Security concerns for when your company’s head is in the cloud

The introduction of the cloud has changed the working habits of many businesses, allowing services to be delivered anywhere with an internet connection

Ross O’Donovan, information security specialist, Logicalis Ireland

One of the most significant changes to the modern working landscape is the cloud. Its introduction has changed the working habits of many businesses, allowing services to be delivered anywhere with an internet connection.

Quickly following that came the popularity of public cloud providers such as Amazon Web Services (AWS) and Microsoft Azure, offering the average business access to a whole world that changed their productivity.

Yet amid this rush, many forget that, for all the usefulness and accessibility these services bring, the user is still responsible for making sure the right measures are in place to ensure bad actors can’t access their data.

That assumption can crop up regularly, said Ross O’Donovan, information security specialist at Logicalis Ireland.

“People do think they’re automatically inheriting some security just from the fact that the cloud provider may have some certification level through ISO [or another offering],” he said. “But the industrial customers don’t realise that the onus is back on you to ensure those controls are still in place.

“It’s still your data or your customer’s data, you have responsibility for it [and] that’s a basic thing.

“Some people do struggle with understanding that motive. They think that by offsetting the perceived risk to a cloud driver, they’re inheriting a lot more security, and are more confident of what they’re doing than they probably [should be].”

Inevitably, O’Donovan said, this problem comes up a lot, where businesses believe they’re getting a good deal because the availability and scalability pieces make sense for them, but don’t realise they have to do their due diligence as with any other service.

That awareness might not always be there, but on the bright side, there is a growing focus on training and improving this awareness. Security concerns the entire organisation, not just those in IT, and a little bit of savviness can go a long way.

“We see a lot of services where there’s a big focus on the end-user security awareness training programmes,” he said. “They have developers within their organisations who need to think smarter about what they’re getting up to, some people in HR and marketing who would like the consumer service, they signed up to it, but they haven’t told anyone in IT or the security team.

“We see a lot more impetus and focus on that end-user security awareness training to get that message across. You have to stop and think about what you’re doing.”

With regard to the cloud, businesses have been proactive in adopting it and taking advantage of the benefits that it can bring, but one blind spot can be not realising just how many services they use that are cloud-based.

The obvious ones like AWS and Azure may pop into their mind because they’re for storage, but they might not realise that the timekeeping app they use also integrates cloud into its service.

It’s the reason why something like a security-by-design approach - designing security from the ground up in a product or service - is so important, as it’s harder to bolt fixes onto a product or service that has already been designed.

“Some are quite surprised with the amount of cloud-based services they’re on, whether they’re SaaS-based services or infrastructure as a service that are consumed within the business,” he said.

“At that stage, you’re at the point where the horse has bolted and you’re back to retrospectively trying to engineer things.”

Of the many services that Logicalis offers, one is a security adoption strategy which looks at whether a company is ready to move services onto the cloud.

It involves auditing a business to see what parts of it can easily be adapted to the cloud, what they need to move and what kind of legacy systems they have in place.

O’Donovan said that, more often than not, such businesses can see a quick return on investment from non-critical systems, as well as benefiting from the sustainability and availability of the cloud.

Combined with that are the newer technologies that are coming into play, such as automation, something that people are starting to look at more, according to O’Donovan.

Designed with the purpose of dealing with low-risk items, it sees businesses automating their operations-type model and using machine learning to help identify these items. By giving technology the job of dealing with these items, it frees up time for businesses to focus on more important tasks.

“We’re starting to see that mature in the Irish market, and public cloud is starting to facilitate that,” he said.

“That’s stacked back into the integrated security piece. There are challenges in the marketplace with resources and if you can free up your resources to do higher-level projects, rather than chasing, that’s definitely a benefit to businesses.”