Cyber security was the reason not to adopt cloud. But the opposite is true now, says Tony Velleca, CIO at UST Global
Cloud computing was by all accounts inevitable – we can see its steady adoption all around us.
According to Goldman Sachs spending on cloud computing infrastructure and platforms will grow at a 30 perecnt CAGR from 2013 to 2018, compared with overall enterprise IT’s five percent. It forecasts global security-as-a-service revenue will reach $106bn in 2016, growing 21 percent over 2015.
Disruption to business
Earlier this year CEO of British insurance company, Lloyd’s said that cyber-attacks cost businesses as much as $400bn a year, including the damage caused by the attack and consequent disruption to the normal course of business.
CIOs and their Infrastructure Management teams have historically been concerned about security in the cloud. Lack of trust, relative lack of control, fear of not knowing where the data resides, and complex regulations in different countries have only made this more difficult.
With the recent explosion of cyber-attacks, many have rightly noticed that their cloud environments were not breached during the attack. In fact, the attributes of cloud computing including Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS) are aligned with best practices in cyber security.
There are three recent cyber security trends that make cloud computing more relevant:
1. Network Segmentation and Lateral Movement
2. Data Protection
3. Intelligence Talent
The cyber-attacks that are putting major corporations such as Sony Pictures and JP Morgan in the news are advanced persistent threats with a motive to steal valuable data, cause major disruption and damage systems. In these cyber-attacks, the hackers patiently seek access to corporate systems then move laterally within the corporate network.
As a result, companies are segmenting their internal networks to make it difficult to move laterally. This is much more complex than it seems since major systems need to communicate with each other.
Cloud solutions, particularly SaaS, have solved this problem by creating a set of secure web services to isolate these communications. Cloud solutions are isolated across the Wide Area Network (WAN) and therefore are secured with their own firewall, intrusion prevention and monitoring.
Since data theft or destruction of data are the common targets of hackers, the innovations in cloud computing uniquely provide data protection, both at rest and in transit.
First, physical access of data is completely obscured. With major cloud providers, there is no way to point to a physical server where the data is stored. Data is stored across multiple devices using advanced algorithms that provide scalability and protection.
Second, solutions are available to encrypt this data at rest using a key unknown to the cloud provider. One of the best practices for cyber security is to segment data so any breach is isolated to a segment of the information that may be useless without the entire set. These encryption solutions were setup to provide regulatory protection in the cloud but obviously provide an important piece of the data security.
Finally, since cloud systems are external, data in transit is typically encrypted, managed across a VPN or most recently, offered as direct connection by major telecom companies. Many internal systems assume that the network is secure and therefore do not protect data in transit inside the network. Although it is not difficult to accomplish, technically, it was not considered necessary. This mindset is changing.
Cyber security is of major importance to cloud computing companies. One major breach and their business model is at risk. For this reason, most major cloud computing companies are hiring top talent from intelligence organizations like the NSA, CIA or FBI.
Today, there is a talent gap in Cyber Security. International Information System Security Certification Consortium Inc. (ISC)2, a global provider of education and certification services for information security professionals, predicts that the global security hiring shortfall will reach 1.5 million in five years (cioinsight.com post). This makes it nearly impossible for major corporations (with the possible exception of large financial institutions) to attract the experienced talent required to protect against the advanced persistent threat.
These insights are based on conversations with CIOs and CISOs of some of the major companies breached in the last three years. Many have noticed that their cloud systems were not impacted during the breach. Strangely enough, where security was the first objection cited when considering cloud computing, it may now be the primary reason why many consider cloud computing.
How much do you know about data breaches? Take our quiz!