Cyril Segretain, Information Security Officer Europe, Uniqlo
Security needs to be thought of by design: included at the early stage of any application or digital project so that it is as efficient as possible and addresses the right risks. But security appeared after applications, and securing legacy IT systems has turned out to be a real challenge.
The multiplication of public and private clouds and of as-a-service solutions such as SaaS, PaaS and IaaS answers a new trend of using external hosting providers and suppliers for applications. Most companies now use multiple cloud providers and solutions for their core business or support applications. Cloud either brought them new projects and usages, or simply a way to migrate existing applications to a cheaper hosting solution with great performance.
Migration to the Cloud is a real opportunity for Information Security departments, and I feel that we can include ourselves directly in the migration project and review the security by design of the legacy application. The very legacy application whose windings and security we would never have been allowed to understand, only because “it works”. Moving this application to the Cloud is a good opportunity to change this to “it works, and it is secure” by understanding risks and reducing them.
Building a Cloud project management methodology will enable companies to introduce security by design and start security by default for the next projects.
As Information Security professionals, we need to be proactive in understanding Cloud technologies and their security. Cloud solutions were built to answer most of their customers' problems, so they often include security tools or capabilities. Enabling and using the security embedded in Cloud solutions might already raise the security maturity of the company and address some main business risks such as resilience.
If security, instead of being an obstacle in application development and deployment, becomes a driving force for Cloud migration and implementation, there will be a possibility to review the global architecture to adapt it to the Cloud by including security and performance at the same time. And your company will be able to present a more secure and efficient product to your customers based on these enhancements.
Legacy systems can be a real problem for companies, as they need to be maintained for a very specific business purpose that tends to accept all risks linked to discovered vulnerabilities or depreciation. Migrating these systems to a Cloud solution will help cover new vulnerabilities in a more timely manner and limit technical depreciation.
But the ease of access and use of Cloud technologies brings an important risk around shadow IT, where applications and systems are neither secured nor known by the Information Security department of your company. With any incident on these unknown systems, such liabilities will only be noticed when impacts are no longer acceptable. The use of Cloud solutions in a company needs to be driven to avoid shadow solutions and unidentified risks.
Cloud solutions are still new and constantly changing; therefore, risks linked to these technologies need to be assessed. Indeed, Cloud is used to transfer some availability and material risks to the Cloud provider. Risk analysis must be performed on Cloud systems to implement security and define clear scopes of responsibility for the different stakeholders.
The growing use of Cloud solutions and platforms is a great opportunity for every company to include information security by design, but it needs to be framed by a risk analysis to define responsibilities and security needs.