Around October, I had the privilege of speaking at five conferences/webinars on cloud and infrastructure security as part of cybersecurity awareness month, including one as part of the Financial Times Digital Dialogues Series. These are no doubt a reflection of how far the industry has moved in terms of leveraging the public cloud for enterprise assets and resources. The COVID-19 pandemic removed barriers to cloud adoption and accelerated activity, including for highly regulated industries with large on-prem/private cloud infrastructure. In response to a public health crisis, organizations needed to pivot quickly to keep everyone safe whilst maintaining corporate operations.
As public cloud vendors are designed to provide resources to multiple organizations, they can build out far more extensive infrastructure to support a distributed workforce than the hub-and-spoke model traditionally seen in large enterprises. The business and operational requirements of the pandemic accelerated investment cases and approvals for most organizations to move assets into the public cloud. Given the speed at which this happened, careful planning to leverage the power of the cloud and the full suite of tools it offers was not possible for many, and a 'lift and shift' approach was used instead. This often resulted in inefficient use of cloud resources and security controls, with some organizations now retrospectively refactoring and re-engineering their assets and resources to make proper use of cloud-native capabilities and security controls. It is no coincidence that market demand for individuals with cloud and cloud security skills has skyrocketed, which is also reflected in the number of conversations on the subject at conferences.
As early adopters such as retailers and start-ups would tell you, the cloud is incredibly responsive to changes in demand for resources. Whilst early conversations about the cloud centered around cost reduction, the pandemic has highlighted its core values: flexibility and agility in the face of change, in addition to more granular security controls for distributed workforces. The pandemic focused Boards' minds on how quickly things can change, and on how the ability to respond to changeable environments will be critical to an organization's long-term presence in the market.
One of the often-cited concerns around public cloud assets involves cybersecurity and system controls on public clouds, which are multi-tenanted in nature. In fact, even government organizations handling sensitive information have been using multi-tenanted infrastructure and systems for a decade. In 2012, I was one of the network engineers onsite to deploy new infrastructure and platforms for UK Cloud, which provides cloud services to the UK Government. Indeed, the UK government has been pushing a cloud first policy internally and has published guidance online:
https://www.gov.uk/guidance/government-cloud-first-policy
Ultimately, it is about trust: specifically, whom you trust. Historically, that decision rested on the assumption of a clear delineation between internal and external assets and systems, and organizations trusted internal assets and systems more. However, even for private clouds, the line between internal and third-party is blurred. This is especially true for specialist and operational staff: even the largest enterprises rely on outsourced or third-party specialists, and large in-house operational management teams are becoming the exception rather than the norm.
Regardless of whether you run a physical data center or leverage public cloud services, technical controls, including centralized access control and network segmentation, should be used in combination with mature governance of people and processes. The public cloud is simply a data center someone else owns; the security control objectives and best practices are the same, even if the mechanisms differ (API-driven identity and network policy rather than physical firewalls and badge access).
The organizations that suffered the greatest impact after a breach were typically those with a relatively poor security posture, regardless of whether their assets resided in a private or public cloud. Indeed, because public clouds are multi-tenanted, their operational controls must be granular by design, and modern infrastructure supports that. Education helped to allay concerns, including those surrounding security, and business and operational necessity, as we saw during the pandemic, accelerated public cloud adoption for many organizations.
Public cloud comes in a variety of 'flavors', all of which carry the suffix 'as-a-Service' with a prefix of 'infrastructure', 'platform' or 'software' (IaaS, PaaS, SaaS), depending on how much of the stack the vendor manages on your behalf. For every 'flavor', security is a shared responsibility between the cloud vendor and the end-user organization: the vendor's share grows from IaaS to SaaS, but the customer always retains responsibility for identity and access management, data classification and the configuration of the services it consumes. Just as the public cloud is not inherently insecure, having assets on the public cloud does not absolve an organization from ensuring that information and assets are appropriately protected. As a senior security advisor and fellow panelist for a large multi-national stated at the Financial Times webinar, 'you can't outsource your reputation!'.