Move To Cloud: Governance Is The Pillar Of A Controlled Strategy


While the benefits of the Cloud are no longer in doubt, companies must understand the migration path well. The challenges are multiple, starting with data security, which first requires a clear governance strategy to avoid the many risks associated with outsourcing resources.

Repercussions of the Covid pandemic, generalization of the use of teleworking, access to the latest technologies and innovations… Whatever the reason given, the use of Cloud computing has dramatically accelerated in French companies in recent years. Moreover, economic consideration is no longer the only factor leading to this transition! 

Indeed, the advantages are numerous: flexibility, faster processes for resource management and application development, and access to the latest innovations are all incentives for moving to the Cloud, in whole or in part. We could add more efficient collaboration or even a specific environmental sensitivity.

Cloud Adoption Drives Cascading Critical Changes

It is now expected that an increasing number of companies are migrating certain essential and even strategic resources. This is one of the signs of confidence in the providers’ Cloud offerings, but it is also accompanied by a multitude of daily changes in the conduct of operations, whether in terms of security, IT infrastructure, architecture, or operational functions.

In this case, the use of Cloud resources transforms not only the way of proceeding but also the processes and the distribution of tasks. Flexibility leads IT teams to adopt modern architectures, leading to a rapid multiplication of containers or micro-applications. The other side of the coin, which companies sometimes need to be made aware of, is that this considerably expands the attack surfaces.

The perimeter security paradigm is then called into question, including by resorting to DevOps models: by thinking in terms of functionalities, we sometimes end up neglecting the requirements in terms of performance or security. This is also evident in the trend of so-called “No Code” development, with ready-to-use libraries. While these are indeed practical, they also have the disadvantage of no longer forcing developers to be aware of the consequences in terms of security.

This represents a significant difference compared to the use of on-premises resources, which required developers to work within a limited budget and, therefore, necessarily with constraints in terms of performance and security! The challenges of these changes are, therefore, often structural but also involve the teams themselves. The Move To Cloud is not just a technological change: if the infrastructure and software dimensions are concerned, it also requires acquiring often very specialized human skills.

Managing Governance In StartUp Mode

The Cloud transition is, therefore, a global subject that must be approached with a fresh perspective and specific skills; this also explains why it is often new teams who take care of it. Security is not the only issue: other sensitive data must also benefit from a new approach. This is particularly the case with regard to banking (PCI DSS) or personal (GDPR) data.

It is also an opportunity for companies to adopt a transversal approach to general data governance. Indeed, the use of the Cloud has also transformed the way specific processes are managed, requiring the implementation of a revised policy. Concretely, identity and access management has become a fundamental concern because it differs significantly once outsourced. Its management is now closer to that of an application in its own right. It then requires expert precision to grant the proper rights to the right people in order to avoid significant risks.

The application of a tailor-made governance policy designed for the Cloud is therefore crucial, in particular so that it is not a simple copy and paste of historical operation and so that it immediately integrates the specificities of the Cloud. An agile and new approach, focused on the product and its execution, is therefore highly recommended.

The Main Risks To Anticipate In The Transition To The Cloud

An Unfounded Configuration Of Resources

This often results from a Move To Cloud project launched without first putting the usual good governance practices in place. The subject is all the more sensitive because the multiplication of entry points, in particular through numerous interfaces, amplifies it.

Non-Compliance With Norms And Standards

Implementing audit tools is a valuable first aid to system compliance. They make it possible to avoid the main pitfalls by preventing risks but also to comply as best as possible with current and future norms and standards (e.g., NIS 2).

The Constraint Of Legitimate Access To Data

Whether it is a data leak – as we have seen in a plethora of poorly secured S3 buckets – or the hijacking of accounts with privileged access, the implementation of appropriate governance becomes fundamental. In a cloud environment, access is distributed between a multitude of entities (service providers, employees, applications, etc.); the significant challenges then become adaptation to new connection constraints and account security.

The Consequences Of Multi-Cloud

Managing an infrastructure distributed across several Clouds can quickly become a headache for the CIO/CISO when it comes to applying a global policy. The use of specialized tools makes it possible to unify and harmonize the dissemination of these policies.

Lack Of Control Of Resources

The simplicity and flexibility provided by the Cloud, allowing functions to be launched on the fly, leads to a compelling need for visibility. Achieving this objective and controlling your environment (development, resources, network, etc.) requires the use of an IaC (Infrastructure as Code) approach. The aim is to protect resources within the Cloud and to benefit from a shared vision of these resources aligned with cybersecurity issues.

The Danger Of Data Overexposure

The ease and speed of deploying resources in the Cloud can also have serious negative consequences. In the context of increased use of APIs or unreasonable distribution of data, for example, the danger is intrinsically linked to the poor configuration of resources, that is to say, configuration that does not respect the good practices to be observed in this area.

Vulnerabilities Through Application Development

The industrialization of application development, illustrated in particular through a CI/CD approach used by DevOps teams, must be closely monitored. Indeed, the deployment of applications in a cloud environment can lead to multiple potentially vulnerable web services and, above all, can do so at a vast network scale.

The Main Challenge: Control Of Constraints And Consolidation Of Indicators

While the Cloud obviously brings many benefits, the migration must be thought out and supported to avoid the many pitfalls along the way. The challenge is finding the right balance between security, tools, governance, and team management while ensuring high flexibility. The transition to the Cloud is, therefore, above all, a subject of transformation.

It requires a tailor-made approach adapted to each company. Although the subject is more than just technical, the implementation of specific tools to provide centralized supervision is strongly recommended. Modern Cloud Native Application Protection Platforms (CNAPPs) address these issues. They go even further by now serving the business lines. These tools are, therefore, no longer brakes or constraints in the service of security only. They are fully integrated into the development lifecycle.

The CIO is no longer the one who says no to his teams but the one who secures the DevOps process, for example. The choice of the underlying technology will depend on numerous criteria, starting with the specificities or consistency with the company’s governance policy. Indeed, solutions such as CSPM (Cloud Security Posture Management), IAM, or even CASB (Cloud Access Security Broker) are only suitable for some situations. 

They must, therefore, fulfill the same role: be at the service of the business lines and the IT department and, in the best case scenario, be part of the application development processes. It is, therefore, the full set of indicators from these tools, consolidated within, for example, a SIEM or a managed SOC, that will allow the company to optimize its detection and response capabilities.
