Navigating the security challenges of a cloud first approach


With the benefits of the approach, from greater scalability to enhanced collaboration, increasingly understood, we are seeing growing numbers of businesses implementing a ‘cloud first’ strategy, focused on using cloud services whenever and wherever they can.

As they make the move, however, organisations should keep data and network security top of mind. Early in the process, they will need to choose a third-party cloud service provider, ideally one whose terms and conditions align with their own needs and business strategy. They will also need to understand issues around data sovereignty (which jurisdictions the data may be stored and processed in); what sort of compensation will be paid if security measures fall short; and, critically, who is liable when something goes wrong. Standard provider terms usually cap liability well below the value of the data they hold and leave the customer responsible for everything it deploys and configures on the platform, so contractual remedies are a backstop, not a control.

The very act of moving data to the cloud brings inherent security concerns. Data should be protected in transit (TLS to the provider's endpoints) and encrypted at rest the moment it lands on the provider's storage. Best practice is for the business to encrypt the data itself, with keys it controls, before it leaves the building. This gives two independent layers: if the provider's at-rest encryption, or an insider at the provider, is compromised, the business-held key keeps the data unreadable, because that key never reaches the provider. The trade-off is that data encrypted client-side cannot be searched, indexed or processed by the provider's services, so the approach suits archives and backups better than data that applications in the cloud need to work on.

Businesses must also decide what data they want to move into the cloud and what is retained in-house. That is why we are seeing the hybrid cloud model becoming the de facto solution for businesses that see the benefit of retaining their most sensitive customer data within local resources.

One of the big issues for any organisation running hybrid cloud is whether it has a security policy that works seamlessly across on-premises and cloud. If somebody wants to access the business's on-premises data they go through a gateway, often a VPN, where the organisation's own authentication and logging apply. If an employee accesses data in the cloud, however, the request typically goes straight to the provider's public endpoint, authenticated by the provider's own login mechanism, and the business has no control over it unless it has deliberately put itself in the path. That standard way of accessing cloud services is not necessarily aligned with the organisation's security policies.

Many cloud services come with username/password authentication out of the box, and that brings further risk: passwords are phished, reused across services and guessed, and a provider-local account is invisible to the business's joiner/leaver process. The challenge for the business is to manage and mitigate that risk in the same way as it would its on-premises risks, by federating the cloud login to its own identity provider and enforcing multi-factor authentication. After all, cloud data belongs to the business, not the cloud service provider, and the business is ultimately responsible for protecting it.

This concern over having a seamless approach to on-premises and cloud plays into wider issues organisations have around visibility. Many businesses remain concerned that when they transition data into the care of a third-party cloud service provider, they can no longer see what is happening to it.

Organisations can set up a virtual private cloud (VPC), which gives them a network boundary of their own, but if they want to know exactly how all their applications, databases and web front-ends are interacting, they need real visibility into the traffic: flow logs, traffic mirroring or an inspection point in the path. That requires an additional technology layer beyond the VPC itself.

Finding a solution

So, what are the right solutions to put in place to overcome such challenges? While educating employees remains key, businesses also need to find the technological solutions that allow them to mitigate risk.

A key part of this is to raise the level of authentication devices must meet before they are given access to data stored in the public cloud. Businesses can, for example, deploy an authentication portal or an access broker, so that a user who wants to reach data in the cloud must first authenticate against the business's own domain (in practice, federating the cloud service to the business's identity provider with SAML or OpenID Connect and disabling provider-local logins). This critical touch point lets the organisation control who can gain access to its private data and from which devices. Once it exists, the business can further mitigate risk by making the authentication mechanism adaptive: the assurance demanded depends on who the user is, where they are connecting from, what data they want to access and what device they are using, and a request that falls short is stepped up to a stronger factor or refused.
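The adaptive decision described above, written out as a small policy engine. This is an added example, not code from the article or from any vendor's access broker; the network ranges, data classifications and rules are constructed assumptions, and a real broker would take user, device and classification facts from the identity provider, device management and data-classification systems rather than from the request itself.

```python
"""Adaptive access decision for a cloud access broker (constructed example).

The policy: the more sensitive the data and the less trusted the network and
device, the stronger the authentication the broker demands before it hands
the user a session to the cloud service. Unknown data classes fail closed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed office and VPN egress ranges (constructed for this example).
CORPORATE_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]

# Ordering of the assurance levels the broker can demand or observe.
LEVELS = {"password": 1, "mfa": 2, "mfa+managed_device": 3}
DATA_CLASSES = {"public", "internal", "confidential", "restricted"}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    source_ip: str
    device_managed: bool   # device is enrolled in the business's management
    data_class: str        # classification of the data being requested
    auth_method: str       # what the user has presented so far: "password" or "mfa"


def on_corporate_network(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in CORPORATE_NETWORKS)


def required_level(req: AccessRequest) -> str:
    """Assurance the policy requires for this request, or "deny"."""
    if req.data_class not in DATA_CLASSES:
        return "deny"                      # unclassified data: fail closed
    on_net = on_corporate_network(req.source_ip)
    if req.data_class == "restricted":
        # Only managed devices on the corporate network, always with MFA.
        return "mfa+managed_device" if (on_net and req.device_managed) else "deny"
    if req.data_class == "confidential":
        if not req.device_managed:
            return "mfa" if on_net else "deny"
        return "mfa" if on_net else "mfa+managed_device"
    if req.data_class == "internal":
        return "password" if on_net else "mfa"
    return "password"                      # public data


def presented_level(req: AccessRequest) -> int:
    """Assurance the request has already demonstrated."""
    if req.auth_method == "mfa":
        return LEVELS["mfa+managed_device"] if req.device_managed else LEVELS["mfa"]
    return LEVELS["password"]              # anything else counts as a bare password


def decide(req: AccessRequest) -> str:
    """Return "allow", "deny", or "step_up:<level>" when the session must be
    strengthened (for example by prompting for MFA) before access is granted."""
    need = required_level(req)
    if need == "deny":
        return "deny"
    if presented_level(req) >= LEVELS[need]:
        return "allow"
    return f"step_up:{need}"


if __name__ == "__main__":
    # Constructed sample requests: 10.1.2.3 is inside the office range,
    # 198.51.100.7 is a home or coffee-shop address.
    samples = [
        AccessRequest("alice", "10.1.2.3", True, "restricted", "mfa"),
        AccessRequest("alice", "198.51.100.7", True, "restricted", "mfa"),
        AccessRequest("bob", "198.51.100.7", True, "confidential", "password"),
        AccessRequest("carol", "198.51.100.7", False, "internal", "password"),
        AccessRequest("dave", "10.1.2.3", True, "secret", "mfa"),
    ]
    for r in samples:
        print(f"{r.user:6} {r.data_class:13} from {r.source_ip:14} -> {decide(r)}")
```

The point of separating `required_level` from `decide` is that the rules live in one place and are evaluated identically whether the request arrives at the on-premises gateway or at the broker in front of the cloud service; the step-up result is what lets the broker raise assurance for a risky request instead of refusing it outright.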

Once again, visibility is key, and in line with that many of the leading security vendors are bringing out virtualised versions of their firewalls, capable of running inside the cloud infrastructure. Why is that so important? If a business has its own data centre with in-house security and policies in place, it has visibility over its data and a sense of control. If the same business then moves some data to the cloud, it no longer knows for sure which data centre the data is stored in, which rack it sits on or which server it is connected to, and it cannot put a physical appliance in front of it.

A VPC provides the network boundary. If the business then takes the same firewall it is using in its data centre, virtualises it and runs it inside that VPC, it has effectively extended its security perimeter out of its data centre, from the physical into the virtual world. Crucially, the security controls are then consistent across the different environments.

Such an approach gives businesses an extra layer of security on top of what the cloud service provider is already delivering. It also means that when the business looks at its overall security estate, it does not matter whether a given firewall and the rule set it enforces apply to a physical data centre or a virtual one in the cloud. There is a single management platform, a consistent, consolidated view, and the business can see at a glance exactly how many policy violations it has had.
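What "a single rule set and a count of policy violations" looks like in practice, as an added example that is not code from the article or from any firewall vendor: one declarative rule set, written once for both environments, is checked against the traffic the cloud actually carried. The rule set, the three-tier network layout and the flow records are constructed assumptions; the record layout follows the default fourteen-field format of AWS VPC flow logs, but the same audit applies to any provider's flow export.

```python
"""Audit observed cloud traffic against one policy rule set (constructed example).

A "violation" is a flow the cloud ACCEPTed that the business's policy says
should have been denied: the cloud-side controls have drifted from the rule
set the on-premises firewall enforces. The reverse case (policy allows, cloud
rejected) is reported too, because it is usually a broken application.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY_PROTO = -1


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # CIDR
    dst: str               # CIDR
    proto: int             # 6 = TCP, 17 = UDP, ANY_PROTO = any
    dport: Optional[int]   # None = any destination port


# Assumed layout: 10.20/16 is the web tier, 10.30/16 the database tier.
# Rules are evaluated first match wins; anything unmatched is denied.
POLICY = [
    Rule("allow", "0.0.0.0/0", "10.20.0.0/16", 6, 443),     # internet -> web front-ends
    Rule("allow", "10.20.0.0/16", "10.30.0.0/16", 6, 5432),  # web tier -> database
    Rule("deny", "0.0.0.0/0", "10.30.0.0/16", ANY_PROTO, None),  # nothing else reaches the DB tier
]


def policy_decision(rules, src, dst, proto, dport):
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if (s in ip_network(r.src) and d in ip_network(r.dst)
                and r.proto in (ANY_PROTO, proto)
                and r.dport in (None, dport)):
            return r.action
    return "deny"  # implicit default deny, as on the physical firewall


def parse_flow_record(line):
    """Parse one default-format VPC flow log record; None if unusable.

    Field order: version account-id interface-id srcaddr dstaddr srcport
    dstport protocol packets bytes start end action log-status.
    NODATA/SKIPDATA records carry '-' in the address fields and are skipped.
    """
    f = line.split()
    if len(f) != 14 or f[0] != "2" or f[13] != "OK":
        return None
    return {"src": f[3], "dst": f[4], "sport": int(f[5]), "dport": int(f[6]),
            "proto": int(f[7]), "observed": f[12]}


def audit(rules, lines):
    """Compare what the cloud did with what the policy says; return a summary."""
    result = {"records": 0, "violations": [], "blocked_but_allowed": []}
    for line in lines:
        rec = parse_flow_record(line)
        if rec is None:
            continue
        result["records"] += 1
        expected = policy_decision(rules, rec["src"], rec["dst"], rec["proto"], rec["dport"])
        if rec["observed"] == "ACCEPT" and expected == "deny":
            result["violations"].append(rec)
        elif rec["observed"] == "REJECT" and expected == "allow":
            result["blocked_but_allowed"].append(rec)
    return result


# Constructed flow records: two legitimate flows, one internet host reaching
# the database directly (ACCEPTed by the cloud: a violation), one correctly
# rejected SSH attempt, one policy-allowed DB flow the cloud rejected, and
# one NODATA record that must be ignored.
SAMPLE_FLOWS = [
    "2 123456789012 eni-0a1b2c3d 198.51.100.7 10.20.1.10 51324 443 6 12 4096 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.20.1.10 10.30.2.5 48222 5432 6 30 8192 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 198.51.100.7 10.30.2.5 51400 5432 6 3 180 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.20.1.10 10.30.2.5 48300 22 6 1 60 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 10.20.1.10 10.30.2.5 48400 5432 6 0 0 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d - - - - - 0 0 1700000000 1700000060 - NODATA",
]

if __name__ == "__main__":
    summary = audit(POLICY, SAMPLE_FLOWS)
    print(f"{summary['records']} records, {len(summary['violations'])} policy violations")
    for v in summary["violations"]:
        print("  VIOLATION", v["src"], "->", v["dst"], "port", v["dport"])
```

Flow logs record what the cloud's own security groups and network ACLs decided, so this audit tells the business where those cloud-native controls disagree with the policy its firewalls enforce; the count it produces is the "policy violations at a glance" figure, and each entry is a concrete rule to fix in the cloud or an exception to record in the rule set.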

More and more companies today are adopting this kind of approach. Increasingly, they are moving further down the line into the world of containerisation, micro-segmentation and micro-services, where the enforcement point shrinks from a full virtual appliance with its own operating system to a lightweight container or host agent, while the same central policy engine still decides what is allowed between workloads.

Future prospects

So, in summary, we are seeing a growing number of businesses moving to the cloud and implementing a cloud-first approach, but they must not neglect the security challenges.

Before businesses move to the cloud, they need to find a provider they can trust, define which services and applications to migrate and then put an effective security policy in place. Across this process, they need some form of access broker and an adaptive authentication mechanism that gives them control over who reaches their data and from where. They should also consider putting in place a virtual firewall as an additional security layer, managed from the same platform as their on-premises controls. Do all that and they will have gone a long way towards securing data access and will be better placed to reap the rewards that moving to cloud services can bring.

Dave Nicholson, Technical Sales Consultant, Axial Systems