Experiences and opinions were initially very similar to those mentioned in discussions on traditional cybersecurity. Then the pandemic struck, the global market economy caught a cold, Russia invaded Ukraine, and Finland and Sweden made the decision to seek safety under the NATO umbrella.

These topics are in the news on a daily basis, but let us have a look a bit further down the line.

Hybrid-, information- and cyberwarfare catches many organisations by surprise. Even the best information security strategies, preparedness exercises and cybersecurity solutions are rendered useless when the main pillars of the infrastructure are not available as usual. We are used to a situation where the risks to enterprise architecture are caused by isolated threats, such as random cyberattacks, malware or technical issues with IT infrastructure.

Organisations can protect themselves from problems by means of strategies, policies and often technology. With large-scale cyberwarfare, the emphasis is on hitting the enemy where it really hurts, which means targeting national infrastructure. Demanding action or blaming service providers for problems does not help when information systems have been hit by custom-built ransomware, telecommunications (including mobile networks) are down and experts cannot reach the workplace because card and mobile payments have stopped working and they cannot buy fuel or a bus ticket. There is a massive difference in scale between cybersecurity and cyberwarfare.

People are becoming increasingly aware of the fact that urgent action is needed because the next few months will be a risky time for Finland. No-one knows how Russia or groups supporting its aims – such as cybercriminals – will react.

Until recently, many doubted the security of public cloud services, and the responsibilities of users and service providers remained unclear. It is only now that people are starting to realise that the truth is completely different. Providers of hyperscale services spend vast amounts of money and time on improving cybersecurity every year. Because these services are available globally, their providers encounter a wide range of cyberattacks, often on a massive scale that smaller organisations or even national governments would encounter only in the context of cyberwarfare. Scenario practises and various risk analyses have shown that public cloud services are the most secure place for organisations to store information and carry out business activities – they are physically far removed from conflict zones. The initial assumption was that data – like people – would be safe and secure within physical borders. People have finally realised that the situation with data is the opposite and that the most secure solution is decentralised storage, spread across the virtual world.

Does this mean that we can say good-bye to cybersecurity problems once our data storage and business activities are securely in the cloud?

Unfortunately not. Cybersecurity risks are like energy: they never disappear, they just change their form. Indeed, respondents of the annual Flexera State of the Cloud report have listed data security as the main challenge with public cloud services for the last decade. In 2022, 85% of respondents still identified it as the number one challenge. The biggest challenge was initially that organisations and their IT service partners did not have sufficient knowledge about public cloud security.

The first challenge with cybersecurity is the lack of sufficient knowledge.

Public cloud service providers use a shared security responsibility model: this means that the service provider is responsible for the physical and data security of the public cloud it provides while the user of the service is responsible for the security of its own data (connections, identities, configurations and enterprise data).

Image: Amazon Web Services shared security responsibility model

Although this model is straightforward, it causes a problem. Responsibility and accountability have always been a challenging aspect of cybersecurity. Almost no-one wants to assume responsibility, and there is a tendency to try to shift the responsibility for cybersecurity entirely to the service provider or data security partner or even push it onto the organisation’s own data security manager.

The second challenge with cybersecurity is responsibility.

If the public cloud is utilised correctly as a cloud-native solution, it does not fit in well with conventional operating models. Enterprise architecture models, such as TOGAF, include extensions for public cloud processes (Open Group Cloud Computing Work Group), but these are often inflexible and they do not allow for the full utilisation of the processes of constantly evolving, increasingly optimised and agile public cloud services.

In terms of cybersecurity management and processes, the provider offering the public cloud service takes care of the security of its own physical infrastructure. The IT service partner does what has been agreed with the client. The client assumes that its partners will take care of data security issues and cybersecurity. Strategy-level coordination and management of roles and responsibilities is often left out of this triangle. Requests and requirements are communicated to the operational level, which turns them into practical technical solutions. Cybersecurity management is left to the data security manager or someone else in a similar role, and in-depth cooperation between the three parties is not possible due to a lack of management-level support.

The third challenge with cybersecurity is governance and processes.

“Purpose-built” is one of my favourite terms. It means that something has been designed and built for a specific purpose. In the world of IT, it means that something can only be used for a limited purpose. The public cloud is not this kind of solution. The public cloud offers almost unlimited possibilities, so it is in fact the exact opposite of a purpose-built solution. I believe that the public cloud can offer more reliable and resilient cybersecurity than any other IT ecosystem built for general use.

If the three cybersecurity challenges I have listed above have existed since the introduction of public cloud, why have there not been serious security breaches or cybersecurity vulnerabilities? Any incidents have been occasional faults or small-scale data breaches that have affected the environments of individual clients. Public cloud (hyperscale) infrastructures have remained almost unbreachable, and no serious vulnerabilities have been identified in services built by IT service providers.

When Windows operating systems made the leap from personal computers to servers, the majority of hackers and later cybercriminals chose Windows operating systems as their main target. Older UNIX systems and their applications in particular were largely spared from attacks. This target vector was not interesting because of the specialist knowledge required; Windows was an easier and more interesting target.

At some point, Linux replaced Windows servers in demanding enterprise use, and today the majority of companies’ core business systems and enterprise resource planning (ERP) systems run on Linux servers. Linux-based systems are also a common choice for running virtualisation platforms. The interests of cybercriminals have also changed, and Linux is today at least as interesting as a target as Windows server environments. Both attacking and protecting these systems requires more and more specialist knowledge.

I believe that this is also the reason that has kept public cloud secure until now.

The fourth and most significant challenge with cybersecurity is a evolving risk vector.

The changing geopolitical situation emphasises the need for more stringent security requirements. The national and international economic situation means that operational scalability and ability to react fast are increasingly important and companies need agile cost-efficiency. The public cloud has become the place where all of these needs can be met at the same time. The cybersecurity challenges are still the same, however. Cybercriminals and those involved in cyberwarfare will find themselves a new, attractive and impactful target – public cloud services. Public cloud services will become the most lucrative target for cyberattacks over the course of this year.

I personally believe strongly in the superiority of the public cloud as an IT ecosystem. Hyperscale providers do outstanding work in their efforts to secure their infrastructure, and they publish new data security capabilities on an almost weekly basis – in the case of optional data security components, the supply exceeds the demand. IT service providers have cybersecurity teams and services specialising in public cloud security, and data security companies are developing more and more sophisticated and effective data security technologies to secure the data stored in public cloud services.

Tackling the challenges I have mentioned requires one additional change. Organisations utilising the public cloud must understand that cost-efficient does not automatically mean the same thing as cheap. All new things require effort and investment. For many organisations, saving money is the main reason for choosing the public cloud. Saving on the wrong thing will always lead to regret, regardless of whether the savings involve a conventional solution or a public cloud one.

Want to know more? Connect with me in LinkedIn to start a conversation.