The five stages of cloud (security)

By David Emm, Principal Security Researcher, Kaspersky Lab.

Tuesday, 22nd May 2018. Posted by Phil Alsop.

Whether a conscious decision, natural occurrence or key part of your IT strategy, embracing the cloud at some level for mission-critical services or infrastructure needs has become the norm for all businesses today, as they look to lower the total cost of IT ownership and improve efficiencies.

 

Large-scale adoption of, and immersion in, cloud computing has increased significantly over the past few years – from email platforms through to HR and CRM services – as the benefits and understanding of what the cloud offers have been proven.

 

Security has been a key consideration at each stage of the cloud adoption cycle, as IT provision has moved from on-premise to outside a company’s walls. Equally, faced with simultaneously using private and public cloud along with on-premise providers, companies need to understand which entity is responsible for protecting which data asset.

 

To truly understand the cloud security journey and where we are now (and what’s next), we need to take ourselves back to a time when servers, software and most business operations sat in a building, and ownership and maintenance were someone’s responsibility.

 

Stage one: ‘Check out the size of my server’

With a server room on-site, the ability to ‘see and touch’ IT provision gave businesses peace of mind that their IT was safe. They had complete control and ultimate responsibility, making security straightforward and something that could often be achieved with basic cybersecurity software and robust policies.

 

But as demand on networks and bandwidth grew, and storage capacity reached breaking point, physical space to accommodate a company’s IT needs and the associated costs fast became a barrier to IT ownership. Cloud was the next natural step to lighten the load, but was often implemented to the detriment of security.

 

Stage two: Growing up and out

Instead of holding everything in, the growth in cloud technologies allowed companies to easily expand their IT provision and keep up with the demands placed on their infrastructure by customers and the business.

 

But despite the promises, the advent of cloud was greeted with mixed emotion. The IT team became the driving force behind cloud as a way to meet efficiency and performance KPIs. But for IT security, a new element of risk was starting to creep in. Driven by business leaders wanting to achieve better performance and flexibility, cloud was fast becoming the way forward – but the security surrounding it was often an afterthought, with no strategic or joined-up approach. Spam, ransomware and data theft are just as big a problem in the cloud as they are on premise – and out of sight shouldn’t mean out of mind.

 

Stage three: IT fights back

With the IT department feeling empowered, concerns were raised over the security of cloud services and the viability and visibility of off-premise solutions. However, the IT security team often lost the debate, with the board and business directors dictating the case for cloud adoption. Security was often overlooked in favor of business gain.

 

But, for all of the benefits that cloud adoption gave a company, it was also fast becoming a cybercriminal playground, and a haven for lucrative information and personal details. In moving infrastructure to the cloud, many companies assumed that their provider would take responsibility for its security. So security was pushed down the priority list.

 

However, this is not always the best strategy, as users of Amazon Web Services would testify. Misconfigured S3 cloud storage buckets left sensitive data unsecured and exposed, affecting numerous companies including Accenture, the US military, and the Australian Broadcasting Corporation (ABC), all of which have experienced data leaks as a result. No matter what level of cloud services was being used, it quickly became clear that companies needed to take all means possible to secure their own data.

 

Stage four: The C-suite pulls rank

Despite concerns, the C-suite’s desire for efficiencies is now seeing companies increasingly rely on cloud. Indeed, Kaspersky Lab’s own research has found that when it comes to software as a service, 78%[1] of SMBs and enterprises are already making use of at least one form of cloud service, with three quarters (75%) planning to move more applications to the cloud in the future. Infrastructure is no different. With a quarter of companies (25%) already taking a hybrid approach and 24% planning to do so in the next 12 months, the security of a sprawling IT infrastructure should not be to the detriment of the benefits it offers.

 

Stage five: A new approach

With cloud computing now an accepted norm, its continued adoption is undeniable and unstoppable. But security needs a different approach: one that can secure even the most complex infrastructure and any cloud configuration. The nature of hybrid cloud adoption means that there isn’t a one-size-fits-all security fix, as there perhaps once was with on-premise provision.

 

Any solution needs to be flexible, manageable and performance-led, so as not to undermine the benefits of cloud. No matter whether you take a hybrid, hosted or private cloud approach, having visibility of what services and data reside where is the first fundamental step in protecting your business. Once that is determined, each part of the cloud infrastructure must have its own set of security measures and technology – to protect your business from cyber-threats, just as you would protect any data and devices within the company walls.

 

Cyber-threats will continue to evolve and target data, no matter where it is stored. Only by deploying security technology that uses a mix of machine learning and up-to-date threat intelligence can an organisation ensure the best protection for its chosen network environment and data.