Organisations of all sizes continue to leverage the benefits of public cloud. In fact, 100% of all clients were utilising some sort of cloud offering, mainly SaaS (Software-As-A-Service) in 2019.
Public cloud has grown exponentially throughout the years, Oracle recently made 10 predictions about the future of cloud and said that: “80% of all enterprises (and mission-critical) workloads will move to the cloud by 2025.”
As an information security professional, I always recommend organisations of all sizes and sectors consider utilising some of the services offered by public cloud service providers like Microsoft Azure, Amazon Web Services (AWS), Google Cloud Platform (GCP) and others. Organisations can rapidly benefit from the increased efficiency, scalability, availability, improved security and agility they offer.
The convenience and ease of access to public cloud increase the risk and the likelihood of hackers using this technology to easily hack into your organisation systems and data. Public cloud providers continue to expand security services to protect their customers. However, it is the customers’ responsibility to secure their systems and data within this environment, just like on-premises.
To get the best out of the public cloud and drastically reduce the risk of being hacked, all organisations planning to use new services or move on-premises workload to the public cloud must define a comprehensive migration plan. This needs to feature cloud secure architecture for any type of application or services including testing, development and production environments. As a minimum organisations must have:
1. Competence
I cannot stress enough how important it is to have a competent team/person responsible for analysing your business, defining requirements, designing the strategy, identifying solutions, setting priorities and performing migration and/or implementation.
2. Perform an analysis
You need to determine why you need to migrate an on-premises workload or utilise new public cloud resources. Clearly understand your business and workload needs. Following that you must analyse which public cloud service provider will offer the best for your requirements e.g. would it be AWS or GCP? Which one is in compliance with your industry and contractual requirements?
3. Establish baselines and KPI
If you decided to utilise Infrastructure-As-A-Service (IaaS) have you defined the baseline operation system, allowed ports and services, password complexity, remote access requirements and local account permissions? “A good reference for information security baseline is the CIS Benchmark.” Following that, you must define and track critical metrics such as system availability, security threats and incidents and system capacity.
4. Testing
Run comprehensive testing against your defined baselines. Additionally, you must include penetration testing, vulnerability assessment, performance testing, configuration testing, user acceptance testing, technical testing, continuity testing and more.
5. Safe and slow
Everything tested and ready to move to the cloud? Make sure to move your workload very slowly, there’s no need to rush here. Clearly define which workload should be migrated first, then move small pieces of your workload one-by-one, step-by-step. Move “as-you-test”, making sure your workload is working as expected for a certain period of time before moving any additional workloads.
Public cloud providers offer amazing capabilities and services which are easy access, highly scalable,providing improved security. However, when badly implemented it may cost your organisation its reputation, precious assets, hefty fines or even worse. Your organisation must take all the necessary steps to protect the data, systems and services prior to and after moving to the public cloud.
Always remember, it is much easier to control and secure an environment that you build properly from scratch, rather than fixing holes in a badly configured environment where there is a high likelihood of leaving the doors open to your organisation’s data, systems and services.
