Digital Transformation is taking over, we all know this and enterprises are adopting this at a higher than consumable rate. What once took many times months to provision in our legacy infrastructure now can be spun up via a CLI command in seconds. Years ago the Center for Internet Security (CIS) posted a series of best practices for the main cloud service providers (CSP). This has been a guiding document for many security groups as they see their legacy products that once secured their data center become diminished with the move to the cloud. Additionally, this document was created with the broadest coverage in mind so it doesn’t provide consistency across all of the CSPs.
As customers move into the cloud and start to apply CIS, it can be extremely daunting. There are a lot of findings with little way to understand what is best and how to quickly remediate. On the inverse, large, multi-cloud enterprises are looking to apply a singular policy across all major CSPs. Having a flexible platform to enable this is key to an enterprises success.
These guidelines from CIS are a great start to securing your new or preexisting cloud services. The challenge we see is many customers moving internal applications to the cloud. In addition new software is being developed daily that can be layered onto Amazon, Microsoft, and Google.
Recently I met with a large transportation company that was looking to move their entire application stack from their monolithic data center to AWS. Their move was being pushed from the top down to get out of the data center business and adopt the cloud to enable business to work faster. We all know this as the common term Digital Transformation. With this lift and shift they had to completely rethink their security stack. That lead to finding answers to the following questions:
- How does one rethink their security stack when moving from legacy to cloud form? Do you rely on the tools in the CSP?
- What framework is going to be best?
- Which compliance standards do you need to meet?
- Our legacy security stack had a full policy, procedure and assessment framework, how do we match that in cloud form?
This company was forced to answer all of them at once and build a program from the ground up. That meant was a whole set of new tools that were cloud first. In many enterprises, it’s tough to move aside the security platforms your teams have been using for years, but this team was all in on the cloud and cloud first solutions.
The toughest part of their journey has been to map any possible opening to their infrast