Cloud Computing is now mainstream – but are you ready?
You can’t ignore the relentless march to everything in the cloud with cloud adoption truly moving into mainstream these days. Organisations in almost every country and industry now acknowledge the value that the cloud has to offer and are embracing the use of cloud services. Public sector is also doing a catch-up in this space. For the past few years, public sector adoption of cloud computing has accelerated, and a recent report found that this process is now reaching a tipping point.
However, it’s important to appreciate the very real security and risk concerns when moving your enterprise IT from a traditional in-house model to the cloud.
I’m not saying the cloud is less secure than your enterprise IT environment. In fact, it’s the opposite for most organisations that move into the cloud, partly because the leading cloud providers invest heavily in making their cloud very secure. Most of this investment is beyond what your typical enterprise IT or even organisation can afford. So it makes sound business judgment to leverage the millions – if not billions – of dollars in investments leading cloud providers have poured into their offerings.
Nevertheless, the ultimate responsibility for securing your corporate data in the cloud lies with you and your organisation. Securing your data in the cloud presents a number of challenges depending on the cloud deployment model you choose – Private, Public, Community or Hybrid. These challenges could be around government regulations, cross-border policies, code of practice, industry regulations and consumer and user privacy issues.
So while moving to the cloud is mostly secure, commercial and legal risks can be further minimised if you address and implement what I call the 4 critical pillars of secure cloud adoption. They are:
Understanding your organisation’s regulatory compliance requirement is a crucial step when adopting cloud strategy. This could be PCI, HIPAA or other similar regulatory requirements.
One classical example is data sovereignty. From my experience, I see clients or prospects interested to know the geographical locations where their data is stored or will be stored. This is because different regulations apply to different jurisdictions. For instance, Australian policies apply to your data stored within Australia. Likewise, U.S. Privacy Act may apply if your corporate data resides in the U.S. These regulations are generally enforced by industry regulators such as APRA, which is the financial industry watchdog in Australia. In its last report, APRA effectively put banks on notice regarding their cloud consumption practices due to data sovereignty, among other issues.
One way to address this issue is to choose a cloud provider that has a track record deploying on-premise cloud solutions. This is not to say public cloud providers can’t be used. In fact, most of the leading public cloud providers have attempted to address this concern. However, you need to make a decision based on your regulatory compliance requirements and not on what a cloud service provider’s brochure claims. Even if their marketing material claims adherence to compliance, don’t take it on a face value; ask for proof.
Understanding which cloud environment is the right one for you is essential to ensuring a safe journey to the cloud. Many organisations choose a multi-tenancy option because multi-tenancy is the foundation of the public cloud and relates to sharing of cloud resources. Its main attraction is cost-effectiveness. Cloud sharing can cover compute (vCPU, vRAM), storage, internet and more.
The equivalent of Public Cloud would be living in an apartment block and having flat-mates who share the unit or the room with you. The IT industry’s term for this is “multi-tenancy” and refers to other residents in the cloud sharing resources with your organisation. In the roommate scenario, it would be like your roommate sharing facilities, such as the kitchen, living room and bathroom, with you.
On the other hand, if you live in a house without flat-mates where you’re the only person to use and access the kitchen, bathroom, living room, etc., this is equivalent to Private Cloud. Multi-tenancy would therefore not be of concern to your organization if you adopt Private Cloud.
Now, if a Public Cloud service provider experiences some kind of cyber-attack, say a Distributed Denial of Service (DDOS) attack, this has the potential to affect everyone using the multi-tenanted environment. You can see how this can create a massive headache for clients that share the same environment. Because a DDOS has a tendency to hog the shared resources to a point where it makes the resource virtually unusable, it’s a little like being stuck in traffic while on your way to work.
There have been actual incidents where hackers compromised a guest instance and used that to attack the rest of the cloud instances sharing the same host, as well as attack the hosts within the same cluster. Fortunately, some security vendors were proactive in coming up with a cloud native version of their security solutions to address and mitigate the risk.
Recently, there were also widely publicised public cloud outages that impacted numerous organisations. Interestingly, despite the outage of the common infrastructure, some small number of organisations didn’t suffer any negative impact, thanks to in-built redundancy that allowed them to failover to an alternate site.
The lesson here is that you must arm yourself with as much knowledge as possible about the potential risks multi-tenancy can impose on your business. It’s important to carefully weigh the advantages and disadvantages of multi-tenancy versus Private cloud – especially if you operate in a highly regulated industry like pharmaceutical.
- Identity and Access Management (IAM)
To truly ensure your cloud uptake is secure, you should address Identity and Access Management (IAM). This covers the overarching issue of establishing identity and then using that identity to control access to cloud resources. Identity and access management is fundamental to cloud design, as you must be able to establish the identity of a cloud consumer and then manage their access to resources within the cloud environment. However, it’s important to remember that IAM also applies to administrators and to services that may access your cloud.
Essentially, the IAM answers three basic questions:
- Who is authorised to access corporate data in the cloud?
- What level or privilege is this authorization at?
- Do we know what is going on (auditing)?
To adequately answer and address these questions, you will need to work with an organisation that has experience securely moving similar clients to the cloud. Make sure the security tools they suggest are cloud native tools, preferably Software as a Service (SaaS) based and independent from the public cloud service provider ecosystem.
- Cloud Access Control
Most enterprise cloud users access resources via the Internet or some kind of management console provided by their cloud provider or third party. This increases enterprise IT risk, not only from browser vulnerabilities but also from the possibility that accounts with elevated privileges will fall into the wrong hands. The presence of Shadow IT in your enterprise only magnifies the access threat.
Shadow IT is an industry term describing the challenges presented by employees and business departments that bypass internal IT to acquire and use cloud resources from a public cloud provider. The most efficient way to address this is to step back and get a holistic view of the organisation’s security posture, and then take appropriate risk mitigation action. This may include security awareness campaigns for employees, conducting further staff training, etc.
Gartner identified Cloud Access Control as a critical security imperative and recommends that organisations get as much information as they can about the people who manage their data. “Ask providers to supply specific information on the hiring and oversight of privileged administrators, and the controls over their access,” Gartner says.
Other Cloud Security Elements
Following are some related and supporting elements worth thinking about to make corporate data in the cloud more secure:
I’ll be covering these crucial cloud security elements in my next upcoming article, so stay tuned.
Assad Jees is a 20 year IT veteran specialising in next-generation technologies such as cloud.