Ten practical steps can be implemented as a process for fortifying cyber security in the public cloud. Together they form a step-wise process for planning a cloud migration and for protecting assets in a hybrid and multi-cloud environment.

  1. Decide which workloads/applications to move to the public cloud. For example, many organizations choose to move test and development environments first, or move workloads that will use the state-of-the-art analytical capability of the cloud, while keeping core/regulated or latency-sensitive transaction systems on premises or in a private cloud. Once this plan is firm, the customer can determine the security requirements for the workloads that are being migrated.
  2. Identify at least one CSP (Cloud Solution Provider) capable of meeting the security requirements for the workloads. Companies may choose multiple providers for different workloads, but the selection should be consistent with the objectives of the company’s overall cloud strategy.
  3. For each workload, determine the level of security to enforce in each of the control areas. For example, companies should determine whether IAM should use single-factor authentication, multi-factor authentication, or a more advanced approach such as user-behaviour-based authentication. A company can also choose a third-party Cloud Security Posture Management (CSPM) tool to strengthen security enterprise-wide across its hybrid and multi-cloud environment.
  4. Assign a security template to each workload based on ease of migration, security posture, cost considerations, and internal expertise. For example, a company can plan, remediate and implement customer-facing applications using the default CSP/cloud controls, while lifting and shifting internal core transaction apps without remediation and routing data access for internal users through the private data centre only (backhauling). Backhauling (hair-pinning) degrades performance, but it is the safest option given the complexity involved in the other options.
  5. Decide which security solutions to use for each workload/application in each security control area. Given the capabilities of the CSPs identified for each workload, companies can determine whether to use existing on-premises security solutions, CSP-provided or native solutions, or third-party solutions such as an enterprise-wide CSPM tool, or implement zero trust network access (ZTNA) to control access from endpoints and to guard against misconfiguration of cloud settings.
  6. Prioritize the first set of controls to implement, create a checklist and implement them. Controls can be prioritized according to the importance of the applications being migrated to the public-cloud environment. The company should also create SOPs and a checklist that records the details of each control implemented against each app or across the IT landscape.
  7. Develop a view on whether each control can be standardized and automated. This involves analysing the full set of controls and deciding which controls to standardize across the organization and which to automate for implementation. The company should maintain a formalised list of all implemented controls for periodic review by internal and external audit agencies.
  8. Implement the controls and the governance model. For controls that can be standardized but not automated, companies can develop checklists and train developers/cloud administrators on how to follow them. For controls that can be both standardized and automated, companies can create automated procedures that implement the controls and enforce standardization using a secure DevOps approach.
  9. Use the experience gained during the first wave of implementation and migration to pick the next group of controls to implement. Drawing on this experience will also improve the implementation process for subsequent sets of controls. Security posture improvement is a journey, not a one-time activity; there should also be a process for adapting quickly to new security threats and to developments in the cloud environment.
  10. Work closely with the cloud or implementation partner to implement the necessary controls and to integrate them with the other existing security solutions. This requires the company to gain a full understanding of the CSP’s security capabilities and security enforcement processes.
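Steps 3, 4 and 8 together describe assigning each workload a security template and then automating the checklist that verifies the controls. The following is an added example of such a policy-as-code check, not code from the original article or from any CSP or CSPM product; the template names, control names, allowed values and the workload inventory are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Security templates from the migration plan (step 4): the control level each workload
# class must meet in the control areas from step 3. All names and values are assumptions.
TEMPLATES = {
    # customer-facing apps: default CSP controls, MFA or behaviour-based authentication
    "customer_facing": {"iam_auth": {"mfa", "behavioural"}, "data_access": {"cloud_native"}, "encryption_at_rest": True},
    # internal core transaction apps: lifted and shifted, internal user access backhauled via the private DC
    "internal_core": {"iam_auth": {"mfa", "behavioural"}, "data_access": {"backhaul"}, "encryption_at_rest": True},
    # test/dev: migrated first, lowest mandated level
    "test_dev": {"iam_auth": {"single_factor", "mfa", "behavioural"}, "data_access": {"cloud_native", "backhaul"}, "encryption_at_rest": False},
}

@dataclass(frozen=True)
class Workload:
    name: str
    template: str
    iam_auth: str
    data_access: str
    encryption_at_rest: bool

def evaluate(w: Workload) -> list[str]:
    """Return the control gaps for one workload against its template; an empty list means compliant."""
    template = TEMPLATES.get(w.template)
    if template is None:
        return [f"unknown security template '{w.template}'"]
    gaps = []
    if w.iam_auth not in template["iam_auth"]:
        gaps.append(f"iam_auth '{w.iam_auth}' below template; allowed: {sorted(template['iam_auth'])}")
    if w.data_access not in template["data_access"]:
        gaps.append(f"data_access '{w.data_access}' not permitted; allowed: {sorted(template['data_access'])}")
    if template["encryption_at_rest"] and not w.encryption_at_rest:
        gaps.append("encryption_at_rest required but disabled")
    return gaps

def evaluate_inventory(workloads: list[Workload]) -> dict[str, list[str]]:
    """Run the checklist over every workload; the output is the per-control evidence step 7 calls for."""
    return {w.name: evaluate(w) for w in workloads}

# Constructed inventory for this example; the workload names and settings are made up.
SAMPLE_INVENTORY = [
    Workload("web-portal", "customer_facing", "mfa", "cloud_native", True),
    Workload("core-ledger", "internal_core", "single_factor", "cloud_native", True),
    Workload("analytics-sandbox", "test_dev", "single_factor", "cloud_native", False),
    Workload("legacy-crm", "unmapped", "mfa", "backhaul", True),
]
```

Running `evaluate_inventory(SAMPLE_INVENTORY)` flags `core-ledger` for single-factor IAM and for not backhauling internal access, and `legacy-crm` for having no template assigned, which is the kind of finding a periodic audit review would expect to see recorded.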

In a nutshell, cloud implementation and migration are not a one-time job. They need proper planning to avoid rework, re-implementation and additional investment in further controls at a later stage, after major gaps are identified through IT audits, new guidelines or frameworks from regulatory bodies, or security incidents.