Last month, Amazon announced that its public cloud offering AWS generated $2.88 bn in revenue, up 58% on last year. The momentum of the adoption of public cloud services by business seems unstoppable. Amazon Web services (AWS), Microsoft Azure, Google, IBM Softlayers and others are growing rapidly by addressing an insatiable demand for very scalable server infrastructure. Business people appear to have overcome initial security concerns about placing some of their data on someone else’s servers connected to the public networks often in a different country.
This does not mean that the validity of those early security concerns has gone away – simply that the reduction in running costs offered by cloud services is overwhelming. Adoption of cloud services represents a momentous change in strategic IT direction and it is important not to dive headlong into this without clearly understanding the security and risk-based implications. Here are some questions to test your thinking that become most relevant when the number of cloud instances supporting your business grow much beyond 50 (my age.)
- How do you visualise your network security policy ?
- How do you consolidate policies across multiple regions, accounts and clouds ?
- How do you provide secure access to your cloud security groups and policies ?
- How do you continuously monitor and audit configurations cross your estate ?
- How do you ensure file integrity monitoring and other compliance controls are maintained ?
- How do you deploy security management and accountability policies to control your new cloud IT operation teams to protect against internal or external security compromises e.g. stolen credentials, unauthorised changes, API attacks ?
Considering the growing complexities of today’s data, use cases, compliance mandates, and so on, it is not surprising that companies often struggle to understand how to protect and secure their data, their customers, and their very existence before moving to (or expanding on) this new cloud infrastructure. Perhaps it is easier to adopt a touching belief in the invulnerability of big brands and blindly trust them to look after your data for you.
AWS is a cloud service provider that is on just about every company’s radar today, ranking number one for the fifth year in a row as the top IaaS provider in Gartner’s Magic Quadrant. So using AWS as an example, they do provide security tools within the service kit bag – but many customers that I have spoken to feel they are not adequate and certainly do not answer the questions posed in my blog, when the scale of adoption reaches the above mentioned tipping point – my age !