I think a lot of us are familiar with “honey-do” lists: small chores and stuff we have to do around the house. Most of it we know how to do, or a quick YouTube video can show us the way. But what if you came home one day and your spouse or partner turned to you and said, “Honey, I want to be more fuel-efficient. I need you to build me a hybrid car – or better yet, build me a fully electric car.”
That’s kind of how it feels when your boss walks in and asks you to shift part or all of your company’s infrastructure to the cloud.
When we are tasked with something monumental that we don’t fully understand, like a cloud migration, it can be overwhelming. Most organizations end up doing what is referred to as a “lift and shift” of their environment. That is, they try to re-create the infrastructure in the cloud exactly as they have it on-premises or in co-location (co-lo). This can be like fitting a round peg in a square hole: If you push hard enough, it will fit, but it isn’t going to look right, and it will leave gaps. In the case of a lift and shift, this can leave security holes, lead to inefficient processes and increase the costs of running your environment by running extra infrastructure.
Instead, you need to re-engineer your architecture to match the best practices of your chosen public cloud provider. Learning those best practices comes with experience, time and education. To gain experience, you have to spend the time, but I can give you a headstart on the education piece.
What’s the Best Way to Secure the Cloud?
“Through 2025, 99% of cloud security failures will be the customer’s fault.” – Gartner
How do you avoid the Gartner prediction so that you do not become part of this statistic? First, you need to understand the public cloud and how to secure it.
The statistic doesn’t mean that there will be a bunch of angry employees running around causing chaos. It refers to a lack of knowledge of how to properly build and secure a cloud environment. Companies need to understand that employees want to do their jobs well and want to be proud of what they are building. But it’s difficult to accomplish a cloud migration without the know-how or the tools to get the job done.
There are many ways to approach these issues. Two that I think are critical to success involve leveraging culture and tools.
Many people focus on educational programs themselves – classes, certifications, etc. I don’t think that is the most important piece to put in place, though – people can breeze through online classes, learn the bare minimum and get the certifications. But what have they actually learned and how do they apply that?
The most important thing a company can do is to promote a culture of education. Make everyone feel comfortable not knowing everything. Too often, companies expect employees to be experts in everything, then turn around and complain about industry skills shortages when that isn’t the case. Employees can all work together to learn the needed skills, embrace education and be patient while everyone is learning. When companies create a cloud native strategy, it is incredibly important to have education be part of that strategy.
The best way to learn is hands-on training in conjunction with toolsets that help guide you through the process. This idea brings me to my second critical educational component: having the right tools.
The learning process can be tough enough, and trial and error can be dangerous for a company making the transition to the cloud. Having a set of tools that will tell you whether or not you are building your infrastructure and configuring everything correctly can be a huge weight off your shoulders.
If you are using infrastructure-as-code (IaC), you need a comprehensive tool that can check for misconfigurations while you build directly in your integrated development environment (IDE). The same applies if you are building an application using containers: You want a tool to automatically check for known vulnerabilities, and to help check that each container is meeting compliance standards before it goes live.
Of course, not everyone has access to IaC or containers and has to build things as they go. In that case, you need a toolset that provides asset inventory, audit logs, configuration monitoring and usability in run time that can alert you while you build.
Having alert information gives you peace of mind that everything you’ve built is meeting security standards. And if you do get an alert, you know exactly what you did incorrectly and can make adjustments. We all use email, Slack or Teams, or maybe some ticketing software. Having alerts pop up in those systems while you are building can keep risk down to a minimum.
It’s like cooking: If you clean up as you go, there is much less to do when you’re done. However, if you leave it all till the end, you will be cleaning the kitchen for as long as it took you to cook dinner. The metaphor holds for building software: You never want to build in technical debt. In a world where threat actors are constantly on the move, you have to be vigilant.
Ensuring Success in the Cloud
We want you to be able to do the equivalent of building that hypothetical electric car, to tackle the most intimidating projects and be successful. Make sure you are getting the education you need and that you are being supported along the way. Push for the right tools that can help you to accomplish these monumental tasks every day without wasting your time.
For an in-depth discussion on how to use these tools and how to integrate them into your cloud native strategy, check out our virtual summit on-demand, Cloud Native Security Live.