Assessing Risk in Cloud Migration and Automation

 My CSA Cloud Security Risk Ratings 

Security Concerns: major challenge (One mistake has far-reaching effects.)
Data loss and leakage risks: major challenge (One mistake has far-reaching effects.)
Regulatory Compliance: major challenge (It is possible to have considerable AWS knowledge without having adequate knowledge of laws and regulations.)
Integration with the rest of the IT environment: moderate challenge (Encrypted VPN tunnels to facilitate communication over the internet are necessary for secure cloud communication with the rest of the internal infrastructure. While VPN isn't too bad to set up, it needs to be setup by a knowledgeable professional. It requires maintenance by a knowledgeable professional.)
Legal Concerns: major challenge (It is possible to have considerable AWS knowledge without having adequate knowledge of laws and regulations.)
Cost: major challenge for large companies, minimum challenge for small companies (One experienced DevOps engineer can set alarms and guide an organization to make cost-efficient choices. Large, complex infrastructures become expensive without adequate planning and careful selection.)
Visibility into resources in the cloud environment: no challenge (visible with built-in tools)
Migration of application to the cloud: minimum challenge (Migrating to the cloud is no different than any normal migration, which occurs regularly in software development.)
Lack of expertise to manage the cloud environment: moderate challenge (Hiring one experienced DevOps engineer significantly reduces risks associated with a lack of expertise. One experienced engineer can train an entire team over time. Without hiring an experienced DevOps engineer, this becomes a major risk.)
Lack of staff to manage the cloud environment: no challenge (Even a small 2-3 person team can manage a large cloud infrastructure. Even a single experienced DevOps engineer could manage a small infrastructure.)
Vendor Lock-in: Major Challenge if not doing IaaS

Why organizations call out for more automation over improving existing infrastructure in the cloud

Organizations want to receive notifications before there is a major problem. Automation can assess predefined health checks. One area of concern is when customers seek automation over existing infrastructure to reduce the need for expertise on their IT teams. Cutting corners on cloud security in a DevOps environment with automation leads to severe problems. Automation should be a tool to improve a safe DevOps environment, allowing established processes to run more smoothly. It should not be a replacement for expertise, as suggested in the survey. I actually think using automation as a security aid for a lack of expertise in a complex cloud environment is the worst advice I’ve ever heard.

Comments

Post a Comment

Popular posts from this blog

SalonAboutBeauty: Less Integration for Consistent Styling Across Components

Ensuring Consistent Variables Less provides several advantages for organizing CSS to ensure consistency across a website. The variables.less file defines reusable properties that allow a developer to easily communicate and maintain styles according to a style guide or theme.  The Less Web Development Cookbook describes properties in the variables.less file in relation to other programming languages: “Variables in Less are defined as the equivalent to statics in other programming languages. You assign a value to a variable once and use it everywhere in your code” (Meyghani & Jobsen, 2015, p. 50). It suggests that less allows a developer to set properties, such as colors and length, to variable names that retain their meaning and can be used everywhere in the code. Examples: @base-color: red, @primary: green.  By providing these definitions in a central location, developers create code consistency in all areas of the website. Creating an Organized File St...
Read more

Why “Human Error” Is Usually a System Design Problem

In complex systems, failure rarely comes from a single bad decision. It comes from problems that evolve slowly, cross boundaries, and remain unresolved while everyone involved behaves reasonably. Managing risk in these environments means managing trajectories, not just incidents. When ownership is divided strictly by role, function, or severity threshold, gaps are inevitable. Those gaps are where issues linger, age, and quietly accumulate risk, not because they were ignored, but because no one was responsible for carrying them forward end to end. This is common in healthcare, where delay is often necessary. A patient may require observation, referrals, or time to clarify diagnosis. The failure is not that care takes time; it is that the trajectory of care becomes fragmented. Each clinician escalates correctly within scope, yet no one owns the evolving picture across visits, domains, and decisions. The patient is evaluated repeatedly, reassured locally, and sent away without continuity ...
Read more

Challenges in Prosecuting Deep Web and Darknet Crimes: The Case of Ross Ulbricht and the Silk Road

  The deep web represents online information that is not easily accessible through search engines. Prosecuting crimes on the deep web is no more challenging than prosecuting crimes for any standard website because law enforcement can still track the user's location through a domain or IP address. Alternately, the darknet poses a challenge for law enforcement to address illicit activity because while the darknet is a web-based system, it is accessible only through the Tor protocol that encapsulates HTTP and HTTPS traffic, much like a VPN that hides a user’s location and identity. The Tor protocol, often called the Onion Router, contains methods for encrypting and routing traffic between peers. The purpose of the Tor protocol is to make web browsing anonymous by routing each request through multiple peers and altering encryption at various steps until the request reaches its destination. Subsequent requests may hop through different peers, making traffic appear random, unpredictable,...
Read more