As the Cloud moves from hype to initiation and growth, organizations are considering larger migrations of systems that have wide-reaching effects on IT and security departments. Clearly, there have been a number of tools and trends that drive higher levels of workforce performance and lower IT costs. Advanced collaboration technologies, mobile solutions, border-less networks, cloud computing and the convergence of voice, data and video are moving toward a much more efficient environment. In the past, systems were built with security mostly as an afterthought. But with regulations and reputation concerns at the forefront of many board of directors’ minds, risks must be accounted for along with the associated rewards that the advancement provides.
From Current State to the Desired State
A chance to build it right…right from the beginning
We are seeing that CIO’s and CISO’s are taking this opportunity to ensure that the network and associated systems’ infrastructure is designed, implemented, and ultimately managed securely going forward. Many times this is done in a way that was previously unattainable with legacy systems and ingrained processes. It’s imperative that the overall controls implementation be managed effectively – from
vendor management to assisting with policy decisions. With many moving parts and a limited time frame, the stress from a project management perspective can be 
significant.
With that in mind, it is important to identify the Current State (CS) by performing two simple assessments, detailed below. From a high level, this allows an organization to incorporate both tactical and strategic methods to move from the CS to the Desired State (DS), and ultimately to a managed or SecureState (SS). The recommendations provide value at the strategic, program-level combined with the tactical steps needed to put the strategy into place.
Security and Regulatory Gap Assessment
Starting at the high level, there needs to be an understanding of regulatory and other risk-based security controls you’ll face as you migrate systems and processes to private or public cloud infrastructures. Specifically, some of the goals for a Security and Regulatory Gap Assessment (or Control Review) include:
- Gain a baseline of the security and compliance requirements of the new environment
- Utilize a standardized approach to ensure consistent application of security controls
- Insure the controls are appropriate for the service being provided
- Identify areas of accountability to assess, authorize, and monitor the environment
A Regulatory and Security Gap Assessment will identify and establish the right security controls to demonstrate compliance, improve security visibility, and outline areas requiring remediation or more stringent controls. This will also provide the foundation for a uniform approach to risk-based security management.
Security Architecture Review
Taking it to the tactical level, we need to know exactly what should go where to give us the best opportunity to build security in with the greatest return and positive impact to the architecture. This is accomplished by an architecture review. Goals for this include the ability to:
- Gain a baseline of the desired state of the network and application infrastructure
- Understand IT expectations and accountability
- Determine if the architecture supports the company’s security requirements
- Identify security flaws that may be present within the setup of the architecture
- Identify areas where re-architecture and additional testing are required
A Security Architecture Review will review the proposed network and application architecture and data flows for security flaws that may be present within the setup of the architecture. This identifies components of a system, maps dependencies, and identifies trust boundaries between systems to determine if the architecture supports the company’s business needs and security requirements.
It’s not what we don’t know that gets us into trouble. It’s what we think we know that ain’t so.
Common sense dictates that security should not be an afterthought or add-on. Clearly security must be treated as an integral part of the overall system design. As an IT delivery organization, it is easy to find technical products that can address the known problems. Typically however, organizations do not accurately know the assumptions that were made in the past, the latest changes, and the data and
demands that will befall them in a change like this. Experts are best at understanding the CS—what needs to be done to prioritize, provide, and maintain the proper security controls that support the business model. While this seems easy, without ensuring that ‘we know what we know’, getting to your DS becomes fraught with additional time and resources. Change that could have been easily forecast in the beginning can drag the project down. This usually results in unnecessary spending by, and/or risk to, the organization. With the cost savings of a cloud migration in the tens or hundreds of thousands of dollars each and every year, a few simple assessments in the beginning have tremendous benefit.