Securing the journey to the cloud
At a Glance
Cloud computing brings immense benefits but cybersecurity can sometimes be an afterthought. In this article, Wolfgang Baumgartner examines how organizations can implement cloud security, and where responsibility ultimately lies for securing the cloud.
Cloud computing offers a wide range of benefits for organizations of all sizes. It can deliver significant cost and efficiency gains, help them remain flexible, offer near endless scalability and enable companies to quickly adopt innovations to stay ahead of the competition. Those who adapt first will become technical innovators and position themselves as leaders in an ever-changing market.
Cloud security matters right from the start
Many organizations that migrate to the cloud treat cybersecurity (and cloud security in particular) as an afterthought — something that is only considered after the migration process is finished.
This leaves the system vulnerable and causes organizations to miss an opportunity to deeply integrate security into the architecture.
Integrating security after migration has another drawback: it can be particularly challenging. Incorporating the cloud into an organization’s existing security program is not as straightforward as adding a few more controls and dashboards. Instead, a thorough assessment of the business requirements and solutions in use is needed to develop an appropriate security strategy.
The complexity of implementing cloud security
At Atos, when we perform a proactive cloud security assessment, we move through different environments to identify vulnerabilities and elevate our privileges. A common observation from these assessments is that many of our clients are unsure of their own set-ups. In order to successfully move to the cloud, they need to understand how the process works.
There are some stumbling blocks on the road, like the question of who will be responsible for the migration. Whoever is nominated as the responsible person is not necessarily trained for this task. Quick training from the provider will often solve the problem, but the nominated person will then build what they know (namely networks) and include only network security. Unfortunately, that covers just one part of the necessary measures.
The duality of the data layer (old school with packets, services running on virtual machines and data being transferred and stored) and the control layer (which orchestrates resources, permissions and security) must also be considered – a very complex situation.
Responsibilities and permissions
One key aspect to consider is that security in the cloud is always a shared responsibility between the public cloud provider and the user. Organizations often believe that the cloud is secure since “the big providers know what they are doing.”
However, they may overlook that the provider is only responsible for physical protection in a data center and the virtual separation of the data for different customers. The user is ultimately responsible for everything that is stored within the cloud. Companies should not underestimate their own role in the security approach, because it is sometimes unclear where the responsibility stops — and it’s possible to build highly insecure applications on highly secure offerings.
Another important topic is permission management. It is common to use the deny approach, where existing permissions and options are restricted. Very often, the system’s cloud set-up is comparable to what our teams see in onsite security: everything is running as root and everyone has access to everything. The better approach is to decide beforehand who should be allowed to use a specific service.
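The difference between the two approaches, as an added example that is not part of the original article: a deny list leaves anything nobody thought of open, while a list decided beforehand refuses it, and the same list can be used to audit what is actually configured. All principal names, service names and grants are constructed for illustration and do not correspond to any provider's API.

```python
# Constructed sample data: all principal and service names are hypothetical.
# Deny approach: everything is open except the pairs someone remembered to block.
DENIED = {("intern", "key-vault"), ("intern", "vm-admin")}

# Allow approach: decided beforehand, service -> principals allowed to use it.
INTENDED = {
    "object-storage": {"backup-job", "data-team"},
    "key-vault": {"deploy-pipeline"},
    "vm-admin": {"ops-team"},
}

# What is actually configured in the (hypothetical) environment.
GRANTS = [
    ("backup-job", "object-storage"),
    ("deploy-pipeline", "key-vault"),
    ("deploy-pipeline", "*"),   # one principal, every service
    ("*", "vm-admin"),          # every principal, one service
    ("intern", "key-vault"),
]


def deny_model_allows(denied, principal, service):
    """Deny approach: access is granted unless the pair was explicitly blocked."""
    return (principal, service) not in denied


def allow_model_allows(intended, principal, service):
    """Allow approach: access is refused unless the pair was decided beforehand."""
    return principal in intended.get(service, set())


def audit_grants(intended, grants):
    """Compare configured grants with the intended list and report deviations."""
    findings = []
    for principal, service in grants:
        if "*" in (principal, service):
            findings.append(("wildcard", principal, service))
        elif not allow_model_allows(intended, principal, service):
            findings.append(("not-intended", principal, service))
    return findings


if __name__ == "__main__":
    # A service added after the deny list was written is open to everyone.
    print(deny_model_allows(DENIED, "intern", "ml-notebooks"))
    print(allow_model_allows(INTENDED, "intern", "ml-notebooks"))
    for finding in audit_grants(INTENDED, GRANTS):
        print(finding)
```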