What the Hack? - Q3 2021


Insights

You’re going “cloud first.” Have you made sure it’s secure?

by Andrew Gogarty, Chief Security Evangelist

What does “cloud first” actually mean?

A growing number of organisations are now exploiting the benefits of moving to the cloud, and for many of these the move was accelerated to ensure business continuity as a result of the pandemic. But before we consider the implications for resilience and security, let’s break down what’s typically in scope when organisations adopt a “cloud first” strategy.

The NCSC has broken down cloud into three main areas:

• Infrastructure as a Service (IaaS)
• Platform as a Service (PaaS)
• Software as a Service (SaaS)

For more detail about the associated risks of each of these areas, click here.

To further simplify and consolidate things for the purpose of this article, let’s break cloud into two distinct areas:

Workloads - Infrastructure moving to the cloud, e.g. servers, in-house applications, and databases (IaaS and PaaS)

Applications - Cloud applications “as a service,” e.g. Salesforce, O365, and ServiceNow (SaaS)

Both areas help with operational efficiencies, but the security fundamentals remain the same: you have data required to operate your organisation, and you have people/applications/services that require access to that data.

When moving to the cloud, security is still incumbent on the owners of the data in the cloud

“Using the cloud securely should be your primary concern - not the underlying security of the public cloud...Instead, concentrate your security effort on making sure your data is secure. In our experience, data breaches in the cloud mostly come from the customer failing to protect their own data. Leaving your data insecure and hoping no-one will find it is like leaving the car unlocked and hoping no-one will steal it.”

Source: The National Cyber Security Centre (www.ncsc.gov.uk)

As with securing on-premise environments, to ensure effective resilience against cyber attacks, you need visibility and control over the security of data and the access to that data.

According to a recent report by Gartner, it is estimated that through to 2023, at least 99% of cloud security failures will be the customer’s fault. The report goes on to outline two of the main causes of cloud security breaches:

Misconfiguration: “50% of enterprises will unknowingly and mistakenly have exposed some IaaS storage services, network segments, applications or APIs directly to the public internet.”

Access: “75% of security failures will result from inadequate management of identities, access, and privileges.”

A key driver fuelling these causes is ultimately a lack of visibility of cloud usage within organ

SECON CYBER

