By Daniel Steeves, Director at Beyond Solutions and Partner with James Caan at HB Prime Advantage
I tend to agree: this cloud thing isn’t as secure as some think it is, simply because all clouds are not created equal. To be fair, though, I would have said the same thing about more than a few business and Government IT systems I’ve seen over the years. Security, much like insurance, is a matter of degrees and levels: it all depends on what you must do, what you want to do and what you can afford to do (and, like insurance, security can also be expensive).
Depending on where you go or what you read, the issues vary, but the underlying concerns about Cloud security seem fairly standard: concern about the lack of control over cloud-based environments; concern about access to data and systems from outside the walls of the business; and concern and uncertainty as to how to manage current threats, both targeted and random, let alone whatever comes next.
Truth be told, much of this stuff is, relatively speaking, straightforward, if not easy, once you’ve done the work, determined your needs and selected the correct, trusted partner (one who has passed the requisite due diligence, which any business with any significant level of security requirements or concerns should insist on).
And you do need to look closely: I can’t imagine we’d find too many cloud or other IT managed service providers, or cloud-based software or things-as-a-service, that are offered or marketed as less than secure… but what I said at the start about clouds applies equally to security offerings: not all are created equal. To be fair, the security needs of, say, a country-wide building supplies chain are clearly neither equal to nor as critical as those of an NHS Trust or an insurance company.
“A move from self-hosted to the cloud typically improves security”
The fact remains, though, that moving systems and data from a less-than-secure facility in the corner of the office to the cloud does typically provide better security than was in place before. Security is the business and expertise of that Cloud provider, who is meant to have the processes, the mechanisms and the economies of scale to cover the physical, systems and human aspects of security.
Beyond Physical and Systems Security
But, according to the industry and the numbers, someone might still get in… locks and alarm systems don’t always foil the clever burglar and so goes it with information security. It could also be that someone from within is trying to take something out, either maliciously or inadvertently (and, after all, the weakest links in the overall enterprise security chain are often the human ones).
To say that things have changed is an understatement: from the nature and magnitude of information and data held by companies and Governments to the methods, motives and sheer numbers of attackers looking to access it, it is a difficult environment to fathom for many, let alone manage. Even for those succeeding in doing so, those who are clever enough to in-build security rather than continue to treat it as an add-on, the evolution of business technology is occurring at a rate that is stretching current strategies to their breaking point.
With Benefits come Risks (duh!)
Businesses are always looking to technology to provide an edge, to help earn a little more or spend a little less and to move or keep ahead of the competition who they perceive to be doing similar things. This reliance on and the contribution of technology to the bottom line (and in some cases, the survival of the business) is most often rewarded when a business transforms form and function to fully take advantage of the capabilities being delivered.
A funny thing happened on the way to the cloud, though: just as these evolved technologies are delivering the capabilities to derive some serious value from those masses of information, the combined use cases of cloud and mobile tend to involve scattering that valuable information, that newly discovered asset, almost to the wind!
Data is suddenly everywhere, as are the (increasing) numbers of people and access points, and I believe a radical, requirements-focused redraft and rethink of security strategies, based on a current view of those requirements, is needed for a majority of businesses. Guarding the perimeter is well and good but provides little value for things outside of it: so, guard against a breach but accept the potential, or even the inevitability, of one, which takes us to step two. If the information and systems merit protection then logic dictates that you ensure that even if the data gets into the wrong hands, the data is worthless. To me, that means end-to-end encryption.
“Encrypt data as generated, if that is what you need to do”
Now, with complete awareness that some of my more in-depth security colleagues might find the following a little too simplified (and I open the floor to their learned elaborations in the comments below), I believe that building a modern “infosec” strategy architecture (designed so as to flex, scale and adjust with the needs of the business) is a combined effort of three things taken from three focuses of three different views, all circling around the data of the business to deliver effective, audited and controlled access to authenticated users, devices, systems and locations:
A combined understanding of the requirements from the Business, the Technical and the Security camps, considering:
- Systems, Data and People, each of which accesses, moves and stores data, and that data, from its generation and throughout its lifecycle, should be
- Encrypted, with a rigorous Key Management mechanism backed up by a well-formulated, well-communicated and well-enforced Security Policy.
After all, if someone manages to get past your secure facilities, which house your secure systems, managed by your security-cleared people, it is still another matter to crack 256-bit AES.
In closing, a quote of my younger self, taken from my weekly “Computer Corner” column in the business section of an Ottawa newspaper in the late 80s discussing personal computer security: “There are a lot of corrupt little minds out there: if your system is connected and they want to get at it, then they will find a way”.
So, things may have changed immeasurably but they really haven’t changed that much!
Daniel is a Director at Beyond Solutions, a Thought Leader for Compare the Cloud and Partner with James Caan advising small business at HB Prime Advantage. You can reach him at firstname.lastname@example.org, and follow him on Twitter @DanielSteeves.