Cloud has opened up new possibilities and advantages for organisations. We know that cloud is delivering upon its promise and that many businesses are looking for further ways to leverage the flexibility, scalability and agility of cloud for business advantage. But as the potential for progress grows, so does the potential for risk and failure. How can we continue to stay one step ahead and deliver further results with cloud?
There is never a complete removal of risk, but following certain steps and empowering colleagues to make safe decisions can considerably improve your chances of avoiding a difficult situation.
Step 1 - A few basics
It’s important to approach the cloud environment with similar procedures to physical infrastructure. Anything at the operating system level in the cloud behaves as it would on a physical server: the same vulnerabilities and threats apply, and people will always be looking to exploit those vulnerabilities.
Patching operating systems is often a security professional’s first step, but many do not follow through with ongoing patch updates or a systematic patch maintenance procedure. Make sure your patching protocol includes regularly reviewing new patches for your operating systems.
In addition to patch maintenance, anti-virus and anti-malware are required on each endpoint, and pre-encryption is strongly recommended in order to provide a last line of defence. In the case of a breach, data that is already encrypted is unreadable to attackers, which avoids a catastrophic situation.
Step 2 - Combined solutions
A measure which is often employed to reduce critical risk is to use the public cloud for less critical functions; this helps to reduce costs, while a small dedicated physical infrastructure is kept for functions which necessitate a higher level of protection. Using a combination of cloud and physical infrastructure can be a real win; organisations can identify the strongest and most appropriate elements of each and apply them within their own solution.
With cloud there is an extra controlling layer, known as a ‘virtualised management layer’, so any service provider offering cloud should be offering a ‘hardened management layer’; preferably one which has security controls around it and is separately validated by a third-party accreditation.
Step 3 - Public cloud
When utilising public cloud and some hybrid cloud solutions it is important to think about the level of vulnerability testing you would like to conduct. If there are shared elements which are multi-tenanted, there can be issues with penetration testing and vulnerability testing. Penetration testing shared elements is often out of the question because it is unlikely that your co-tenants will be happy for you to start bombarding firewalls - which they are using - with traffic or test attacks. This is something to consider with anything that is shared; it could potentially result in more superficial testing than would be the case with a dedicated hosting solution.
Something which CIOs need to consider when weighing up the strengths and weaknesses of their solution is that public cloud can sometimes be more vulnerable than dedicated hosting solutions. In the public cloud the security procedures of the weakest member of a shared solution can leave the whole of that cloud vulnerable to attack.
Terminology can sometimes vary between providers so it is also important to define what is being offered. With private cloud it is prudent to ask how they define this term, and which dedicated elements are available; with hybrid you should ask which elements are shared and which have dedicated controls. Standards like PCI dictate dedicated functions on separate servers with firewalls for particular high risk or mission critical services.
It is always important to ask the right questions of your provider and a good provider should be happy to engage in a dialogue and explain which of their services will be appropriate in order for you to be compliant.
Step 4 - Stay informed
Be keen and stay up to date with which algorithms have been cracked. Security is never stable; it’s an ongoing battle between attackers and security personnel.
Providers should have strong communications and information available in real time. They are often able to issue press releases and blogs to keep you updated – a good way to help maintain security. Dialogue and engagement between you and the cloud service provider is a good step towards maintaining best practice and staying ahead of threats.
Step 5 - Data sovereignty – where’s my data?
Data sovereignty is another important question. You need to be assured that your data is being hosted in a physical location where data protection laws are strong. You need to ask whether the data is going to be moved between nation states.
Often people don’t know where those cloud servers are – which doesn’t particularly affect us at UKFast – but for someone using, for example, software as a service, it’s very difficult to see where that particular data is held. If you are using software from an American company, say Office 365, you have to ask where that data resides and what the legal jurisdiction is on that data.
We see now that the EU is trying to exert more control over the big US based operators. It is important to be aware of the developing legislative landscape when looking into potential cloud solutions. Cloud is in its infancy and the EU Data Protection Directive in a year or two will reshape the landscape again. Even the USA is having discussions about more stringent data protection. All of this plays into the importance of the question: ‘Where’s my cloud?’
This is an evolving issue, and one which CIOs and information staff will need to monitor. The main thing which distinguishes cloud infrastructure concerns from physical concerns is being diligent over where your data is held.
Step 6 - Logging and monitoring
Monitor your environment for developing threats – this is a must. To secure an environment you need to be aware of what’s going on in it. Logging and monitoring is important for secured cloud solutions; you should have a picture of what your environment looks like. Firewalls should be fitted with intrusion detection as a minimum standard.
Logging and monitoring services which plug into your solution are offered by some providers and are a great tool in helping you to be proactive rather than reactive. Assess your prospective provider; what kind of tools can they offer?
Does the provider you’re looking at offer data loss prevention, which can scan areas of your solution to identify whether critical data is getting where it should not be? If there is an area of your solution which is not so well protected, you will need to ensure that critical or highly confidential data is not stored in or transited through the weak spots.
There is always the risk that data can leak into areas without your knowledge; that’s why monitoring is so important. Understanding your data and how it moves will help you to spot when something is not as it should be. Obviously when data is at rest you should be encrypting it.
Increased visibility is a capability which good providers will support you with, helping you to spot potential threats before they become a catastrophic risk.
Step 7 - Physical measures
Physical security is also a concern, obviously. You need to be asking the right questions: is the site permanently manned? Has it got CCTV? Has it got perimeter fencing? Access controls? Admission policies? There might be a need for a compartmentalised data centre where your solution is housed in a separate area of the datacentre with an extra layer of access required. It might be prudent to check whether your cloud provider is vetting their staff properly.
Some of these controls are only necessary in the case of ultra-high-end security requirements, but they are available if needed.
Step 8 - Balance the risk and enjoy the benefits
It’s all a matter of risk assessment when it comes to weighing up a new solution. You have to balance the flexibility, scalability and all of the other fantastic benefits afforded by the cloud against the layers of management that the cloud can sometimes require. Can you manage the risk and balance it against the reward?
About the author
Lawrence Jones is CEO of UK Fast and was awarded an MBE in the 2015 New Year's Honours List for Services to the Digital Economy. UK Fast recently appeared in the Sunday Times Profit Track 100 ranking with profits of £11m in 2014 on a turnover of £28.9m and its UKFast Campus in Manchester is home to over 200 employees and hosts a graduate programme and apprenticeship scheme.
His first business venture was The Music Design Company, a business dedicated to providing the North West with entertainment and event organising. At its height the company had over 240 musicians on its books.