When security REALLY matters, the cloud delivers

Should you worry about security in the cloud?

By now, a lot of us in the technology industry might be inclined to say ‘no’. But, despite the immensely solid underpinnings that cloud providers like Microsoft deliver, the correct answer is always ‘yes’. Yes, you should worry about security in the cloud, in much the same way that you always had a level of concern for the security of your data when it was under lock and key on premise.

Or maybe worry isn’t the best description for it. Instead, it is simply good practice to know and understand the risks, the measures and the structures by which your data is protected. And of course, you should look for assurances that your data in the cloud is in fact as secure as it possibly can be.

Not so long ago, there were valid questions around issues like data sovereignty and the safety of data in transit when using public cloud services. These issues were probably most prevalent in government circles; most governments are, for good reasons, typically not renowned for their innovation and willingness to sit on the bleeding edge of technology services. They are also responsible for setting the laws which we as individuals and businesses must obey, and those laws include how data should be handled and protected.

The good news is that along with the maturity in public cloud services has come an overt willingness from governments around the world to at least consider using these services.

Now, in New Zealand, we are privileged to enjoy a public sector which delivers some of the most accessible and efficient services of any on the planet. You’ll routinely hear expats from America, the UK and especially South Africa commenting on the extreme ease with which they now do business with the IRD, the Department of Transport, the Department of Internal Affairs, and others.

It’s this overriding interest from our public service in delivering for citizens in the best possible way which is behind its particular willingness to embrace better ways of doing things.

A government mandate for the cloud

By their nature, governments must arguably be even more attentive to, if not worried about, information security requirements. With no competitive pressure, there’s no need to do anything risky.

That’s why the introduction of the Cloud First policy in 2016 is such a ringing endorsement of the suitability of the public cloud for even highly sensitive use cases.

What this policy is achieving, a few years later, is IT services which are more accurately tailored to the specific government organisation which needs them. Whereas in the past, for reasons of cost control and practicality, each department would consume shared services, the cloud means every agency can specify and access the precise services which work best.

At the same time, we’re seeing the emergence of what Microsoft calls the Modern Workplace. This reflects the way most of us live and work today: the boundaries are disappearing, we make use of ‘micro moments’ doing bits of work on the bus or in between activities at home, and we expect to access and use our work services wherever we might be.

All of that is enabled by the cloud. With modern devices and modern cloud services sitting in Azure, people are no longer tied to their desks. Government services, already impressive by international standards, are getting even better, with more being done at a lower cost.

And it is all secure

Over the past 18 months or so, there’s been some acceleration in the adoption of cloud by government services – even those services which deal with expressly sensitive information at the heart of the State.

There are at least two simple reasons for that: the first is that cloud works. Whether platform as a service, infrastructure as a service, software as a service or a combination of all three, it delivers what it promises.

The second is that cloud is secure. Microsoft spends something like a billion dollars per year on making its cloud services secure, in a very real sense putting its money where its mouth is.

Then there’s trust which comes with proven use cases and demonstrated experience in delivery. It’s often said that nobody wants to be first with new IT solutions, and it’s for good reason; first always has an air of the guinea pig about it. But with a growing track record comes growing comfort, with the decisions becoming easier particularly when there’s established support from the supply chain.

These factors are increasingly combining, with public and private sector alike acknowledging that, in most cases, the best way to do IT is cloud.

And when it comes to security, the cloud delivers.

Andrew L.

Security Architect/Consultant CISSP, CCSP, SABSA SCF, CEH

5y

Good article Daryl, but what organisations need to understand is that with all the great things cloud providers are doing around security of their cloud services and the amazing offerings to transform business, it is the organisation's responsibility to ensure security in the cloud, not the provider's. This is known as the shared responsibility model and, depending on the service customers are consuming, be it IaaS, PaaS or SaaS, the cloud service provider's responsibility stops at a certain point and it is then the customer's responsibility to ensure security of their data. E.g. for IaaS, customers need to secure the OS, patch, scan for vulnerabilities, manage AV, encrypt data etc. CSPs and third parties do offer services to help customers with security, but the customer needs to realise where the CSP stops performing certain activities and the customer takes over. The likes of AWS, Azure and other CSPs provide details on their web sites of their security responsibilities. Hopefully the sooner more organisations are aware of this, we will hear less of breaches such as unencrypted data loss, O365 password hijacking due to no MFA, services accidentally exposed to the internet etc.

Alan Nehemia

Customer & Partner Advocate, IBM Storage Lead NZ | Ngāti Kuri | Ngāti Whātua - Te Uri O Hau

5y

It's an interesting time, Daryl Isaac, great write-up!

Ian White

Career Break | Professional Dad

5y

"The second is that cloud is secure." This is very misleading. Cloud may be 'secure', but it's all about how you implement and configure it. Which concludes in it not being 'secure'.
