life in the cloud

Morey Haber, BeyondTrust: think of the positives and negatives, because your cloud implementation will probably have both.

James Wickes, Cloudview: key benefits are instant access from any location, greater scalability and increased storage.

rules around data breaches, including a requirement for internal documentation for their management and a need to inform all individuals affected by a breach in certain circumstances.

"A well-implemented cloud system caters for record-keeping, access permissions management, content redacting, recording schedule management and audit trailing to a degree that simply isn't possible in a system based on many devices, in many locations, and allows this kind of management to be achieved remotely," Wickes points out. Not all cloud providers offer all these facilities, though, so organisations must ensure their provider itself is compliant with the forthcoming legislation. They should also bear in mind that many cloud providers have clauses that allow them to share data with third parties - clearly inappropriate for personal data.

Meanwhile, the notion that the cloud is not secure is "a fallacy", he insists. "Cloud or otherwise, anything connected to the internet is prone to a cyber attack. It is only not secure for people who have no idea about security in the first place. Organisations wanting to use the cloud need to maintain high standards of cyber hygiene, which hopefully they already have in place. This means embedding security into every technology used, and creating a culture of security through policies and ongoing education."

Security should be seen as an advantage, not a disadvantage, to the cloud, Wickes argues. "Most cloud-based systems have been designed to only allow access by authorised users; data is most often encrypted and, as with most cloud-based systems, considerable measures have been taken to prevent unauthorised access or hacking.
Cloudview, for example, securely consolidates visual data from all CCTV systems - both analogue and digital - into encrypted data on a secure cloud server. It has been designed to only allow access by authorised users and considerable measures have been taken to prevent unauthorised access or hacking. Data is protected using encrypted bank-level security and regular firmware updates."

HOME COMFORTS

One of the positives of cloud is that the costs of public cloud services are continuing to fall, says Drew Markham, service strategist, Fordway. "You can now buy a server/instance for only a few pounds per month. However, all is not what it initially seems and there is much more to running a service/application than server capacity. Buying public cloud is like buying the shell of a house - you can live in it, but need to add utilities, flooring and furniture to make it a home. Your house is also part of a massive virtual complex, so you are in effect sharing some of the facilities with other residents. The security provided by the operators is just for the complex, so you will have to provide your own front door locks to prevent undesirables wandering in."

He offers as an example a simple application that runs 9 to 5. Eight hours of computer time can look significantly cheaper than fully loaded internal costs. However, running that application requires additional systems such as login/authentication, firewall etc. These need to be powered up beforehand, so 9-5 quickly becomes 7-9 or longer. "Then add multiple interactive systems, increasing complexity and cost. Shutting down and restarting these systems has to be sequenced, and some employees will want access outside core hours, so you will quickly find yourself requiring 24x7 running. Your costs are now three times the headline price and you still need to add monitoring and management.
When you factor in the cost of migration, the sunk costs of a computer room (unless your equipment is near end-of-life), a disaster recovery solution and staff who know the systems, what was initially an easy cost justification becomes much more expensive."

26 computing security May/June 2018 @CSMagAndAwards

This does not mean public cloud is necessarily more expensive or a bad choice, he is quick to add - simply that you need to factor in all the potential costs. "First, baseline your existing IT provision against business requirements, in order to categorise and prioritise the systems you require. Then design those services and plan a migration timeline before going to market. Most suppliers have different cost models, but, by using this definitive blueprint, you can make a realistic comparison between the various options."

It is also important to consider service delivery, adds Markham. "You could accidentally increase costs, if you select a cloud platform or supplier that does not have the same risk and value framework as your organisation in their processes and operations. Flexibility is key."

HOME COMFORTS

The technology rate of change, and the complexity of different cloud technologies and operations, creates inconsistency and gaps in security configuration, settings, completeness of tools and the level of automation achieved. "This increases the probability for exposing (known) vulnerabilities, incomplete visibility and human errors that by themselves or together increase the likelihood of intrusion and compromised information," states Rob Koeten, chief software architect, Pulse Secure. "This is exacerbated when dealing with ephemeral peak-demand scale-out deployments that temporarily present significant exposure."

Advances in container based microsegmentation, automated continuous delivery, source-code defined configuration and policies, granular access authorisation and data encryption, while not (yet) perfect, now provide the key capabilities for improved cloud security, he advises. "Micro-segmentation enables granular access management, as well as limits exposure in so-called east-west traffic.
Most cloud providers now provide integrated hardware key management solutions, with back-end integration to their persistence services for data encryption in motion and at rest. This not only secures the production copies of the data, but all versions, analytics or back-up replicas as well."

With the increasing adoption of virtualisation, cloud and micro-service technologies in the software-defined data centres, it is unclear that the cloud infrastructure providers are actually worse off, Koeten adds. "One can easily argue that with likely larger, often more focused staff, the cloud providers in the long run are better equipped to address specific security needs. In addition, cost constraints force cloud operators to fully automate, support self-service and drive compliance, in order to satisfy their tenants' needs. Couple that with overall increased connectivity and collaboration of a greater variety of customers, employee and partner user-community, trusted and untrusted devices and IoT devices. Their various forms of secure access to services in both data centres and cloud infrastructure surely seem to create a more level playing field. And, from a competitive perspective, enterprises may not have much of a choice but to adopt such multi-cloud strategy."

The cloud services' agility, flexibility and OpEx cost model outweigh the risks, he states, especially when it comes to commoditised or non-differentiating services (eg, email services, collaboration services, contents management services, sales & HR management services etc.). "Emerging secure access orchestration solutions that holistically manage the overall multi-cloud environment will provide the necessary policy and control consistency, in the cloud as well as in the traditional and cloudified data centres."

Mike Ahmadi, DigiCert: optimistic that we can overcome the drawbacks of cloud computing.
Rob Koeten, Pulse Secure: microsegmentation enables granular access management, as well as limits exposure in so-called east-west traffic.