Back to Basics: Maintaining Cloud Migration Oversight While Navigating the New Normal

On the fifth and final installment of our Remote Work Readiness Series, Rapid7 taps industry insiders for what the future of security leadership might look like as we enter the next phase. From successful cloud journeys to the benefits of user- and service-based security controls, get their take on everything risk management as we find a new normal.

Moving forward with cloud migration and acceleration

Perhaps the most obvious industry change in recent months is the massive shift to a remote workforce. The home network is the new corporate network, and with everyone working from home, the need for remote endpoint security looms large. Security teams must find the tools to protect and monitor activity on networks trafficked by other devices. If the current asset environment is like an island in the middle of the ocean surrounded by vicious sharks, it’s not necessarily ideal for workstation security.

Related: See how the Rapid7 Insight Platform helps you monitor and secure your remote workers

What’s more, because of the new environment, the economically constrained among us cannot simply adopt controls from the past. To optimize limited operating budgets, consider flexible partnerships, such as managed services, with the intention of reassessing the arrangement further down the road.  

Our experience with COVID-19 may not have changed how we think about the cloud, but it did accelerate users down the path to cloud migration, fueled by SaaS applications and cloud infrastructure. Successful cloud migration projects don’t require overhauling every program and compliance process. Rather, staying consistent with existing controls typically suffices for the desired technical transformation.

Keeping your business continuity plan in check

Security teams have demonstrated their excellence as partners in cloud acceleration. As security functions return to normal, teams can expect less reliance on data centers and a shift toward more agile solutions. However, you will face logistics issues if you try to meet this demand by simply replacing a disk and installing a new server. It’s not like everyone could have anticipated this situation, or how adequately their supply chains could respond.

So, it’s time to revisit your business continuity plan. Embracing citizen IT can encourage security to deploy infrastructure that improves our ability to navigate newly adopted cloud environments. As we continue growing into the cloud, it will become crucial for organizations to identify and keep track of what they own.

Whether you monitor only your own users or run a honey network sensing traffic from the world over, your understanding of remote networks can only go so far. And if our new world includes cloud-based migration, everyone should be informed of potential cloud environment misconfigurations as they arise.

For example, other cloud environments may configure resources statically linked to more ephemeral sources, like IP addresses. If apps think they’re connected to IP addresses they no longer own, someone else may receive accidentally disclosed data due to misconfigurations. It’s important to understand those resources to manage risk effectively.

Finally, we should all remain aware we might be occupying infrastructure once owned by someone else, and boost resiliency for applications and services deployed in these environments.

Customer-focused service and privacy assurance

For all their technical focus, security specialists often fail to acknowledge the people behind the laptops. Yet those people can be your greatest vulnerability or your best line of defense. The “service” aspect of customer service isn’t really a two-way street—people seek out security providers for their expertise, but not vice versa. Still, people maintain trust when it’s properly nurtured, and security providers don’t want to pass along a company laptop and then ignore their customers. So in order to protect the business, it’s worth revisiting what “customer-oriented” means as we reopen. Yes, provide assurances of robust security, but without invading privacy or any creepy intrusions.

And speaking of privacy, company-issued devices present their own dangers. If someone other than the authorized recipient might use it, they could expose sensitive information, and this behavior can have a massive impact on vulnerability management.

Additionally, users aren’t necessarily limited to company-issued assets. The overlap between personal and company computing creates expectations around privacy that are difficult to enforce. Say you access your company email from your kid’s iPad, or use your work laptop to manage your personal Google Drive. This can lead to cross-pollination of information and create a new set of exposures. It’s worth considering how these situations should influence smart policy drafting and training.

Returning to security fundamentals

To limit risk, it never hurts to reinvest in security fundamentals. What we do to effectively respond to threats needn’t change so much as how we respond. Confronted with our new situation, we shouldn’t just toss out the book and start over—instead, we should rely on our tried-and-true basics that have sustained us until now.

Of course, your response depends on your security readiness and what your team is capable of understanding and supporting—and in the current climate, so many IT professionals are learning on the fly. It’s helpful to note the perimeter has now changed, and this means we need to apply extra care to ensure nothing slips through the cracks. Monitor the data flow, secure critical infrastructure, and cautiously embrace technologies to ensure you don’t introduce new risks.

Listen to the full webcast

Rapid7 thanks our security leaders for taking the time to discuss their security forecasts and insights into minimizing risk as we move forward. And we thank you for joining us for our Remote Work Readiness Series finale—be sure to listen to the webcast in its entirety.