The public discussion often ends up asking the same question – are cloud services secure? Harri Kallioniemi shares insights about the crucial features of cloud.
Only in movies do the hackers hammer their keyboards in dark rooms with blinking LED lights in the background. In real life, hackers typically send targeted emails that contain attachments with malicious code that opens up the initial point of entry for them. But only if the user opens the attachment. The “human element” is hard to control in security.
What we can do is to make it as hard as possible for hackers to move forward from that point onward – by limiting their capability to gain access to data and quickly recovering from an attack, knowing that we have totally wiped them out from our systems. Implementing these measures is possible in any environment, but it’s far easier and also cheaper to do in the public cloud.
Data security is of essence also in today’s mobile working life, as millions of people use cloud-based services while performing their duties remotely. Fortunately, cloud platforms with the right kind of safety mechanisms make it easy for companies to trust that all business-critical data is provided and handled in a secure way.
The first step is to implement the proper segregation of duties. The aim here is that if an attacker gets access to one of the accounts, the exposure is limited to an absolute minimum. But the more granular your setup, the more time (i.e. money) it takes to implement. We talk about days, if not weeks, of work for each workload. This is when the rubber meets the road and we take the shortcuts where, with just one password, the attacker has gained access that is far too wide. The reason for the shortcut could be as simple as lack of time or money, but that is the reality in everyday IT.
Now, enter automation based on code – the only sustainable way to ensure proper segregation of duties with a low enough price tag and fast enough implementation time. It involves heavier initial setup costs, but then every single environment is guaranteed to be set up in the agreed secure way. Each public cloud provider has a set of best practices for how account and user access setup should be conducted.
The second step is to encrypt data. Even if the attacker is able to gain account access, they would be unable to read the data without an encryption key. Cloud platforms provide encryption for data both at move and at rest, including needed key management services. This should also solve worries one could have about the Cloud Act.
The third step is to ensure that your environment stays compliant with your agreed security and governance rules and that you have the needed audit logs. The huge difference here is that since you run code instead of performing manual clicking, you first of all know exactly which code versions have been used for each environment and thus what and how security measures were configured. And you can prove everything with logs. Secondly, you can set up alerts to notify you of any accounts set up to bypass the agreed security.
Lastly, if the worst of the worst happens and you are seriously hacked, your biggest headache will be figuring out what the attacker was able to modify and what security vulnerabilities they may have left behind. And unfortunately, this will be a fast-moving target, as the attacker will continue to operate in the environment and reopen vulnerabilities you have already closed. I have read about cases where this cat-and-mouse game went on for months, in some cases years. The only way to ensure a clean environment is reinstallation, but with the traditional manual method, this is a last resort – whereas with the Infra as Code approach we’re talking about a real and feasible solution.
These measures discussed above are not science fiction but strategies we are already helping our customers to implement today. With these measures employed, I would personally place far more trust in the public cloud to store my business-critical data compared to any other.
I also claim that with the increasing focus on data privacy and business continuity in the digital world, these measures will quickly become mandatory and be enforced by regulatory bodies and organizations’ internal security and compliance units. By adapting this straightforward approach now, you will secure your systems – and business operations – for years to come.