Since a few years, cloud computing has invaded and impacted our professional habits. Our needs in this matter increased on a rapid pace every day, particularly since 2020 with the widespread shift to remote work, the “home office” move we all know. In this context, the question of security has also become every day a bit more important as there is not a day passing without a news feed reporting a security breach.
In this article, Sébastien Obry, SME Cloud and Security at Ivy Partners, explores key security considerations in the field of cloud computing and shares insights to help you navigate these challenges effectively.
First Things First: Understanding the Basics
What is cloud computing?
We all have an idea about it, but do we truly understand what it really covers? Without being overly formal or obsequious, here is what can be retained from standardization organizations such as ISO, NIST and CSA, as well from major industry players:
It is first about using resources or services through network access. It is “on-demand” or “self-service”, and it scalable and elastic. It is measured, both in terms of performance and financial aspects.
What is security, particularly what is security in the context of the cloud?
First, when we talk about security, what are we talking about? Well, in simple terms, it means protecting a company’s assets, which includes data, but also infrastructures (physical or virtualized), intellectual property, or even physical access to buildings for instance. Any security standardization organization agree on the CIA triad:
When discussing cloud computing security, it involves all the measures needed to secure your cloud-based assets. In particular, the access to your data, and all your virtualized solutions. Examples include, however non-exhaustive, data classification and data encryption, at any stage (data at rest, in transit and in use), access controls, best practices implementation, security-by-design, governance, risk management, defining asset life cycles, monitoring, auditing, legal compliance, contractual awareness and cloud vendor management.
What are the challenges of cloud computing and cloud computing security?
Far above any other challenge, data security remains the primary concern in cloud computing. This is why data encryption is so important, even for efficiently deleting data, as encryption is the only reliable way for secure deletion of data in the cloud. Nevertheless, data encryption at any stage requires a reliable capacity to encrypt/decrypt, which may involve some significant investments (at least, this is not where you should spare money).
Regulations and compliance play also a vital role when considering cloud infrastructures. Laws are different in every jurisdictional area of the world, offering opportunities and imposing a lot of duties and rights. Data protection laws such as RGPD in EU, or the LPD and cantonal laws in Switzerland are examples, but there are many others to consider.
Multi-tenants is a concept that comes into play when debating data security. As a cloud customer, you are most likely sharing physical infrastructure with other tenants, opening the possibility for malicious actors to attempt privilege escalation to access your data.
Navigating multi-tenancy and multi-cloud challenges
Multi-cloud is another big challenge. It is obvious today that to avoid vendor lock-in/vendor lock-out, multi-cloud is mandatory. However, this approach, comes with another set of challenges, like interoperability and flexibility which are two essential characteristics to be able to move solutions from one cloud to another, if required. It also means you are not depending on a specific cloud vendor technology, and you will use mainly X-platforms technologies. You then become dependent from their capacity to keep their platform up to date with third party software. In any case, there is a delay between the outcoming of the last version proposed by the editor and the update of the Cloud provider on its platform. This is something to consider, as it allows zero days attack on a longer period. Multi-clouds or hybrid cloud is also far more complex to manage.
Network accessibility is another big challenge itself, as it is mandatory for cloud solutions. It requires redundancy, which can be costly as data exchange volumes increases between on-premise and cloud infrastructures grow. And finally, it does not depend on you…with on-premise solutions, you are somehow autarkic, but if your solutions rely on ISPs and Cloud providers, then you should plan redundancy with more precautions.
Additional Insights
There are two other topics that seem particularly interesting when it comes to cloud computing and security:
Governance and controls is the first one. As your information system will now be partly outside your premises, it requires a stronger governance. Efficient control structures must be implemented to monitor activities – knowing what happens, when it happens and who made it happen, and so on and so forth.
Logging and auditing are very important parts of cloud infrastructures. Regular monitoring, analysis, and adjustments to upgrading or downgrading your structure to meet your evolving needs is key. Cost management also plays a significant role. Although cloud infrastructures are generally more cost-effective, poor management can turn them into financial burdens. Therefore, as part of the job, the situation should be reassessed regularly, as well as reworking and optimizing the structure.
The second topic is the lack of expertise, which is a great deal too! Many traditional IT professionals think “Cloud computing is like standard IT, but virtualized”. In simple terms, it is not. Cloud computing offers a wide range of tools and integrated solutions in ways that have not been seen before with on-premise solutions. It evolves fast and regularly.
Your Next Move
If you are new to the field of Cloud Computing, building a team’s expertise and relying on subject matter experts (SMEs) during the initial stages of the journey is the best decision you can take to avoid wasting time trying or falling into the common pitfalls that cloud technology can present.
That’s where Ivy Partners comes in. We are ready to help and support in every step of the journey, guiding you until you are fully prepared to confidently manage your cloud infrastructure on your own.
About the Author
Sébastien Obry
SME Cloud and Security
Sébastien Obry is a SME in Cloud and Security at Ivy Partners. Engineer with over 20 years of professional experience across various domains in computer science, including more than 13 years in project and team management, Sébastien thrives on tackling new challenges in his role as Senior Manager. His expertise spans a wide range of IT fields, with a particular focus on project management, architecture, security, virtualization, networking, and cloud technologies. Sébastien’s dedication to innovation and his comprehensive understanding of technology make him a valuable asset in delivering cutting-edge solutions.