The cloud. Soft. Cushiony. Far up in the sky. The cloud beckons us to store, manage and secure our data and applications, freeing us to go on with our work with peace of mind. As a businessperson, I know how comforting the cloud can be, but as an information security professional, I know that a cloud can still produce a storm, and that migrating to the cloud doesn’t necessarily mean the end of thinking about security.
According to a 2018 cloud computing study by IDG, about three-quarters of surveyed organizations had at least some cloud presence. Most use about a 50/50 mix of cloud services and local infrastructure, but the trend is skewing rapidly toward cloud — with many looking to eventually transition their systems entirely. So, why this massive stampede to the cloud?
Despite rapid miniaturization and advances in computer processing, data centers and server farms take up a large proportion of corporate real estate, personnel and expenditures. IT departments require dedicated spaces, controlled climates, loads of power, constant monitoring, frequent refits, maintenance and a highly trained support staff. In addition, the rise in both the frequency and sophistication of hacking threats has made information security an expensive but compulsory activity requiring expert professionals.
The emergence of high-speed, high-bandwidth, reliable telecommunications over the past decade, however, has made the cloud a reality, allowing organizations to deal with their computing needs as outsourced services, including software as a service (SaaS), infrastructure as a service (IaaS) and platform as a service (PaaS). The “as a service” model is growing and extending to ever more specific disciplines.
The advantage of cloud computing to a business, particularly a smaller one, is that the administration and management of computing resources — including the specialized area of information security — is put in the hands of experts. This classic division of labor allows everyone to increase productivity in their specialties.
But, as always, there is no free lunch. There are trade-offs that must be considered and well understood, especially when considering migration from a data center to a cloud. Some of these trade-offs center around the critical matter of security.
Cross-Platform Cloud Security
The cloud is not a mystical, ephemeral land in another dimension. It’s composed of hardware, software and people, just as it would be if it were on an organization’s own campus. It is thus subject to the same threats and vulnerabilities as any other system. Breaches can and do happen in the cloud.
However, I believe that the real challenge lies in managing security within a hybrid cloud/local scheme as well as across multiple clouds. If not approached properly, having this mixed arrangement can actually lead to a weakened security posture. In order to operate efficiently, cloud service providers rely on the dynamic sharing of computing resources. This is one of the aspects of cloud computing that makes it so cost effective compared to running one’s own data center, but it complicates security across domains.
Security policies are still catching up with the new paradigm of having data and applications spread among multiple platforms. One of the cardinal tenets of information security is the principle of segmentation, which is violated by the very nature of cloud computing. Not all clouds universally support the same tools, and conversely, not all tools work seamlessly across clouds or between the clouds and local systems. The upshot of all this is that migration from a local platform to a cloud requires careful planning and a coherent strategy.
Taking The Plunge
A few steps taken before initiating migration to the cloud go a long way toward preventing security headaches down the road. Even if the migration is being managed by an outside party, it’s good to have these considerations in mind before and during the process.
1. Get an assessment, preferably an outside view, of your current information security posture as it stands with your current infrastructure. There are professional cybersecurity companies that specialize in doing this. If there are any standing vulnerabilities, you want them addressed prior to migration so you have a solid baseline posture from which to begin.