Cloud Security and Compliance Considerations
I speak to many CIOs and CTOs about cloud, and we often walk into a room where I get folded arms when I start talking about the benefits of cloud. I realise that the only reason I'm in the room is because they have a KPI to investigate cloud technologies, set by the CEO or CFO who see the business and cost benefits. In this situation, two main objections are generally raised as apparently hampering their move to cloud: data security and compliance concerns for cloud-based workloads. At this point I just want to take out a rolled-up newspaper and Wham…Wham, Wham, Wham! I want to take some time to go over a few items that you should consider:
- Is cloud PoPI compliant?: Most South African companies just want to know if the large cloud providers are PoPI compliant, like they just want to tick that box and move on… but it's not that simple, and obviously they don't have a clue what PoPI means. From the cloud providers' point of view, they are defined as the operators in this scenario. This means that their responsibilities are limited to issues of confidentiality and notification in the event of a system or data breach, which they do meet! The main aim of PoPI is to ensure the protection of personal information, and thus the onus of ensuring this lies with you (the responsible party, in PoPI terms), not the cloud providers, regardless of whether your data is internal, hosted locally or hosted internationally: the same yardstick applies. What this ultimately means is that asking whether the cloud service provider is compliant with PoPI or not does not assist you at all… so don't!
- Deeper pockets mean better security: I have designed, built and worked on multiple cloud environments over the years, and the number one thing you could rely on was that as soon as you set up a new public-facing project on these environments, it was inevitably probed and scanned for vulnerabilities. Something to consider is that there is no way you (on-site) or your local provider are spending as much as the hyperscale cloud providers on ensuring perimeter security and system integrity. Take Microsoft for example: they have budgeted $1 billion annually on security. Google has 7 products with 1 billion users each that it protects on a 24x7x365 basis, and then we have AWS, backed by the largest retailer on the planet, with the biggest IaaS and PaaS footprint. They invest in the best technology, systems and people available.
- Expert skill-sets: Hyperscale cloud providers leverage thousands of security professionals, data scientists, engineers and developers on an ongoing basis to ensure a secure environment. These experts have developed sophisticated algorithms for monitoring environments, aided by analytics and machine learning, to identify out-of-the-ordinary behaviour.
- Can I sit back and relax then?: No dammit! It's like getting into your car and not wearing your seatbelt: the safety features need to work in combination to be effective. Having all this technology and skill looking after the cloud environments does not mean that you can sit back and relax; the provider secures the underlying platform, but your workloads, identities, configuration and data remain your responsibility. There are several tools and strategies that you will need to adopt for cloud-based workloads, which the cloud providers or the application vendors recommend to ensure your workloads are protected. Let me know if you need more information for your specific requirements/provider and I can point you in the right direction.
- Where can I get more info on cloud compliance standards?: All the hyperscale cloud providers publish their long lists of independent security and compliance certifications; it's just a matter of Googling it. It is more than sufficient for the needs of a bank, a government institution and, yes, your needs too.
I remember a few years ago when everyone was opposed to adopting virtualisation, as the questions were just too many to comprehend. It's the same with cloud now: this red-herring opposition to the use of internationally located cloud providers, on the grounds of security and compliance, has become the favourite blocker for cloud adoption among senior decision makers who are opposed to moving with the times. It is a fact that most of the big South African banks have adopted a single- or multi-cloud strategy and have gone through the exercise of ensuring that their data is safe in these locations. Any other excuses?
Remember, cloud adoption is a journey. You will want to move your workloads from IaaS to PaaS and then to SaaS, so you need to adopt a cloud provider that can take you there!
Head of Cloud Services – Siatik