For those that have recently been keeping up with our Cloud Research and Innovation Series, you will by now be aware that many businesses across the globe are turning to cloud solutions. IaaS, SaaS and PaaS all have an increasingly large part to play in business IT strategy, and there are a whole host of benefits which are no longer an added convenience but a necessity for the modern 21st century worker. This is now becoming a realisation for most managers and CEO’s, who are battling against time… and competitors, to get cloud technology incorporated into their business infrastructure. However, as you will have found out from our series so far, there are a number of key considerations to make, in which security is frequently an afterthought in the rush to use all the convenient features that cloud technology provides.
Below, we will look at some of the key considerations’ businesses need to make when considering their cloud migration strategy.
Whose responsibility is it to implement cloud technology?
Cloud providers generally refer to a shared responsibility model when referring to security. The level of responsibility you hold will depend on the type of cloud platform you choose, whether that be Saas, PaaS, IaaS, on premises. The diagram below indicates who is responsible for each aspect in the different cloud models.
If you choose the on premises model, it is likely your IT team and Architecture (Shadow IT) teams will manage this. However, as seen in the diagrams above, the other three models have various levels of responsibility, and this is where we begin to see a shift in management away from the IT teams and towards other areas of the business. As cloud services begin to get provisioned across different departments, anybody with a budget can technically provision cloud services, meaning no longer do requests have to go via an IT team to spec hardware, ensure rack, cabling and power in the data centre, then actually provision the device. All of this can now be done with a credit card, which is good for agile and convenient provisioning, but bad if no thought is given to controlling the provisioning, or rather, controlling the data and the access to it.
This is something to keep in mind when considering which parties are involved in your cloud migration strategy.
What security features are available?
As cloud offerings have matured, so have the security features that are available alongside them. At the start of the journey to cloud, there were little or no security controls available outside of some pretty basic network controls. Security providers managed to fill the gap to some extent, and virtual Firewalls started to arrive in the marketplace for provisioning as part of the environment. However, early adopters faced some challenges, and whilst feature sets, aesthetics, and usability might be familiar from on premise appliances, cloud restrictions have slowed the development of some fundamentals. This leaves us asking questions such as - Could it be managed by on premise central management? Is Clustering an option? What about monitoring?
Jump forward a few years and we have many more security products to choose from, many of which have gone through an early cycle of acquisition and adoption by some of the bigger and more traditional security vendors. These vary from traditional controls which can now be extended to the cloud (for example multi-factor authentication and data loss prevention) or more specific security tools such as cloud discovery and Posture Management.
For more info on cloud security, our dedicated SNS team are able to help.
Choosing a cloud technology vendor
In today’s climate, there are a multitude of cloud vendors to choose from, however it can be easy to get carried away with all of the new and incredible features available with this sort of technology. Whilst adopting all of this new technology is great, it is important to consider integration with other systems and stakeholders, as well as your ability to virtually secure all of these new features. It’s important to be realistic here and consider whether you have the time, resources and the budget to integrate all of the new cloud features you were hoping to gain. Having a detailed migration strategy can again help with this.
Many cloud services are also able to provide their own security features, and depending on the vendor, these will offer varying levels of control and visibility. One of the advantages of this is that the security offerings have been developed alongside the cloud products so they will work in harmony together. However, one of the disadvantages is that a cloud vendor may have a completely different idea of what ‘good’ looks like, compared to a cyber security managed services and solution provider.
What are the main features of cloud technology I should look for?
All of these different tools come with the usual pains - cost, suitability, training and reporting; however, one area where cloud technology has improved dramatically is visibility. Generally speaking, any events worth noting from a security perspective are now made available in the form of monitoring or SIEM tools, either through traditional methods or through API’s developed in partnership with the SIEM vendors. This eases the headache of yet more tooling with little visibility provided outside of its own interface.
To summarise, cloud security shares a lot of similarities with on-premise security, and even though it’s digital, in terms of security, it should be thought about in the same way. One of the key takeaways from this post should be that whilst it can be easy for anyone in the business to acquire cloud technology, security considerations should be factored into your migration strategy first, no matter how small the change. In addition, it’s important to consider how any new cloud technology will sit alongside your current business structure. Most importantly, take the opportunity to unify tooling and don’t let your data escape!
For more info on adopting cloud technology, take a look at some of our previous posts in the cloud series, and keep an eye out for more to come throughout the next few weeks! And as always, our team can be contacted here if you have any further questions!