CIOReview | December 2022 | In My Opinion

VULNERABILITIES IN THE CLOUD

By Steve Lodin, Sr. Director, Sallie Mae Bank

As you move to the cloud, what happens to vulnerabilities? Depending on your implementation model and stage of modernization, the answer ranges from "a bit better" to "the traditional vulnerabilities are gone." Overall, though, your vulnerability risk picture improves in the cloud, so make the move and enjoy the security benefits!

Vulnerabilities Do Not Disappear When Moving to the Cloud

As companies move to the cloud, ownership of vulnerabilities shifts in much the same way that responsibility for operations and ownership changes. The responsibility model shown in Figure 1 demonstrates the differences depending on where your data center is: on-premise in your own data center, Infrastructure-as-a-Service in a managed data center or the public cloud, Platform-as-a-Service for serverless functions and capabilities, or Software-as-a-Service where everything is done for you. Vulnerabilities can be found, and must be remediated, in everything you are responsible for and manage.

Methods to the Madness

Essentially, there are two ways to "move" to the cloud, and how you move affects your vulnerability environment, including the tools and processes you use to manage vulnerabilities. The quickest approach is to move your existing data center systems from a physical/virtual environment to a public cloud infrastructure provider. Some companies move all of their legacy data center systems at once in a "Lift and Shift" approach. The longer migration path is the hybrid method. Lift and Shift is massively impactful to all data center assets, applications, and teams at once, whereas the hybrid approach lets an organization decide what moves, when it moves, and how it ends up in the cloud. Most companies follow the hybrid method and never completely eliminate their on-premise data center assets.

Lift and Shift Approach Doesn't Promote Vulnerability Elimination

Moving to the cloud with older, traditional legacy operating systems is the easiest way to Lift and Shift. Vulnerabilities don't change at the server level, but they might be reduced at the infrastructure layer when networking, storage, and bare-metal servers are managed by someone else. Make sure you have strong contracts, and read the provider's SOC 2 report in detail to verify strong security, including patching. With a bit more effort, some companies will remove all the legacy systems and put all their existing applications on updated