Best Practices to Implement Secured Cloud Collaboration Tools

Author: Gary Carrera MBA, CISA, CISM, CDPSE, HITRUST CCSFP ISO27001 Internal Auditor, Manager, Governance, Risk and Compliance at Meta
Date Published: 18 May 2021

According to a recent study published by Gartner Inc., end-user spending on public cloud services could grow 23.1% in 2021, reaching US$332.3 billion compared to US$270 billion in 2020. There are many reasons why a company moves to cloud-based tools, including cost and scalability, and there is an increasing need for flexible tools that enable effective collaboration between employees, especially as organizations settle into a new hybrid working environment.

Migrating to cloud-based collaboration tools such as chat, video conferencing and file sharing requires a great deal of cross-functional work between multiple teams to outline the business needs and translate them into technical and security requirements. Obtaining full consensus among all stakeholders is often the most challenging part of a cloud migration project.

Over the past years, I supported the implementation of dozens of cloud-based collaboration platforms across multiple companies from all over the world, and I observed that a large percentage of these projects have common problems. I will summarize the most critical ones:

  • First and foremost, it is rare to find companies that take the time to create detailed use cases describing how the tools will be used, by whom and for what purposes.
  • Second, there is an evident lack of effective cross-functional collaboration between business, IT and security teams to drive cloud migration projects to completion; each group has its own agenda and priorities, and they often do not blend well.
  • Third, companies usually forget that there is no such thing as a “one size fits all” security approach. How a piece of software is used determines the measures needed to protect confidentiality, integrity and availability, and that “how” is rarely documented.

For example, in a company with multiple business units using a common cloud-based conferencing platform, there may be more than one valid use case, each carrying its own set of regulatory or contractual security requirements. Implementing an “out of the box” platform with no security measures tailored to each use case will likely lead to non-compliance and to security incidents. What works for a marketing department might not work for Research and Development.

In the 2020 Magic Quadrant for Meeting Solutions (see Figure 1), Gartner Inc. describes 15 SaaS suppliers and their vision. Microsoft, Cisco and Zoom remained the leaders as of October 2020; however, more options are growing in popularity and market share. Innovation in these solutions has become a business priority, and with the continuous introduction of new features, new security concerns arise daily.

Figure 1. Magic Quadrant for Meeting Solutions
Source: Gartner (October 2020)

For a security professional, ensuring that a new platform has the safeguards necessary to protect data is a never-ending challenge, and enabling open collaboration between the various stakeholders is crucial to meeting it.

Let me share some of the best practices I have learned over the years. 

  • Understand the business needs. It is worth asking multiple times how a platform will be used, by whom and for what purposes. Being mindful of cultural and terminology differences will help bridge the communication gap between stakeholders during this activity. What “chat conversations” means to a security practitioner could mean “file sharing and transfer” to an operations manager.
  • Write clear and detailed use cases. A single platform can address multiple needs. Using a SaaS chat tool for communication between departments is different from using it to enable remote control, and a PaaS file storage system may have numerous applications depending on who is using it. Clear and detailed use cases help the business and the security practitioners find the best possible approach to building adequate security measures into the solution’s design.
  • Define and document data flows. Do you know all the places your data transits and is stored? A comprehensive cloud migration plan must include a detailed data flow describing where the data goes and how it gets there. This is valuable when designing controls such as encryption, authentication and network access. In many instances, maintaining a detailed data flow also supports regulatory compliance when using a cloud-based platform.
  • Implement security and privacy by design. A cloud migration plan must consider the security and privacy ramifications of using the proposed platform, and these must be considered from the beginning of the project. Once the migration plan is final, and before moving forward with implementation, all stakeholders must ensure that the measures necessary to protect the confidentiality, integrity and availability of the data are part of the final design. Implementing a non-compliant or insecure platform will likely lead to a higher cost in the long run.
  • Monitor continuously. The way cloud-based tools are used changes constantly. A strong partnership and open communication between the various stakeholders will help identify changes that may require updates to use cases, data flows and security measures. Business needs are in constant evolution; it is our duty as security professionals to keep supporting our business partners and to provide valuable guidance as they navigate these changes.

Various international guidelines outline best security practices for implementing cloud services. However, their application will significantly depend on how the services operate and how data flows through them. Nonetheless, here are some valuable resources:

  • ISO/IEC 27017:2015, which extends ISO/IEC 27002 with cloud-specific guidance, provides a detailed approach to reducing risk in cloud-based environments.
  • The Cloud Security Alliance (CSA) recently released version 4 of the Cloud Controls Matrix (CCM) and has published timelines for companies enrolled in the STAR program to complete the transition. This blog from the CSA offers additional details.
  • In collaboration with CSA, ISACA recently released the Certificate of Cloud Auditing Knowledge (CCAK); read more about it in this ISACA blog post.

No matter what role you play in implementing cloud-based platforms, be mindful that processing data through third-party software has multiple security and privacy ramifications. Achieving a successful deployment will depend on the effectiveness of the cross-functional work and alignment between the different stakeholders.