What is CIO best practice when it comes to cloud security?
As businesses increasingly adopt cloud-first strategies, how can they ensure their security is up to scratch? Computer Weekly asks the experts
Modern businesses continue to invest more heavily in the cloud than ever before. Global enterprise spending on cloud services is projected to grow by 17.3% in 2019 to total $206.2bn, up from $175.8bn in 2018, according to analyst Gartner.
While the cloud provides a range of business benefits, such as agility, flexibility and scalability, it also brings challenges around implementation, particularly when it comes to information security. Businesses can be reluctant to push data to the cloud, with Gartner reporting that some CIOs continue to inhibit the use of public on-demand services.
However, with more businesses choosing to adopt a cloud-first strategy, it is essential that CIOs prioritise their security strategy. So, what does best-practice cloud security look like? Six experts gave Computer Weekly their take on the best way to establish an information security strategy that is fit for the on-demand era.
Treat data in a consistent manner
Barry Libenson, global CIO at financial data company Experian, said a strong cloud security strategy must be part of the standard working practices of a modern, technology-enabled business. His firm’s personally identifiable information (PII) resides in a datacentre in Dallas; non-PII data is stored in Amazon Web Services (AWS).
Libenson said Experian runs different workloads in different places and always allows for dynamic scaling into the cloud. The automated environment means computing power is added and removed on-demand in response to developer requirements. Data is fully encrypted at rest and in transit – and governance is a key priority, said Libenson.
“It’s all about recognising the fact that just because something goes to the cloud doesn’t mean you absolve yourself of the security responsibilities,” he said. “While I think AWS and Microsoft do a very good job on the security side of things, the responsibility still lies with us to ensure that customers’ information is kept secure.
“Anything that is in the cloud we treat in the same way we would if it was in our own datacentre and it has the same security requirements regardless of where it is located. So, all PII data must be encrypted at rest as well as in transit. That can make compute more challenging because of the incremental overhead that it creates, but the stack has to be built with that in mind – and it hasn’t been an issue for us.”
Focus on staff training
Richard Orme, CTO of Photobox Group, is another IT leader who says cloud security must remain at the forefront of any modern business, particularly one dealing with large quantities of data. Photobox typically ingests between three and five million photos a day, with that figure rising to a million an hour during peak periods.
Orme said Photobox has more than 6.5 billion photos uploaded to its platform. “It is an incredible amount of data and it requires serious upkeep, and so our 9PB migration to AWS last year was essential,” said Orme, adding that the move to AWS provides a boost in terms of innovation and security credentials.
“Amazon is almost unparalleled when it comes to data security – they are at the top of the game in this sector,” he said. “Our security has only become stronger by being a part of that ecosystem and sharing their resources. Today, I think tech leaders are realising we are much stronger building security systems and practices together than we can be going it alone.”
Photobox is therefore benefiting from putting more trust in an external technology provider. Yet great cloud security is not something that can be simply outsourced, said Orme – CIOs must also focus on internal processes, particularly around staff.
“On the ground, the most important thing is education,” he said. “Regular training for your team, and constant refreshing of best practices and workshops to keep all staff up to date on data security and hygiene, are all essential. This learning process is key to security becoming a part of the cultural fabric of the organisation, rather than a check-box exercise.”
Create a shared responsibility model
Gregor Petri, research vice-president at Gartner, is another expert who believes negative perception surrounding on-demand IT is waning, particularly when it comes to information security. “The general consensus now is that cloud services are more secure than any approach you can take internally,” he said.
More and more businesses are benefiting from tapping into the expertise of a specialist cloud provider. Yet, as Photobox’s Orme said, working with an external partner does not guarantee that your applications and data are safe – and Petri is another specialist who stresses the importance of internal processes.
“We expect 90% or more of the incidents that occur will be caused by people working on a perfectly safe cloud, but doing something that is not secure,” he said. “You must really ensure that the people across your business use the technology in the right way.”
Petri suggested that staff training is just one important element of a strong cloud security strategy. “Part of that process is about education and awareness, but it’s also about understanding the shared responsibility model,” he said. “You need to understand that cloud providers are expected to do some things and your business, as the customer, is expected to cover other areas.”
Petri said the shared responsibility model varies depending on whether the business is using infrastructure-, platform- or software-as-a-service. He advised CIOs to pay careful attention to roles and responsibilities.
“You must understand what is expected, how the technology is implemented, how you can monitor usage, and how you can ensure you don’t turn off crucial security features or leave data exposed to the internet accidentally,” he said. “There still needs to be a lot of maturity.”
Develop a broad assessment exercise
Alan Talbot, CIO of Air Malta, said the cloud has come a long way in the past few years, but IT leaders should avoid complacency, particularly when it comes to contracts and service-level agreements. “You will create ironclad guarantees with providers, but when you hear of breaches, those guarantees aren’t worth much,” he said.
Talbot said one of his key achievements since becoming CIO of Air Malta in late 2016 has been the complete overhaul of the company’s IT infrastructure. These systems were outsourced previously, and the assets were not owned by the airline. Technology management has now been brought back in-house, and the company has also invested in two datacentres.
“I guess one of the good things about maintaining your own applications is that you can see the green light flashing in your own datacentre,” said Talbot. “You can feel in control and you can add multiple layers of protection – and if things do go down, at least they’re going down on your terms.”
Talbot said his hybrid approach demonstrates that, although the cloud is important, buying tin remains an important tactic for some CIOs. For IT leaders who are choosing how to store their data, security will be a consideration – but Talbot said it should be seen as part of a broader assessment exercise.
“Security shouldn’t be the key factor when deciding between the cloud and an on-premise solution,” he said. “It is one of the risks that you need to assess, but it shouldn’t be the deciding factor.”
Ensure security by design
Amitabh Apte, global director of digital integration at Mars, also recognises that IT leaders face a number of considerations when moving services on-demand. But he insists that security must be the “number one challenge” for businesses considering whether to move applications to the cloud.
“Where is your data, who owns the data and who has access to your data?” he said. “I speak to some CIOs who still don’t want any data in the cloud because of the fear of losing control. So it depends on how you look at using the cloud.”
Cloud strategy will differ depending on the individual and the host business, said Apte. Yet some best-practice techniques should be embraced – and the basic principle that is often repeated by industry experts when it comes to the cloud is to ensure security by design, he said. Here, CIOs work to incorporate security at the application design stage.
“Think about security as you’re building your products and services, not as an afterthought,” said Apte. “The General Data Protection Regulation and other regulations help, but I think you need to look for providers – such as MuleSoft, who we work with – that give your business the right security principles out of the box.”
Concentrate on the information
Independent analyst Clive Longbottom said there are still lessons to be learnt in cloud security. Focusing on physical, application or database security is pretty useless when so much information will be crossing beyond the boundaries of platforms and beyond the control of enterprise IT teams, he said.
Increasing numbers of businesses are choosing to take advantage of containers and to create cloud-based microservices that can be moved around as business demands change. To meet this requirement, Longbottom suggested a different approach – moving the focus of cloud security from the platform to the information.
“If you are running container-based microservices, a compromised container can be killed and re-provisioned in seconds,” he said. “Data is just data until it is analysed and becomes information. The real value is in this information – and if this is compromised, then the business’ intellectual property is gone.”
Longbottom said businesses looking to create an information security strategy for the cloud should consider technologies such as data leak prevention and digital rights management. “These tools can help an organisation to control access to information assets no matter where they are, even when they are held beyond the enterprise firewall on a supplier’s or a customer’s hybrid cloud platform,” he said.