Organizations are putting more workloads into public cloud, including business-critical applications. The worldwide public cloud services market is projected to grow at a compound annual rate of nearly 22%, reaching $277 billion by 2021, and 41% of enterprise workloads are expected to be running on public cloud platforms.
But what about the idea of an organization outsourcing all of its applications—together with the confidential data stored in them—to one or more cloud providers?
The mere suggestion of such a possibility may cause IT security and data protection experts to hyperventilate. Even now, 90% of cybersecurity professionals say they are concerned about cloud security, particularly data loss and leakage, threats to data privacy and breaches of confidentiality.
The reality is that a wholesale migration to the public cloud is not only feasible; it can be accomplished without sacrificing security. Moreover, switching to a cloud environment can mean a security improvement in some areas.
The key, as it is with any important IT initiative, is highly intensive preparation, with an acute awareness of the potential stumbling blocks. A successful cloud migration revolves around understanding two points:
- Which services is the company operating itself today, and in what form?
- How can these functions and applications be covered securely in a future cloud environment?
Answering these questions early in the process is vital to any cloud migration, whether you are moving specific workloads and applications, or completely giving up your own data center operations and moving everything to the cloud.
Negotiating the SLA
A critical step is negotiating the service level agreement (SLA) with the cloud provider. The SLA should guarantee availability (as confidentiality and integrity are mainly in focus of the company’s application setup). In fact, a cloud provider should be able to ensure a level of availability that is better than you would likely be able to achieve in your own data center.
Why better? Because it is almost impossible—from a cost perspective—for any individual company to operate at the same level as a highly specialized cloud infrastructure-as-a-service provider. The same goes for physical security, emergency power supply, fire extinguisher systems, monitoring cameras, fences, access control systems.
These components are typically state-of-the-art for cloud providers and are continuously being updated. Very few individual companies can afford this. The missing element is the scale effect from which a cloud provider benefits.
Another vital aspect of preparation is taking the proper inventory ahead of the cloud migration. In addition to IT infrastructure and security teams, it is necessary to involve the teams responsible for running individual applications, such as SAP or Microsoft Exchange. Their security needs should be combined with the requirements of the other IT teams.
Make sure your teams are not viewing key functions, such as data encryption, as a mere matter of course simply because they were treated that way in the company’s own data center. Proper coordination and planning across IT and security disciplines demand that every aspect of the migration feeds into the contractual documents with the cloud provider.
During this process, applications managers need to accept that they will have less control but, in return, greater reliability. By the same token, your teams need to build confidence in the provider’s management of updates and changes, with the knowledge that, if there is an issue, the previous operating status can be quickly recovered by installing a snapshot.
Time to recovery is another point that should be captured in the SLA, along with the nature and timing of the notification by the cloud provider, in terms of drawing attention to a potential problem and simultaneously offering a proposed solution.
Timing the Migration
Cloud providers typically commission external auditors once a year to carry out an accurate check of vulnerabilities. The results of these audits are relevant for the customer’s auditors. These reports are calibrated to the calendar year and are generally available in the winter. If your fiscal year ends in September, the report arrives too late.
For that reason, this is another point to consider in contract negotiations. If the report cycles do not fit with your reporting obligations, then interim reports are required. If these are requested after the contract has been concluded, you can incur costs running into six figures. Cloud providers that supply these audit reports on a quarterly basis are ideal. Otherwise, a compromise should be negotiated before signing the contract.
Deploying Security Technology
With public cloud environments, the concept of protection alters fundamentally. With on-premises infrastructure, IT might have tried to make data centers as secure as possible with proverbial walls and ditches. This approach is no longer feasible due to access from the outside via mobile endpoint devices by workers, partners, Internet of Things (IoT), etc. Cloud migration is the purest form of this change since practically all access comes from the outside.
Given that paradigm shift, the challenge is to move the security mechanisms closer to the applications. Instead of surrounding the whole network with one wall, there are many small walls around the SAP system, OLTP system, CRM, web server, e-commerce server, etc. Security efforts are focused on the points where the critical data is located. This is all the more relevant given the reality that endpoint devices cannot be armed for complete defense against malware infections.
Especially on cloud services (SaaS), take a close look at which parts of the service are really required and either deactivate or correctly configure these services to avoid having unknown backdoor access through “forgotten” service details.
Handling Incident Response
The handling of security incidents is critical. Clarification is needed as to how the provider will act in case of a successful attack by criminal hackers. If customer data worthy of protection is flowing to the outside for a number of hours due to the lack of capacity to intervene, that can lead to major problems, not the least of which is running afoul of the European Union’s General Data Protection Regulation (GDPR).
In this case, it may be better to purchase a self-administered firewall and run it in the cloud provider’s data center (usually as a virtual appliance). All data flows through this firewall to the applications concerned, including traffic from internal networks. If there is a successful attack, the cloud customer can immediately terminate dangerous data flow using this firewall, without a ticket and without any delay.
Since every cloud provider offers its own firewall systems, it is likely that only a few potential customers would have this requirement. However, many companies may find that control, monitoring and insights may be worth an additional expense. Similar insights into data flows can potentially be purchased via the cloud provider or a managed security services provider. These potential costs must be factored into the budget.
Doing What’s Right
Cybersecurity professionals are paid to worry about cybersecurity. So, naturally, they will be concerned about cloud security, now and into the future. As a business leader you should not let these concerns stop you from doing what you think is right for the business.
In fact, you should use their concerns to inspire and incentivize your teams to take the proper precautions and preparations in migrating applications to the cloud. Cybersecurity doesn’t have to be a roadblock to the cloud. In fact, when done properly, it can be an on-ramp.
Steffen Siguda is Corporate InfoSec Officer and Data Protection Officer at OSRAM Licht AG.