Continuing this series of posts related to the cloud, it’s time to talk about how to face the world of possibilities that the cloud offers. This article aims to shed some light on such a huge task and to show different aspects to be taken into account. It is an interesting path, with multiple options, which can bring enormous value both to the business and to our quality of life, as long as it is approached from an objective, realistic and critical point of view. We should not be reticent to change, but neither should we apply change for change’s sake.
Leaving philosophical mantras aside, saying that the cloud is the panacea makes as little sense as saying that the cloud does not bring value to the business.
As always, and sorry for the insistence, it will depend on each organization and its needs. What is fundamental, within the analysis of the business case and in calculating the return on investment of the implementation of these new technological paradigms, is that the consequences, needs and capabilities of security are considered. Both in the process of migration to the cloud, as well as in the face of any technological change.
Having said this, and getting to the point, there is no doubt that migrating to the cloud has a significant cost. Whether this cost is greater or lesser will depend on how you compare, but it can be said that it is not a “cheap” decision. If we do the simple exercise of comparing a physical server to a cloud server, the difference is fairly clear. However, putting everything into context, and above all, emphasizing security, there are many other costs to be assessed.
Nowadays, any cloud provider, of whatever nature, offers a broad range of interesting options, and the trend shows that we are heading towards a scenario of hybrid multi-cloud infrastructure, in which assets or services coexist in different CSPs, along with services whose location we do not know, as well as on-premise infrastructures.
However, for each of these services and infrastructures, it is necessary to consider information protection. There is no point in having a firewall in an overprotected datacenter if a remote desktop is then published on the Internet from the cloud infrastructure, with multiple vulnerabilities, and which also offers direct access to the local information repository. The security strategy, and its application to the design and implementation of the infrastructure needs to be global; security must participate in each area and cover our entire security perimeter.
To do this, it is necessary to know how all the actors involved perform in security issues. The tools they offer, how responsibilities are distributed, if we can assume the security needs of each platform, or if the expense is within our budget.
Another aspect to be assessed and which is increasingly being taken into account is the legal aspects of hosting information off-shore, which can be a determining factor when choosing one service or another. If, for example, the organization needs to host information from healthcare environments, it is necessary to know the existing geographical limitations, which may determine the infrastructure and the provider chosen to provide service. Along these lines, the European Union itself is developing a program, called GAIA-X, to avoid technological dependence in the field of the cloud from non-European companies, but above all so that Europe can control and prevent access to data and information from European companies.
As far as the technical aspects are concerned, which we will break down in future articles, it is necessary, as always in the area of security, to balance the needs and the available budget. We would all like to have a Firewall-IPS-WAF-AntiDDoS-CASB-IDS-(insert any perimeter security tool here) at each of the infrastructure access doors, but unfortunately the budget is (always) limited. This forces us to study the needs and criticality of the assets and data, the services demanded by the business, the existing possibilities, and to define, with all this in mind, the security strategy in order to deploy a secure infrastructure.
On the other hand, the use of transversal tools that cover our global needs is imperative. If we choose to deploy a vulnerability scanner, it must be able to cover the entire infrastructure; if we use a tool to monitor availability, it should cover the entire infrastructure, and not have five different tools for each environment. If a specific policy is established for virtual machines with a given operating system, it must be transversal to all virtual machines, wherever they are, with their corresponding particularities for each environment. If it is necessary to control the users, accesses and permissions, a tool will be needed for this to be done globally, not having 10 users for the same person and with different access rights controls on each platform. If I define a specific update policy, it must be applicable and cover the entire infrastructure. And in this way, we could cover many different situations.
It is also important to bear in mind that the cloud offers multiple tools in addition to those existing in the on-premise infrastructure, whether with free or paid versions, so knowing each option and assessing what it offers for each case is essential; I have looked for graphics that show the different security tools of the most used cloud providers, but I gave up when I saw the volume of possibilities offered.
In short, migrating to the cloud is possible, but with a clear vision, and always taking into account the implications and needs that arise in terms of security. Ultimately, we must not forget that the organization is responsible for protecting its information, wherever it is hosted.