Chris Abramson, Senior Director of Cloud Security Engineering at Walgreens, and 20-year IT industry veteran shares what he learned from shifting from on-prem to Microsoft’s Azure Cloud on this week’s Reimagining Cyber episode, “Journey to securing the Cloud.”
Abramson recommends adapting your strategy to your new environment. In on-prem, it’s all about firewalls and technology that’s wrapped around an environment, but in the Cloud, it’s how things communicate with each other, he cautions.
By changing your thought process about how to work in this new environment, you’ll be able to better secure it. When changing IT infrastructures, security can get lost in the shuffle. To mitigate this, Abramson worked in lockstep with his Cloud Center of Excellence (COE), building security directly into the deployment model.
Security issues aren’t being discovered after the fact. Teams hit them as they come upon them, enabling them to make changes on the fly and deploy the appropriate fixes with the least amount of security risk in the environment.By checking out industry forums and CVE data on vulnerabilities in the Cloud that have been made public, learning from peers that have already been through it is key. This enables companies to bake the correct actions into the new Cloud environment.
Abramson recommends working in lockstep with other teams, for example, deployment teams and security, to prevent any issues and enable reacting quickly when something happens.
As the Cloud space evolves, so will the software development, deployment, and security space to adapt to the ever-changing Cloud environment. Many companies purchase software from a third party, embed it into their software, which gets embedded into yet another software. Enter the Russian Doll Syndrome.
“[You’ve] got to think about software that you're buying from a third party. That now also embedded software from another third party, that likely embeds software from another third party. That's the Russian Doll Syndrome.”
Abramson recommends considering how you’re connecting and the level of software integration to determine the level of risk. He also recommends implementing a strong vendor management program.
Encrypting data offers its own challenges and isn’t always possible, but where it can be done, Abramson wholeheartedly recommends doing it.
“Wrapping environments in a model that doesn't allow access to, or very limited access to, it's kind of, I'll call it the vaulted environment, you know, the no ability to touch, change, maneuver through or ingress or egress without somebody watching you do it. That stuff, it's expensive, and it's highly operational because there's a lot of eyeballs having to do that.”
Encryption is the quickest and easiest way to protect your data, Abramson says. Abramson recommends partnering closely with the business and IT sides of the house to determine the best way to protect sensitive workloads shifting to the cloud and mitigating data exposure and privacy compliance risks. Sometimes, encryption just isn’t an option. In these cases, Abramson recommends bringing your own encryption keys and avoid reliance on key services provided by Cloud Service Providers (CSPs).
Follow or subscribe to the show on your preferred podcast platform.
Share the show with others in the cybersecurity world.
Get in touch via reimaginingcyber@gmail.com