02 October 2021 | Scott Nursten
On-demand availability, scalability, measured services, accessibility from anywhere … the benefits of cloud infrastructure are many. However, this does not mean cloud is a magic bullet guaranteeing success. And, contrary to popular belief, cloud does not automatically take care of cyber security either.
Why does your business need the cloud?
I hear organisations state three reasons for cloud adoption, and they’re not the best. One: to save money. Two: to remove the hassle of running and maintaining their own servers. Three: because everyone is doing it.
Better reasons could be to drive resilience, provide services in different geographies or to new clients. Specific service requirements are another good reason. As an example, if a key service depends on a web application, it makes sense to be in the cloud, instead of trying to create global, resilient web architectures yourself.
Even with a clear reason to migrate, it still doesn't mean that your entire business belongs in the cloud yet. Using a cloud adoption framework and ensuring your ‘why’ is aligned with your security strategy should come first.
How responsibility for security is shared between you and your cloud provider
It is a huge mistake to assume your cloud provider takes responsibility for your cyber and data security.
All major providers - AWS, Google Cloud, Azure, DigitalOcean, Linode, Rackspace - specify their own terms and conditions regarding which areas of security they manage.
Most commonly, the provider takes responsibility for physically securing their data centres to an extremely high standard, attested under SOC 2/3 or ISO 27001/27018, for example, or several of these.
They secure their own management, virtualisation and storage platforms. In addition, some level of distributed denial of service (DDoS) protection is usually included: if someone tries to take out their cloud with mass traffic attacks, the traffic is stopped upstream before it reaches your network.
Your security responsibilities
Securing your infrastructure, whether on-premise or cloud, remains your responsibility. If you run cloud services, there is no security provided out of the box.
If you open Remote Desktop Services on Windows to the internet, for example, nothing prevents it from being attacked. But before you consider tactics, the most important aspect is your overarching security strategy – which, unfortunately, most organisations we engage with simply don’t have.
Every organisation should have a three-year security roadmap in place; it is an imperative. Your cloud strategy should support this security plan. Again, start with questions: Can we maintain our levels of security? Can we plug recognised gaps effectively? Can we justify the costs? Does the business case still stack up if we move this to the cloud?
“What if I don’t have a security strategy?” I hear you ask. Simple answer – time to get one.
Use a cloud adoption framework
The 6 Rs ensure best practice with your migration: Rehost, Replatform, Refactor, Retire, Replace and Retain.
Considering each of your workloads and use cases in turn, the 6 Rs allow you to assess and plot each potential migration, ensuring they’re managed in the most cost-effective and business-appropriate way.
The first step, Rehost, for instance, is often called ‘Lift and Shift’. This fast, simple route to the cloud is favoured when a hard deadline looms, such as a data centre closure. However, it lifts and shifts everything including legacy issues. Whichever applications are not suitable for Rehost are then assessed under Replatform, and so on.
Overcoming cloud challenges
While the essential tools and techniques are the same in the cloud, they are deployed differently.
The easiest way to handle this is to select a cloud-native provider, one whose platform was created in the cloud or with the cloud in mind, rather than a partner who has adapted existing technology to fit cloud requirements.
Many cloud challenges are the flip side to a benefit. For example, you can spin up machines almost anywhere fast, creating high availability, improving resilience and putting servers much closer to customers. This also increases your attack surface massively.
Another challenge is visibility of how traffic flows through a virtual network. In a data centre you can physically trace cables or use separate racks to mark private and public zones, whereas in the virtual world those boundaries are abstract. Despite virtualisation having been around for years, visualising a virtualised environment is still a distinct skill.
When you can fire up machines all over the world in a few clicks, the danger of Shadow IT increases rapidly. We recently heard from an organisation that receives a research grant from a big UK manufacturer. When there is a research project with a tight deadline, they purposefully go around IT, engaging a cloud provider to get things moving.
Shadow IT has increased exponentially, because it’s so easy to fire up a whole new IT infrastructure in the cloud. In bigger organisations, this is a growing problem and becoming very serious. How do you secure assets you don’t know about?
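The visibility problem above, that you cannot secure assets you don’t know about, is usually tackled by reconciling what the cloud provider actually reports against the asset register IT maintains. The following is an added example, not code from the original post or from any provider’s SDK: it runs over a constructed inventory (the `CLOUD_INVENTORY` list stands in for the output of a provider’s instance-listing API, and `ASSET_REGISTER`, `APPROVED_REGIONS` and `REQUIRED_TAGS` are assumed organisational policy) and flags unregistered machines, machines in unapproved regions, missing ownership tags, and management ports such as RDP reachable from a public address. All names and values are hypothetical.

```python
from dataclasses import dataclass

# Constructed sample data: the shape a provider's instance listing might return.
# In a real run this list would come from the provider's API, one call per region.
CLOUD_INVENTORY = [
    {"id": "i-0a1", "region": "eu-west-2",
     "tags": {"Owner": "platform", "CostCentre": "CC100"},
     "public_ip": None, "open_ports": [443]},
    {"id": "i-0b2", "region": "eu-west-2",
     "tags": {"Owner": "research"},
     "public_ip": "203.0.113.10", "open_ports": [3389]},
    {"id": "i-0c3", "region": "ap-southeast-1",
     "tags": {},
     "public_ip": "203.0.113.22", "open_ports": [22, 80]},
    {"id": "i-0d4", "region": "eu-west-2",
     "tags": {"Owner": "platform", "CostCentre": "CC100"},
     "public_ip": "203.0.113.30", "open_ports": [443]},
]

# Constructed asset register (what a CMDB export would contain): assets IT knows about.
ASSET_REGISTER = {"i-0a1", "i-0d4"}

# Assumed organisational policy.
APPROVED_REGIONS = {"eu-west-2"}
REQUIRED_TAGS = {"Owner", "CostCentre"}
MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP"}


@dataclass
class Finding:
    asset_id: str
    issue: str
    detail: str


def reconcile(inventory, register, approved_regions, required_tags, management_ports):
    """Compare the provider's view of the estate with the organisation's own records.

    Returns one Finding per policy deviation; an asset can raise several.
    """
    findings = []
    for asset in inventory:
        aid = asset["id"]

        # Shadow IT: the provider knows about it, the asset register does not.
        if aid not in register:
            findings.append(Finding(aid, "unregistered",
                                    f"not in asset register; region {asset['region']}"))

        # Machines spun up outside the regions the business has agreed to operate in.
        if asset["region"] not in approved_regions:
            findings.append(Finding(aid, "unapproved-region", asset["region"]))

        # Ownership tags are how you find who to ask when something looks wrong.
        missing = sorted(required_tags - asset["tags"].keys())
        if missing:
            findings.append(Finding(aid, "missing-tags", ", ".join(missing)))

        # A public address plus an open management port is the exposure the post warns about.
        if asset["public_ip"]:
            exposed = [management_ports[p] for p in asset["open_ports"] if p in management_ports]
            if exposed:
                findings.append(Finding(aid, "exposed-management-port",
                                        ", ".join(exposed) + " reachable from the internet"))
    return findings


def summarise(findings):
    """Group affected asset ids by issue type, sorted, for a quick board-level view."""
    by_issue = {}
    for f in findings:
        by_issue.setdefault(f.issue, set()).add(f.asset_id)
    return {issue: sorted(ids) for issue, ids in by_issue.items()}


if __name__ == "__main__":
    results = reconcile(CLOUD_INVENTORY, ASSET_REGISTER,
                        APPROVED_REGIONS, REQUIRED_TAGS, MANAGEMENT_PORTS)
    for f in results:
        print(f"{f.asset_id:8} {f.issue:26} {f.detail}")
    print(summarise(results))
```

Run regularly, a check like this turns the question "how do you secure assets you don’t know about?" into a list of specific machines to register, retire or lock down, and the summary per issue is what you would put in front of the board.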
Questions for IT
Did we implement our cloud platform using a framework?
How are we doing asset management, monitoring and ensuring controls are consistent between our on-premise environments and the cloud?
Do we have a cloud strategy aligned to our security strategy?
Can you present it to the board?
Join us for a live Driving Clarity event where we discuss tech strategies, industry news and project hurdles. Places are limited to keep these events intimate and to give everyone round the table a chance to speak. Register your interest here to receive first notification of the next event.