You are here
Home > Tech > Security > 5 steps to building a security strategy

5 steps to building a security strategy

Only a few years ago, security was at best an afterthought for some cloud teams. Everyone on the team thought security was someone else’s problem. For some less-fortunate organizations, this mindset did not change until a major security breach occurred, resulting in financial losses, reputational damage, and even job cuts. At that point, security became everyone’s problem—but that realization happened far too late.

How can you avoid this sort of suboptimal scenario when it comes to securing critical assets in the cloud?


Of course, IT security risks existed well before the cloud era. But today, cloud technologies bring a new dimension to the risk.

Due to the unprecedented ease and speed of infrastructure provisioning, business users can now provision their own cloud infrastructure. However, they may not be fully aware of corporate IT security guidelines— or they may not feel bound to follow them strictly.

This quick and easy provisioning can often lead to a proliferation of “temporary” workloads in the cloud.

Many of these workloads are not rigorously controlled, leading to idle resources that build up over time— and then become forgotten and vulnerable to attack.

Moreover, because data in the cloud can be stored anywhere, users typically don’t know where their data is located physically, or they have no control over location. Therefore, protecting confidential data becomes an additional challenge. Legislation in some countries, for example, mandates that confidential data from their nationals must remain within designated geographies.

To overcome these challenges, you need to develop a security mind-set at the very core of your cloud organization. Let me share what I see as some key steps in this process.

1. Build a broad awareness and knowledge base

All cloud team members need to understand the basics of security for their cloud platform. That includes not only the enterprise’s security policy, but also a broad awareness of relevant laws—for example, data protection— and compliance requirements— for example, Payment Card Industry (PCI) or Sarbanes–Oxley. It also helps to build some basic awareness of common security breaches.

To incentivize this learning, consider including security training as part of each team member’s personal goals—for example, as part of a management-by-objectives (MBO) process. Also include security awareness in new hire onboarding and individual training plans.

2. Break down technical silos

Technical silos occur quite naturally as specialists organize themselves into groups of expertise (networks and servers, operating systems and hardware, etc.). However, entrenched silos can easily cause gaps in security coverage. That’s because hackers are experts at finding fault lines between silos, those tiny gaps from which they can launch an intrusion. They will look for the weakest link wherever it might be found:

Passwords too easy to hack, unpatched operating systems, lax email security, defective firewalls . . . the list of risks is long.

Instead of relying on a silo mentality, the team must consider an end-to-end approach to security and assume breaches can occur in any layer of the infrastructure. In the same way that cloud services must be designed end to end across silos, teams need to work together to manage security risks.

3. Involve the business stakeholders

There are different ways you can set up your cloud organization. In VMware’s model, part of the setup involves building close working relationships with business stakeholders. You establish specific roles within this cloud organization model, such as service owner and customer relationship manager, to liaise with the business.

Security is a critical part of this IT-business partnership. Key actions that help ensure all stakeholders are on the same page include the following:

Establish clear responsibilities—for example, who patches the workloads? Who checks compliance? Document responsibilities and expectations (e.g., within the service-level agreements) Maintain regular communications about security between business users and the cloud team—for example, are there security-critical applications? Is there confidential data? If so, what is the level of confidentiality?

4. Automate day-to-day security and compliance checks

As part of operating a cloud, the team most likely uses tools such as software for cloud automation and IT operations management. These tools can be configured to enhance some of your security and compliance procedures—adding much-needed automation to routine, day-to-day activities that otherwise would consume the team’s effort and attention.

Here are some examples of actions your cloud team can take to leverage these tools for security and compliance:

Ensure provisioning blueprints are up-to-date with the latest security policy, such as patch levels.

Configure monitoring dashboards to display an aggregate view of compliance risk across your virtual infrastructure.

Configure monitoring dashboards to display an aggregate view of compliance risk across your virtual infrastructure.

Use your management tool’s ability to automate and report on compliance checks.

Explore the potential of automated integration with your support desk. Once detected, compliance or risk events can be automatically associated with incident-ticket creation and then acted on promptly

Automate as much routine compliance checking and security monitoring as possible, so the cloud team can focus on the big picture and work proactively to identify emerging security threats.

5. Shift the paradigm on network security with micro-segmentation

The traditional approach to securing a private cloud’s network is based on the fortress model: highly protected boundaries (e.g., the perimeter) and a gate to control traffic at the entrance (e.g., the firewall).

The downside is that once a network’s perimeter is breached and the first workload is compromised, the intruder can often move laterally to compromise other workloads with little or no challenge.

Micro-segmentation enabled by network virtualization allows fine-grained network security that can prevent not only the initial intrusion but also lateral movement and other subsequent actions. That’s because each workload can be isolated from the others and contain an intrusion. Micro-segmentation also offers the possibility of tailoring security policies down to the workload level, therefore increasing the level of control over cloud security.

Leveraging this potential requires a shift from a static security model to a dynamic one. It also requires the cloud team to develop new skills. For example, supplementing skills in routine configuration with those in automation entails complementing traditional network proficiency with design and programming expertise.

Think of security as teamwork. Encourage your cloud team to coordinate security across silos: users, cloud engineers, security teams, and so forth.

Leverage your cloud and IT operations tools to automate some of your security and compliance procedures.

Transform your team’s perspective on network security by incorporating micro-segmentation enabled by network virtualization, moving from a traditional fortress security model to a dynamic, fine-grained approach.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.