With the benefits increasingly understood, we are seeing more businesses moving to a ‘cloud first’ strategy, writes Dave Nicholson, Technical Sales Consultant at IT firm Axial Systems.
As they make the move, however, they must keep data and network security top of mind. Early in the process, they will need to choose a third-party provider partner whose terms and conditions align with their own business strategy, which understands the issues around data sovereignty, and whose contract makes clear who is liable when something goes wrong.
Businesses need to ensure that data transitioned to their provider’s care is encrypted the moment it lands. They must also decide what data they want to move into the cloud. That’s why we are seeing the hybrid cloud model becoming the de facto solution for businesses, who see the benefit of retaining more sensitive customer data within local resources.
One of the big issues for any organisation running hybrid cloud is whether it has a security policy that works seamlessly across on-premise and cloud. If somebody wants to access the business’ on-premise data they go through a gateway, often a VPN. However, if an employee tries to access data in the cloud, the business will likely lose control over that process. Many cloud services come with username/password authentication out of the box, and that may bring further risk. The challenge for the business is to manage and mitigate that risk in the same way as it would its on-premise service risks. After all, cloud data belongs to the business, not the cloud service provider, and the business is ultimately responsible for protecting it.
This concern plays into wider issues organisations have around visibility. Organisations can set up a virtual private cloud (VPC) but if they want to know exactly how all their applications, databases and web front-ends are interacting, that will require an additional technology layer that allows them to mitigate risk.
A key part of this is to increase the authentication level devices require before they are given access to data stored on the public cloud. Businesses can, for example, deploy an authentication portal or an access broker, which means that if a user wants to access data in the cloud, they must authenticate via the business’ own domain. This critical touch point enables the organisation to establish control over who can gain access to its private data and from what devices.
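The access-broker idea above can be made concrete as a small policy-decision function. The code below is an added example written for this article, not code from Axial Systems or any product; the request fields, the policy thresholds and the corporate domain `corp.example` are assumptions, and the sample requests are constructed. It shows the two checks the paragraph describes, namely that the identity was issued by the business’ own domain rather than a cloud-local password account, and that the device presenting it is one the business manages, with a step-up to a second factor in between.

```python
"""Access-broker decision logic for cloud-hosted data (constructed example)."""
import json
from dataclasses import dataclass
from enum import Enum

CORPORATE_DOMAIN = "corp.example"  # assumption: the business's own identity domain


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"  # require a second factor via the corporate IdP first
    DENY = "deny"


@dataclass(frozen=True)
class Request:
    user: str             # principal name, e.g. "alice@corp.example"
    idp_domain: str       # domain of the identity provider that authenticated the user
    mfa: bool             # was a second factor presented in this session?
    device_managed: bool  # is the device enrolled in the business's device management?
    data_class: str       # "public", "internal" or "confidential" (assumed labels)
    source_ip: str        # recorded for the audit trail only


@dataclass(frozen=True)
class Policy:
    corporate_domain: str = CORPORATE_DOMAIN
    mfa_required_for: frozenset = frozenset({"internal", "confidential"})
    managed_device_required_for: frozenset = frozenset({"confidential"})


def evaluate(req: Request, policy: Policy) -> tuple[Decision, str]:
    """Decide whether the broker lets the request through to the cloud data."""
    # 1. The identity must come from the business's own domain, not a password
    #    account local to the cloud service.
    if req.idp_domain.lower() != policy.corporate_domain:
        return Decision.DENY, "identity not issued by corporate domain"
    if not req.user.lower().endswith("@" + policy.corporate_domain):
        return Decision.DENY, "user principal outside corporate domain"
    # 2. The most sensitive data is only reachable from devices the business manages.
    if req.data_class in policy.managed_device_required_for and not req.device_managed:
        return Decision.DENY, f"unmanaged device cannot access {req.data_class} data"
    # 3. Where the data class demands it, ask for a second factor before allowing.
    if req.data_class in policy.mfa_required_for and not req.mfa:
        return Decision.STEP_UP, f"second factor required for {req.data_class} data"
    return Decision.ALLOW, "policy satisfied"


def audit_record(req: Request, decision: Decision, reason: str) -> str:
    """One JSON line per decision so the broker gives the visibility the text asks for."""
    return json.dumps({
        "user": req.user, "idp": req.idp_domain, "device_managed": req.device_managed,
        "mfa": req.mfa, "data_class": req.data_class, "src": req.source_ip,
        "decision": decision.value, "reason": reason,
    }, sort_keys=True)


# Constructed sample requests covering each branch of the policy.
SAMPLE_REQUESTS = [
    Request("alice@corp.example", "corp.example", True, True, "confidential", "203.0.113.10"),
    Request("bob@corp.example", "saas-vendor.example", True, True, "internal", "203.0.113.11"),
    Request("carol@corp.example", "corp.example", False, True, "internal", "203.0.113.12"),
    Request("dave@corp.example", "corp.example", True, False, "confidential", "203.0.113.13"),
    Request("eve@corp.example", "corp.example", False, False, "public", "203.0.113.14"),
]


def run_samples(policy: Policy = Policy()) -> list[Decision]:
    """Evaluate every sample request, print its audit line and return the decisions."""
    decisions = []
    for req in SAMPLE_REQUESTS:
        decision, reason = evaluate(req, policy)
        print(audit_record(req, decision, reason))
        decisions.append(decision)
    return decisions


if __name__ == "__main__":
    run_samples()
```

The ordering of the checks matters: a request that never authenticated through the corporate domain is refused before any device or MFA question is asked, so the cloud service’s own password accounts never become a way round the broker.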
Once again, visibility is key, and in line with that many of the leading security vendors are bringing out virtualised versions of their firewalls, capable of sitting in the cloud infrastructure. Why is that so important? Well, if, to take an example, a business has its own data centre and in-house security and policies in place, it effectively has visibility over its data and also a sense of control. However, if the same business then moves some data to the cloud, it no longer knows for sure precisely which data centre the data is stored in, which rack it is kept on, or which server it is connected to.
A VPC offers one potential route forward. But if a business could instead simply take the same firewall it is using in its data centre, virtualise it and put it in the cloud, it has effectively widened its security out of its data centre – from the physical into the virtual world – and that security will be consistent across the different environments.
Such an approach gives businesses an extra layer of security on top of what the cloud service provider is already delivering. It also means that when the business looks at its overall security estate, it effectively does not matter whether the firewall it is deploying and the rule set it is generating applies to a physical data centre or a virtual one in the cloud. There is a single management platform and a consistent, consolidated view, and the business knows at a glance exactly how many policy violations it has had.
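The consistency the paragraph promises only holds if the virtualised rule set is actually checked against the data-centre one. The following is an added example, not code from the article or from any firewall vendor: it uses an assumed plain-text rule format (`<action> <proto> <src-cidr> -> <dst-cidr>:<port>`), normalises each rule so that differently written CIDRs compare equal, and reports the rules that drifted between the two environments. The two rule sets are constructed for the example; real products export their policies in their own formats.

```python
"""Compare a data-centre firewall rule set with its virtualised copy in the cloud
(constructed example; the rule syntax is an assumption)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str  # "allow" or "deny"
    proto: str   # "tcp", "udp" or "any"
    src: str     # canonical CIDR, e.g. "10.10.0.0/24"
    dst: str     # canonical CIDR
    port: str    # "443", "1024-65535" or "any"


def parse_rule(line: str) -> Rule:
    """Parse one rule line of the assumed format into a normalised Rule."""
    parts = line.split()
    if len(parts) != 5 or parts[3] != "->":
        raise ValueError(f"malformed rule: {line!r}")
    action, proto, src, _, dst_port = parts
    dst, port = dst_port.rsplit(":", 1)
    return Rule(
        action=action.lower(),
        proto=proto.lower(),
        # strict=False canonicalises host bits, so 10.10.0.5/24 becomes 10.10.0.0/24
        src=str(ipaddress.ip_network(src, strict=False)),
        dst=str(ipaddress.ip_network(dst, strict=False)),
        port=port.lower(),
    )


def parse_ruleset(text: str) -> set[Rule]:
    """Parse a whole export, ignoring blank lines and '#' comments."""
    rules = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            rules.add(parse_rule(line))
    return rules


def diff_rulesets(onprem: set[Rule], cloud: set[Rule]) -> dict[str, set[Rule]]:
    """Rules present on one side but not the other; both directions are drift."""
    return {"missing_in_cloud": onprem - cloud, "extra_in_cloud": cloud - onprem}


def overly_broad(rules: set[Rule]) -> set[Rule]:
    """Flag 'allow' rules open to the whole internet on anything but the HTTPS front-end."""
    return {r for r in rules if r.action == "allow" and r.src == "0.0.0.0/0" and r.port != "443"}


# Constructed sample exports. The cloud copy was edited by hand after deployment.
ONPREM_RULES = """
allow tcp 0.0.0.0/0     -> 10.10.0.0/24:443    # public web front-end
allow tcp 10.10.0.0/24  -> 10.10.1.0/24:5432   # web tier to database
deny  any 0.0.0.0/0     -> 0.0.0.0/0:any       # default deny
"""

CLOUD_RULES = """
allow tcp 0.0.0.0/0     -> 10.10.0.5/24:443    # same rule, non-canonical CIDR
allow tcp 10.10.0.0/24  -> 10.10.1.0/24:5432
allow tcp 0.0.0.0/0     -> 10.10.1.0/24:22     # added in the console, never in the data centre
"""


def report(onprem_text: str, cloud_text: str) -> dict:
    """Summarise drift and risky rules so the violation count is visible at a glance."""
    onprem, cloud = parse_ruleset(onprem_text), parse_ruleset(cloud_text)
    drift = diff_rulesets(onprem, cloud)
    broad = overly_broad(cloud)
    return {
        "drift": drift,
        "overly_broad_in_cloud": broad,
        "violations": len(drift["missing_in_cloud"]) + len(drift["extra_in_cloud"]) + len(broad),
    }


if __name__ == "__main__":
    result = report(ONPREM_RULES, CLOUD_RULES)
    for key, rules in result["drift"].items():
        for rule in sorted(rules, key=repr):
            print(f"{key}: {rule}")
    print(f"violations: {result['violations']}")
```

Here the default-deny rule never made it into the cloud copy and an SSH rule open to the internet was added there; both show up as drift, and the SSH rule is also flagged as overly broad. Running this comparison on every policy change is what turns “the same firewall in both places” into a verifiable statement rather than an intention.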
More and more companies are adopting this kind of approach – and increasingly they are even moving further down the line into the world of containerisation, micro-segmentation and micro-services, to develop smaller security platforms which no longer require an in-built operating system but still retain the same consistent policy engine.
So, in summary, we are seeing a growing number of businesses moving to the cloud and implementing a cloud-first approach – but they still must not neglect the security challenges.
Before businesses move to the cloud, they need to find a provider they can trust; define which services and applications to migrate and then put an effective security policy in place. Across this process, they need to find some form of access broker and an adaptive authentication mechanism that delivers optimum control. And they also need to consider putting in place a virtual firewall as an additional security layer. Do all that and they will have gone a long way towards achieving a fully secure approach to data access and be better placed to reap the rewards that moving to cloud services can bring.