Aidan Donnelly follows the ever-growing adoption of the cloud – and its security implications for businesses large and small.
One of the key tenets of technology is that it allows us to do things ‘Faster – Better – Cheaper’ than we have done in the past. We are in the midst of many large secular trends that are changing the landscape in more ways than we can imagine.
Terms like the cloud and big data are fundamental elements in a wave of technological change that can best be summed up by: store it, secure it, analyse it, access it. These trends bring new dimensions in the form of ubiquitous access and applicability.
The benefits of cloud computing, particularly for smaller companies with limited budgets, are significant, particularly when compared to the traditional data centre model. This ‘old world’ approach provided a model in which a single computer application required a fixed set of hardware resources to support it, including a server, fixed network access, and storage.
Given technological constraints, the environment was rather inflexible, as running multiple applications on a single server created insurmountable complications due primarily to resource allocation issues.
As such, an entire server was generally devoted to a single application – which proved to be an expensive proposition, especially after considering the high levels of underutilisation that typically occurred.
Then some smart person looked to the heavens and found the answer! Cloud computing has many widely debated meanings but at its core is the concept of gathering computing resources (servers, storage, applications) into a shared pool and delivering these resources or application functionalities as a service either within, or from outside the organisation, on a per use basis.
WEATHER FORECAST: CLOUD COVER TO INCREASE DRAMATICALLY
Opinions on the proliferation of the cloud fall into two main camps – the first is that everything moves to the cloud very quickly, while the second view believes that the transition is more gradual and ultimately not everything moves, resulting in a hybrid model forming. Given the large infrastructure footprint already in place, the latter point of view is more likely to be the actual result.
No matter the size of your company, nor where its applications and data reside, the most important issue will be the integrity and safety of your computer network. Therefore security is vital to cloud adoption, as information is migrated off-premise, and enterprises must address new concerns about data safety.
DON’T WORRY, BE HAPPY!
Perhaps the biggest concern is the loss of visibility, or more importantly control with respect to corporate security policies.
When data is migrated to the cloud, particularly the public cloud, enterprises have limited visibility or flexibility to adapt the cloud service provider’s security controls.
The most important issue will be integrity and safety
These internal company concerns are further exacerbated by external regulations as the use of cloud services may complicate the ability to comply with an increasing number of information security standards enforced by governments and industry mandates, such as the EU Data Protection Directive or the Payment Card Industry (PCI) Data Security Standard.
Data sovereignty is also a major issue because when data moves to the cloud, the company may be in one place – but the IT department may not control where data is stored in the world and which countries it may go through to get there.
While these areas relate more to issues of policy, there are practical concerns to be dealt with on a daily basis.
With the proliferation of devices and the increased mobility that comes with these devices, many companies worry that devices outside the corporate firewall can access enterprise cloud services and put private data at risk.
PROTECTING THE TOTALITY
While protecting the cloud in isolation is by no means a simple task, the changing technological landscape is making the situation even more complex.
As larger enterprises adopt the cloud, they are shifting from on-premise data centres to a hybrid cloud model, requiring IT departments to protect both on-premise networks and workloads as well as what lives in the cloud and the pathways connecting both domains.
In the early days of the cloud, security was a major reason for companies to defer their decision to move to the brave new world.
As time has gone by, the big cloud companies like Google, Amazon Web Services (AWS) and Microsoft have done a great job of securing their environments or at least making everyone believe they are more secure. Today there is a perception that the cloud is actually more secure than on-premise data centres.
SAFE, LIKE A WARM BLANKET!
It is a fair question to ask what has been driving this change in perception. The obvious answer is that the large cloud vendors know that security is a key proof of concept for the cloud and have much more resources they can dedicate to security.
They are analysing and updating their environment in real time and investing/developing new technology to combat a multitude of threats.
Every week we hear stories of how successful hackers have been
There is a natural trickle-down process in the model, as many of the smaller cloud companies run on the large cloud providers and thus can leverage their huge investments in security.
For smaller organisations there is the added peace of mind in knowing that the security software protecting your system is the most up to date version.
Internal IT solutions often require dedicated resources and can take longer to implement security patches than the cloud providers. Time is of the essence in cybersecurity and the cloud providers should be able to react faster than most IT organisations.
BIGGER… NOT ALWAYS BETTER
If the large service providers are the best resourced and best equipped, then why is there any hesitation in transferring everything to them? The fact is that they are the best equipped because they need to be.
From the viewpoint of the hacker or criminal organisation, cloud vendors – especially the large ones – are much larger and juicier targets than the average company. Think of the spectrum of information a hacker could get by hacking into AWS, Microsoft or Google.
And the threat is not just from external forces. When it comes to the large vendors the service offering is not confined to simply storing data.
Most players are infrastructure-as-a-service or platform-as-a-service vendors whereby they host millions of applications they did not develop and have no control over. Clients are loading up software to these cloud providers – who knows whether that software has already been compromised, and even whether a client could be a hacker?
For any organisation, the need to protect their data even if it is secured at a cloud hosting provider remains.
WHAT IF?
But what happens when there is a major cloud breach? Every week we hear stories of how successful hackers have been – you have to figure it is just a matter of time before one of the major vendors is impacted. Although not the result of a security breach, we recently saw the impact when something malfunctions in the cloud.
Amazon Simple Storage Service (S3) is storage for the internet and is used by more than 120,000 domains across the world such as Quora, Giphy, Instagram, IMDb, American Airlines, Imgur and Slack.
At the beginning of March it experienced a service disruption – in some cases entire sites went offline, and in others it was just parts of the service. A number of smart home devices that rely on S3 for parts of their functionality also experienced problems – that’s why the heating didn’t come on!
The cloud may well be the brave new world but as adoption rates increase, organisations will want to make sure that they experience the sunshine behind it rather than a deluge of rain!
About the author: Aidan Donnelly is head of Equities at Davy Private Clients. Views expressed in this article reflect the personal views of the author and not necessarily those of Davy. Follow him on Twitter @aidandonnelly1. J&E Davy, trading as Davy, is regulated by the Central Bank of Ireland.