We would like to keep you up to date with the latest news from Digitalisation World by sending you push notifications.
Digital Newsletter
Each week our editor Phil Alsop rounds up the most popular articles, videos and expert opinions. We compile this into a Digital Newsletter and send it straight to your inbox every week.
Digital Magazines
We'll let you know each time a new edition of Digitalisation World is released so that you're always kept up-to-date with the latest and greatest news and press releases.
Video Magazines
The Digitalisation World Video magazine contains the latest Zoom interviews with experts in the industry.
Businesses are demanding increased levels of security and compliance when migrating their IT to the cloud. Despite widespread adoption of cloud services , the perception that it carries risk remains high among security professionals , with one of the most significant barriers to cloud implementation being the increased compliance and regulatory challenges that organisations face when choosing to move to cloud services or hosted solutions .
Let’s face it, at the outset the journey to cloud can seem daunting. Whatever stage a business is at in terms of cloud migration, securing the data and infrastructure that will be hosted there must be a top priority. What are the key stages of the journey to consider before entrusting parts of your infrastructure to a cloud provider?
1. Identify the cloud model that suits you best
There are broadly three models of cloud computing: Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) .
The choice of model will influence not only how an organisation will use the cloud but also the specific security concerns you’ll need to address. For SaaS you need to especially ensure that the vendor you choose has built security you can trust into their offering. In the case of PaaS you will want to make sure that you can find compatible encryption that doesn’t degrade performance. With IaaS it may be that uncontrolled access is your biggest concern. Once you’ve fixed on the model that suits you try to ensure you’re not going to encounter any security “dealbreakers”.
2. Decide carefully which type of systems can be safely migrated to the cloud.
Decisions around which systems or applications will move to the cloud are usually informed firstly by compatibility and then by cost. Any systems that are already virtualised will be first in line because they represent the most flexible parts of the organisation’s architecture . Next, it’s important to weigh up the nature of any data that could be stored or accessed by these systems once in the cloud. Compliance requirements at this point could potentially make the migration more complex. The type of cloud deployment an organisation opts for will also impact directly on who is responsible for data. As illustrated here, as the more of your system is devolved to a cloud provider the greater responsibility they take for the running of it, including its security.
Before deciding to migrate its most sensitive data types, a company needs to evaluate how the current security skill measures will work in the cloud environment. It can be worthwhile creating a checklist to classify resources by the kinds of data they store or handle.
3. Ensure you know who is accessing your hosted systems and data
When an organisation takes on a cloud provider to supply the infrastructure, it needs to recognise that more people will be accessing the systems and data. In the case of a completely managed service, there should be a way to see who is accessing your service and what actions they’re taking. In the case of IaaS or PaaS then strongly consider investing in a way to control access for administration, not just for the cloud provider, but also for your own teams. Putting systems in the cloud could be a golden opportunity to begin to properly manage access for privileged users. Why not create an environment where only those who NEED access to systems get it when they need it? Where no local passwords are known or need to be changed? The better control and visibility you have of when resources are accessed, upgraded or altered, the more secure these systems will be. A cloud provider should be able to demonstrate what steps they take to ensure access management is effective not only for their admins but yours too.
4. Use encryption wherever and whenever you can
Traditionally encrypting cloud computers has ended up being a question of balance. How much of your performance can you bear to sacrifice to protect data on cloud-based systems?
There are now numerous methods for encrypting cloud data, from whole disk encryption to file based network encryption and even encryption gateways that can classify and secure data as it moves. Consider all of them. And don’t forget keeping remote desktop and admin sessions encrypted as well to prevent account hijacking . Your cloud provider’s capability in these areas will be a good indication to you of how seriously they take your data security.
5. There’s always the possibility something could go wrong. Monitor and record activity.
The ability to record and audit activity on cloud systems is important from two standpoints. Firstly, to ensure compliance and give you an audit trail in the event of a breach, but also to give you the kind of visibility you need to see how effective your cloud provider is. Identifying activity taken on a server before a problem arising, ensuring that service providers meet agreed SLAs and defined patching regimes or that work you expect to be undertaken has been successfully completed will undoubtedly give you peace of mind, especially if you can watch these activities in real time and even take action if you need to. Even better if all this valuable intelligence doesn’t cost you in terms of performance. Choose an agentless solution if possible to maintain or even boost system responsiveness.
The benefits of session recording for audit, compliance and breach prevention are well documented. But as cyber security insurance becomes increasingly commonplace, recording activities in this way could provide the vital proof if you need an insurance policy to pay out.
Ultimately, cloud security is a shared responsibility between the cloud service provider and the client. And understanding how that division of responsibility for security works will be key before beginning any migration. For example, knowing which security technologies you will be directly responsible for and whether these technologies can be services you consume from the cloud or solutions you bring to the cloud.
Last but not least, not all cloud service providers are created equal. Some cloud service providers started out focusing primarily on scalability, ease of use, accessibility, and bolted on security after the fact. Others started out with security built-in and pursued rigorous certifications and accreditations to prove it. Undertake due diligence and select a cloud service provider who is able to demonstrate to you that their cloud services are designed and managed in alignment with security best practices and industry standards.
