New whitepaper: CISO’s guide to Cloud Security Transformation
Phil Venables
VP, TI Security & CISO, Google Cloud
Nick Godfrey
Senior director, Office of the CISO, Google Cloud
Whether you’re a CISO actively pursuing a cloud security transformation or a CISO supporting a wider digital transformation, you’re responsible for securing information for your company, your partners, and your customers. At Google Cloud, we help you stay ahead of emerging threats, giving you the tools you need to strengthen your security and maintain trust in your company.
Enabling a successful digital transformation and migration to the cloud by executing a parallel security transformation ensures that you can not only manage risks in the new environment, but also fully leverage the opportunities cloud security offers to modernize your approach and reduce your overall security risk. Our new whitepaper shares our thinking, based on our experiences working with Google Cloud customers, their CISOs, and their teams, on how best to approach a security transformation with this in mind. Here are the key highlights:
Prepare your company for cloud security
Whilst it is true that cloud generally, and cloud security specifically, involves the use of sophisticated technologies, it would be wrong to consider cloud security as only a technical problem to solve. In this whitepaper we describe a number of organisational, procedural, people and policy considerations that are critical to achieving the levels of security and risk mitigation you require. As your company starts on, or significantly expands, its cloud journey, consider the following:
Security Culture. Is security an afterthought, a nice-to-have, or deemed to be the exclusive responsibility of the security team? Are peer security design and code reviews common and positively viewed? And is it accepted that treating compromise as inevitable, and planning for it, will better prepare you for worst-case scenarios?
Thinking Differently. Cloud security approaches provide a significant opportunity to debunk a number of longstanding security myths and to adopt modern security practices. By letting go of the traditional security perimeter model, you can direct investments into architectures and models that leverage zero trust concepts, and so materially improve the security of your technology estate as a whole. And by adopting a data-driven assurance approach you can leverage the fact that every deployed cloud resource is explicitly declared and discoverable as data (in infrastructure code and through the provider's inventory APIs), and so build velocity and scale into your assurance processes by checking that data automatically rather than by manual review.
Understand how companies evolve with cloud
When your business moves to the cloud, the way that your whole company works—not just the security team—evolves. As CISO, you need to understand and prepare for these new ways of working so you can integrate and collaborate with your partners and the rest of your company. For example:
Accelerated development timelines. Developing and deploying in the cloud can significantly reduce the time between releases, often creating a continuous, iterative release cycle. The shift to this development process—whether it's called Agile, DevOps, or something else—also represents an opportunity for you to accelerate the development and release of new security features. To take this opportunity, security teams must understand—or even drive—the new release process and timeline, collaborate closely or integrate with development teams, and adopt an iterative approach to security development.
Infrastructure managed as code. When servers, racks, and data centers are managed for you in the cloud, your infrastructure is defined by your code. Deploying and managing infrastructure as code represents a clear opportunity for your security organization to improve its processes and to integrate more effectively with the software development process. When you deploy infrastructure as code, you can express your security policies directly in the code and check them automatically before anything is deployed, making security central both to your company’s development process and to any software that your company develops.
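The two ideas above, data-driven assurance over declared infrastructure and security policy expressed in code, come together in a pre-deployment policy check. The following is an added example, not code from the whitepaper or from Google Cloud. It assumes the input has the shape of a Terraform JSON plan (`terraform show -json`, `resource_changes[].change.after`) describing Google Cloud resources; the plan itself is constructed inline so the script runs offline, and the rule names and the choice of checks (uniform bucket-level access, public access prevention, no admin ports open to the internet) are the example's own.

```python
"""Policy-as-code assurance check over a declared infrastructure plan.

Added example, not from the whitepaper or Google Cloud. It evaluates a few
security policies against resources declared in a Terraform-style JSON plan,
so the check can run in CI before any resource is created.
"""
import json

# Constructed sample plan (mimics `terraform show -json` output; not a real
# environment). One compliant bucket, one non-compliant bucket, one firewall
# rule open to the internet, one internal rule, and one resource being deleted.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {"address": "google_storage_bucket.logs", "type": "google_storage_bucket",
         "change": {"actions": ["create"], "after": {
             "name": "example-logs", "uniform_bucket_level_access": True,
             "public_access_prevention": "enforced"}}},
        {"address": "google_storage_bucket.assets", "type": "google_storage_bucket",
         "change": {"actions": ["create"], "after": {
             "name": "example-assets", "uniform_bucket_level_access": False,
             "public_access_prevention": "inherited"}}},
        {"address": "google_compute_firewall.allow_ssh", "type": "google_compute_firewall",
         "change": {"actions": ["create"], "after": {
             "direction": "INGRESS", "source_ranges": ["0.0.0.0/0"],
             "allow": [{"protocol": "tcp", "ports": ["20-25"]}]}}},
        {"address": "google_compute_firewall.internal", "type": "google_compute_firewall",
         "change": {"actions": ["update"], "after": {
             "direction": "INGRESS", "source_ranges": ["10.0.0.0/8"],
             "allow": [{"protocol": "tcp", "ports": ["22"]}]}}},
        {"address": "google_compute_firewall.old", "type": "google_compute_firewall",
         "change": {"actions": ["delete"], "after": None}},
    ],
})

ADMIN_PORTS = {22, 3389}  # SSH and RDP; hypothetical policy choice


def _opens_admin_port(allow_rules):
    """True if any allow rule exposes an admin port (or every port)."""
    for rule in allow_rules:
        if rule.get("protocol") not in ("tcp", "all"):
            continue
        ports = rule.get("ports") or []
        if not ports:  # no port list means all ports for that protocol
            return True
        for spec in ports:  # single port "22" or range "20-25"
            lo, _, hi = spec.partition("-")
            lo_i, hi_i = int(lo), int(hi or lo)
            if any(lo_i <= p <= hi_i for p in ADMIN_PORTS):
                return True
    return False


def check_bucket(address, after):
    findings = []
    if not after.get("uniform_bucket_level_access", False):
        findings.append((address, "GCS-UBLA", "uniform bucket-level access disabled"))
    if after.get("public_access_prevention") != "enforced":
        findings.append((address, "GCS-PAP", "public access prevention not enforced"))
    return findings


def check_firewall(address, after):
    if after.get("direction", "INGRESS") != "INGRESS":
        return []
    if "0.0.0.0/0" not in (after.get("source_ranges") or []):
        return []
    if _opens_admin_port(after.get("allow") or []):
        return [(address, "FW-ADMIN-OPEN", "admin port reachable from 0.0.0.0/0")]
    return []


POLICIES = {
    "google_storage_bucket": check_bucket,
    "google_compute_firewall": check_firewall,
}


def evaluate_plan(plan_json):
    """Return (address, rule_id, message) for every policy violation."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        after = rc.get("change", {}).get("after")
        if after is None:  # deletions have no post-apply state to check
            continue
        check = POLICIES.get(rc.get("type"))
        if check:
            findings.extend(check(rc["address"], after))
    return findings


def plan_passes(plan_json):
    return not evaluate_plan(plan_json)


if __name__ == "__main__":
    for address, rule, msg in evaluate_plan(SAMPLE_PLAN):
        print(f"FAIL {rule:14} {address}: {msg}")
    raise SystemExit(0 if plan_passes(SAMPLE_PLAN) else 1)
```

Run against a real plan with `terraform show -json plan.out | python check.py` style wiring and a non-zero exit fails the pipeline, so the policy is enforced where the infrastructure is declared rather than audited after the fact. The deleted resource is skipped deliberately: there is no post-apply state to assess.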
Evolve your security operating model
Transforming in the cloud also transforms how your security organization works. For example, manual security work will be automated, new roles and responsibilities will emerge, and security experts will partner more closely with development teams. Your organization will also have a new collaborator to work with: your cloud service provider. There are three key considerations:
Collaboration with your cloud service provider. Understanding the responsibilities your cloud provider has (“security of the cloud”) and the responsibilities you retain (“security in the cloud”) is an important first step. Equally important is deciding how you will assure that both parties are meeting those responsibilities, including working with your cloud service provider to consume its solutions, updates and best practices, so that you and your provider have a “shared fate” rather than a merely divided responsibility.
Evolving how security roles are performed. In addition to working with a new collaborator in your cloud service provider, your security organization will also change how it works from within. While every organization is different, it is important to consider all parts of the security organisation, from policies and risk management to security architecture, engineering, operations and assurance, as most roles and responsibilities will need to evolve to some extent.
Identifying the optimal security operating model. Your transformation to cloud security is an opportunity to rethink your security operating model. How should security teams work with development teams? Should security functions and operations be centralized or federated? As CISO, you should answer these questions and design your security operating model before you begin moving to the cloud. Our whitepaper helps you choose a cloud-appropriate security operating model by describing the pros and cons of three approaches.
Moving to the cloud represents a huge opportunity to transform your company’s approach to security. To lead your security organization and your company through this transformation, you need to think differently about how you work, how you manage risk, and how you deploy your security infrastructure. As CISO, you need to instill a culture of security throughout the company and manage changes in how your company thinks about security and how your company is organized. The recommendations throughout this whitepaper come from Google’s years of leading and innovating in cloud security, in addition to the experience that Google Cloud experts have from their previous roles as CISOs and lead security engineers in major companies that have successfully navigated the journey to cloud. We are excited to collaborate with you on your cloud security transformation.