As businesses move to a 'cloud first' strategy, they should always keep data security top of mind. Early in the process, they will need to choose a third-party provider partner whose terms and conditions align with their own business strategy and who understands all the issues around data sovereignty.
Businesses need to ensure that data transferred into their provider's care is encrypted the moment it lands. They must also decide which data they want to move into the cloud. That is why the hybrid cloud model is becoming the de facto choice for businesses that want to retain more sensitive customer data within local resources.
A key issue for any organisation running hybrid cloud is: does it have a security policy that works seamlessly across on-premise and cloud? If somebody wants to access the business' on-premise data, they typically go through a gateway. However, if an employee tries to access data in the cloud, the business will likely lose control over that process. Many cloud services come with username/password authentication out of the box, and that brings further risk. The challenge for the business is to manage and mitigate that risk just as it would its on-premise risks. After all, cloud data belongs to the business, not the service provider, and the business is ultimately responsible for protecting it.
This concern plays into wider issues around visibility. Organisations can set up a virtual private cloud (VPC) but if they want to know exactly how their applications, databases and web front-ends are interacting, they'll need an additional technology layer.
A key part of this is to increase the authentication level devices require before they gain access to data stored on the public cloud. Businesses can deploy an authentication portal or an access broker, so that if a user wants to access data in the cloud, they must authenticate via the business' own domain. This helps the organisation establish control over who can access its private data and from what devices.
Once again, visibility is key. In line with that, many leading security vendors are bringing out virtualised versions of their firewalls, capable of sitting in the cloud. That is important because a business with its own data centre, in-house security and policies in place has visibility over its data. However, once the same business moves some data to the cloud, it no longer knows for sure which data centre that data is stored in, which rack it is kept on or which server it is connected to.
A VPC offers one potential route forward. However, if a business could instead simply take the same firewall it's using in its data centre, virtualise it and put it in the cloud, it has effectively widened the security out of its data centre – from the physical into the virtual world – and the security will be consistent across the different environments.
Such an approach gives businesses an extra layer of security on top of what the cloud service provider is already delivering. It also means that when the business looks at its overall security estate, it effectively does not matter whether the firewall it is deploying and the rule set it is generating applies to a physical data centre or a virtual one in the cloud. There is a single management platform and a consistent, consolidated view, and the business knows at a glance exactly how many policy violations it has had.
More companies today are adopting this kind of approach. Increasingly, they are moving even further along this path into the world of containerisation, micro-segmentation and micro-services, developing smaller security platforms that no longer require a built-in operating system but still retain the same consistent policy engine.
So, in summary, we are seeing a growing number of businesses moving to the cloud and implementing a cloud first approach - but they still must not neglect the security challenges.
Before businesses move to the cloud, they need to find a provider they can trust, define which services and applications to migrate, and then put an effective security policy in place. Across this process, they need some form of access broker and an adaptive authentication mechanism that delivers optimum control. They should also consider putting in place a virtual firewall as an additional security layer. Do all that and they will have gone a long way towards achieving a fully secure approach to data access, and they will be better positioned to reap the rewards that moving to cloud services can bring.
Contributed by Dave Nicholson, Technical Sales Consultant, Axial Systems
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.