Cloud Adoption & Migration: Making Security a Priority in Your Strategy
Date: 25 November 2021
Agility, scale and resilience are just some of the reasons why businesses across the globe are moving to cloud environments. While initially the cloud may have become popular thanks to the cost advantage it offered, soon other business benefits became the key drivers for adoption. Yet securing the cloud while achieving business agility remains a constant challenge for most businesses.
Cyber Management Alliance’s recent webinar, hosted in association with Tufin, the US-based Security Policy Management Company, sought to explore why securing the cloud is a challenge. Watch the Webinar titled, “Cloud Adoption & Migration: Making Security a Priority in Your Strategy” to listen to the experts explain how DevOps and Security teams need to be able to collaborate more seamlessly and move forward from legacy processes to tap into the true benefits of cloud migration.
Panelists in the webinar:
Amar Singh, CEO and Co-founder, Cyber Management Alliance
Jonathan Campbell, Technical Manager of Cloud, Tufin
Sattwik Gavli, Director for Cloud Products at Tufin
Key topics covered in the webinar:
- What’s driving Cloud migration?
- What’s the challenge in securing cloud environments?
- Unique challenges of Hybrid Cloud Applications
- How can Tufin’s solutions help?
- What is Tufin SecureCloud & what are its key features?
Business Benefits of Cloud Adoption:
The webinar opened with a deep-dive discussion into the key business benefits of cloud adoption. Sattwik summed them up as follows:
- Enhanced agility allowing businesses to bring products to market quickly.
- Improved customer satisfaction and loyalty thanks to unprecedented speed of customer concern resolution.
- It allows the business to scale up in line with market demand.
Challenges in Securing the Cloud:
While cloud migration is clearly great for business agility, there is a problem that customers are facing in today’s business environment: How to increase security while maintaining agility. Sattwik elaborated on this problem in detail in the webinar. Everyone wants to strike this fine balance, he said, but most businesses seem to be struggling to achieve success.
The issue is that everyone still seems to be using the same legacy approaches they used to use to secure their on-prem environment for their cloud environment and that simply can’t work.
A bunch of the cloud security issues that arise today are due to misconfigurations or human error. The environments are misconfigured usually because humans don’t take full advantage of all the automation and solutions (like oxeye.io) that’s available to them. In fact, the webinar highlighted that a recent Gartner report said that 99% of cloud security failures happened due to misconfigurations, clearly making it a massive challenge that needs addressing.
The other reasons why misconfigurations occur are:
- A lack of visibility
- Fragmentation of Hybrid Cloud/Multi Cloud
- Scarcity of the right skillset in people
Businesses have typically used Firewalls to secure their on-prem environments for all these years. And this has actually been successful and sufficient. However, when it comes to Cloud, just having Firewalls is far from being adequate protection. There is just too much more that you need to think about when it comes to Cloud security such as:
- Incorrectly secured buckets
- Insecure ports in use
- Overly permissive networks
- And of course, misconfigurations
Challenges of Hybrid Cloud Applications:
The webinar then moved on to show a really simple example of a Hybrid Cloud Application and how it is challenged when it comes to security. In a hybrid application, there will usually be two different teams responsible for managing its security and neither team will have end-to-end visibility of the entire flow between the hybrid application components.
Sattwik reiterated that if you don’t have the right contextual visibility of your end-to-end network, there are bound to be misconfigurations - you’ll either end up leaving things open to vulnerabilities or being over-protective such that you’re always dealing with false positives. Collaboration between these two teams is very important.
Jonathan then stepped in to elaborate on this key aspect of Hybrid Cloud Security - Collaboration. The issue today with most businesses, he explained, is that the security teams continue to manage the on-prem traditional environment using their legacy workflows, but they don’t normally participate in the DevOps and CloudOps practice. The need of the hour, however, is to have the two teams really collaborate well and making sure that security policy is something that is being used as a test in this automation cycle.
The question that arises is how to make this happen? Jonathan summarised the answers as the following:
- Allowing public cloud visibility
- Ensuring that you’re compliant with the security guardrails that have been put in place
- Include DevOps earlier in the Network and Security Operations
How does Tufin fit in here?
Clients using Tufin’s solution can manage to deal with the challenges of cloud, hybrid cloud and multi cloud environments thanks to the following features it offers:
- Visibility into what’s going on – including an “app-centric” view of all network security assets and cloud services, and their access & connectivity configurations
- Helps you identify overly permissive security configurations, and automate remediation rules
- Let’s you design policies and deploy them as “guardrails” for your cloud team members
- Enables you to be continuously “audit ready”, via it’s unified reporting and policy engine
- Helps you inject security policy into your DevOps & CI/CD automation pipelines
Further explaining how Tufin can help, Jonathan quoted an example from some recent work he did with a customer who had an existing manual approach to application development where the DevOps team would add new connections with no security policy checks and the security team would get visibility of the new connections very late in the cycle, causing delays and friction in the production process. The client wanted the entire process to be automated with security being involved early in the process. By deploying Tufin’s solution, every connection that was added was already compliant with the security policy and the security testing process before production became much shorter. This meant that the developers always had the latest guardrails and security was no longer being seen as a business blocker.
Tufin’s SecureCloud & its USPs
The webinar then focused a little bit on Tufin’s SecureCloud and what it can really do for clients. Tufin SecureCloud is a network-centric Cloud Security Posture Management tool and the newest addition to the Tufin Orchestration Suite. Its USPs are that it offers enhanced visibility, automates network security policy design, and supports any mix of on-premises, private cloud, public cloud, and Kubernetes infrastructure.
It also allows businesses to establish Security-policy guardrails through auto-generated native network policy controls. One can Segment workloads for east-west as well as north-south traffic to reduce the attack surfaces in the public cloud. Further, it enables Continuous Compliance with the ability to automate a CI/CD pipeline with APIs.
The main advantage of SecureCloud is that it ensures that the business benefits of moving to cloud computing are not compromised by slow moving security processes. It actually accelerates the migration of workloads to the Cloud by eliminating security and compliance concerns.
Jonathan, in fact, encouraged all listeners of the webinar to try out SecureCloud for a free cloud security assessment to know the risks in their environment at tufin.com/try-securecloud.
To know the full extent and depth of how Tufin’s SecureCloud can benefit your organisation, listen to the webinar.
To access similar high-quality and educational content, subscribe to our BrightTALK channel.