The path to the cloud is a twisting, hairpin-laden road for almost every enterprise. Many were dragged to the cloud by business units charging ahead. Some may have started out with a deliberate strategy, only to see it warped out of shape by new, quickly bolted-on cloud apps procured (officially or unofficially) to support new initiatives and growth demands. But few have true cloud maturity.
Cloud benefits are so compelling that most organizations continue to add applications, by strategic design or force of will, at an alarming pace. The result is often a cloud environment that is not cohesive, efficient, or meeting either the goals of the business or the promise of the technology.
One of the big losers in this haphazard cumulus cloud buildup is clear visibility into security controls and practices.
How to perform a cloud maturity check
It’s time to reassess. Whether you are relatively cloud immature or have been in the cloud for years, conducting a cloud maturity and security assessment is an important health check for determining whether your current use of the cloud is truly helping you meet your business goals and whether you are extracting the most from the features and business advantages of the technologies – while at the same time securing your essential data.
It’s important to determine whether your current cloud solutions or future cloud migration plans are meeting your strategic goals and are well matched against your staff and security tool capabilities (and how to address this if not), and to determine the efficacy of your deployment so it can be improved.
You likely have specific goals for moving to the cloud (or moving specific functions to the cloud), whether they are clearly articulated or not. Such goals typically include cost savings, faster time to market for a product, meeting rapidly changing customer demands, etc.
If these aren’t clearly delineated, you will want to spell them out so you can map these goals against the results of implemented solutions or future plans.
While this may seem an academic exercise, it is important: as an example, if your goal is cost savings, doing a detailed analysis of moving a deeply embedded legacy application to the cloud may reveal that such a move is in fact costlier than retaining it on-prem.
If you are trying to get to market more quickly but don’t have the skills or tools to support the cloud deployment, you may be defeating the purpose.
For current cloud deployments, how you are working in the cloud may be inefficient, failing to meet the goals you set out to achieve; or you may have neglected to build a proper cultural acceptance of the new cloud paradigm, which may affect success.
For both on-prem and cloud solutions, the security mission is the same, but the implementation is different. It’s important to assess whether you have the right tools and staff skills in place for your current and planned cloud usage.
Implementing a best-practices security program that addresses both your cloud and remaining on-prem environments is key. It requires you to select tools that work across both and to have staff with the requisite skills to take advantage of the built-in security tools available from your cloud providers.
You must also understand how the shared responsibility models impact your security requirements and leverage them to your advantage.
Many enterprises deep in the cloud can greatly improve how they are securing those services and consider more efficient models as they consume new services. Assess your opportunities to leverage security automation and consider how well you are integrating security-as-code automation into your CI/CD pipeline.
Today’s public clouds offer a wealth of security tools and information capabilities that provide excellent insight; we recommend you understand these capabilities and evaluate how well you leverage them, incorporating the security information and event data they provide into your security operations processes.
If you are ignoring cloud-native tools, you could be making your job a lot more difficult.
You should also evaluate how well you are leveraging cloud capabilities to scale your security program.
Getting Clearer: gaining visibility into the cloud
By assessing your cloud deployment for strategic and capabilities alignment, as well as the efficiency with which you are using and securing your cloud services, you can get better visibility into your security posture and the benefits you are gaining from the technologies.
Since the move to cloud has been erratic, often business driven, and in some cases not fully planned, performing a periodic cloud maturity check is essential to ensure you are meeting your business objectives.