will come naturally once they see the benefit of it. In cases where documents are still stored locally, for example local copies of synced documents, it is recommended to use a complementary Data Loss Prevention (DLP) solution to detect and prevent potential loss or unauthorized exfiltration of said documents.
The third point to consider is who will be able to access said data and services, and how. When moving to the cloud, corporate data becomes virtually reachable by anyone with an Internet connection, without needing to be physically at the office, on the local network, or connected to it remotely through a Virtual Private Network (VPN) connection. Note that this does not mean that anyone can access your data, as there are of course many security mechanisms in place to ensure only the right person, from the right location and device, can access specific data with the minimum permission required, according to the Principle of Least Privilege. This is achieved by deploying a Zero Trust architecture, which relies on five pillars: identity, device, network, application, and data.
Employee identity is validated by an Identity and Access Management (IAM) solution, which first authenticates them, possibly with additional challenges such as Multi-Factor Authentication (MFA) for improved security. This can also be combined with Conditional Access to ensure employees are accessing corporate data from a trusted device, such as a corporate or personal computer that is managed by a UEM solution and kept secure (e.g., using a Mobile Threat Defense (MTD) solution), and that they are connecting from a known and/or trusted location. If all checks are green, then employees are authorized to access the requested resources or services, with the level of permissions defined by corporate policy.
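To make the access decision described above concrete, here is an added example of a small Conditional Access evaluator. It is not code from ISEC7 or from any IAM product; the request fields (authenticated, MFA satisfied, UEM-managed, compliant, source country), the policy shape and the sample requests are all assumptions constructed for this illustration. It walks the pillars in order (identity, device, network, application) and fails closed: any failing check denies, and only a fully green request receives the least-privilege role defined for the resource.

```python
"""Illustrative Zero Trust / Conditional Access decision evaluator.

Added example: the data model and sample values below are assumptions
made for this illustration, not the API of any real IAM or UEM product.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class AccessRequest:
    user: str
    authenticated: bool        # primary credential verified by the IAM
    mfa_satisfied: bool        # an MFA challenge was completed this session
    device_managed: bool       # device is enrolled in the UEM
    device_compliant: bool     # UEM/MTD posture report is healthy
    source_country: str        # geolocated origin of the connection
    resource: str              # application or data set being requested


@dataclass
class Policy:
    trusted_countries: Set[str]
    resource_roles: Dict[str, str]   # resource -> least-privilege role granted
    mfa_required_for: Set[str]       # resources that always require MFA


@dataclass
class Decision:
    allow: bool
    role: Optional[str] = None
    reasons: List[str] = field(default_factory=list)


def evaluate(req: AccessRequest, policy: Policy) -> Decision:
    """Apply the checks in pillar order; any failing check denies (fail closed)."""
    reasons: List[str] = []

    # Identity pillar: authentication, plus MFA where the resource demands it.
    if not req.authenticated:
        reasons.append("identity: authentication failed")
    if req.resource in policy.mfa_required_for and not req.mfa_satisfied:
        reasons.append("identity: MFA required but not satisfied")

    # Device pillar: must be UEM-managed and reported compliant.
    if not req.device_managed:
        reasons.append("device: not managed by UEM")
    elif not req.device_compliant:
        reasons.append("device: managed but non-compliant (UEM/MTD posture)")

    # Network pillar: connection must originate from a known/trusted location.
    if req.source_country not in policy.trusted_countries:
        reasons.append(f"network: untrusted location {req.source_country}")

    # Application/data pillar: the resource must have an explicit role mapping.
    if req.resource not in policy.resource_roles:
        reasons.append(f"application: no policy defined for {req.resource}")

    if reasons:
        return Decision(allow=False, reasons=reasons)
    return Decision(allow=True, role=policy.resource_roles[req.resource],
                    reasons=["all checks passed"])


def sample_policy() -> Policy:
    """Constructed policy values for the example (assumptions)."""
    return Policy(
        trusted_countries={"DE", "FR", "US"},
        resource_roles={"finance-reports": "finance-reader",
                        "intranet": "employee"},
        mfa_required_for={"finance-reports"},
    )


def sample_requests() -> Dict[str, AccessRequest]:
    """Constructed requests covering a green path and typical failures."""
    return {
        "green": AccessRequest("alice", True, True, True, True, "DE", "finance-reports"),
        "unmanaged": AccessRequest("bob", True, True, False, False, "DE", "finance-reports"),
        "no_mfa": AccessRequest("carol", True, False, True, True, "FR", "finance-reports"),
        "bad_location": AccessRequest("dave", True, True, True, True, "XX", "intranet"),
    }


if __name__ == "__main__":
    policy = sample_policy()
    for name, req in sample_requests().items():
        d = evaluate(req, policy)
        print(f"{name:13} allow={d.allow} role={d.role} reasons={d.reasons}")
```

The order of checks mirrors the text: identity first, then device posture, then location, and only then the application and data permission. Returning every failed reason rather than the first one makes the denial auditable, which is what an operations team needs when tuning such a policy.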
The final point to think about is supervision. You may think, with back-end systems under the responsibility of your provider, why bother monitoring them at all? Well, your ecosystem is more than just your datacenter, and you might want to be able to detect any service degradation and interruption before your employees, whether they are using on-premises or cloud-based services (or a mix of both). This can be achieved using state-of-the-art Security Information and Event Management (SIEM) solutions like ISEC7 Sphere, which allows you to manage and supervise mobile users, endpoints and assets on both on-premises and cloud-based infrastructures, easily and transparently, through a single pane of glass.
As you consider your organization’s infrastructure and possibilities in moving to the cloud, do not hesitate to contact the team at ISEC7. ISEC7 has worked extensively with organizations large and small in both the private and public sector to enhance their security posture and fortify their ecosystems through the industry best practices, a curated product suite, and most importantly training. Please reach out to the team at ISEC7, and we can complete a security assessment and help you navigate the options available to you to help strengthen and protect your infrastructure.
(C) Rémi Frédéric Keusseyan, Global Head of Training, ISEC7 Group