So, you are thinking about migrating to the cloud: moving applications, moving data, or even downsizing your data center and putting some or all of your infrastructure there.
But you have one big concern: security.
The Big Cloud Security Questions
Can you really trust a provider of cloud services to exercise the same level of care and protection that you would? Will the advantages of migrating to cloud outweigh the risks of migrating to cloud?
The short answers to both questions are: yes, you can trust the right cloud provider and yes, the advantages can and should outweigh the risks.
What has been happening in the cloud market is a bit like what has taken place in the automobile industry. Like car makers that use safety as a selling feature, cloud providers now regularly tout their security investments to get more enterprises to pursue cloud migration strategies. And just as in cars, where safety features that were once only found in luxury auto brands (think anti-lock brakes and blind spot control) have made their way into more affordable models, the same thing is happening in the cloud with things like identity control and encryption.
Microsoft Azure invests some $1 billion annually in security measures according to Ann Johnson, a vice president in Microsoft’s enterprise cybersecurity group. As a result, Johnson argues, the cloud has democratized cybersecurity, giving both the well-heeled and the resource-constrained access to the same powerful security tools.
Does that mean you are 100% safe in the cloud? Of course not. Microsoft Azure and other leading providers of cloud services, including Amazon Web Services, have all experienced unplanned outages. And the growing concentration of IT services in a smaller number of providers is itself a risk that didn’t exist previously.
According to “Cloud Down,” an in-depth report prepared by Lloyd’s of London and the catastrophic risk modeler AIR Worldwide, a cyber incident that takes a top-three cloud provider offline in the US for 3-6 days would result in losses of nearly $18 billion. Only a fraction of this loss is covered by insurance.
But on a micro, individual-enterprise level, there is a growing body of data and expert opinion to argue that migrating to the cloud is a safer bet than staying put in your own data center.
More Investment in Public Cloud
For starters, in every industry today—including highly regulated, compliance-oriented sectors such as healthcare, law and government—companies are voting with their budget allocation and are migrating to the cloud. And, specifically, the public cloud.
In the past, largely because of security worries, these companies might have implemented cloud computing strategies that maximized their own control, such as hybrid cloud or private cloud strategies, or limited themselves to cloud storage or cloud backup.
Now those older, limited, security-driven cloud migration strategies are giving way to a full embrace of public cloud options, including migrating legacy applications to the cloud.
According to the 2018 Rightscale State of the Cloud Report—widely considered the largest and most authoritative survey of its kind on cloud trends—there has been a surge of interest in public cloud platforms with the percentage of enterprises ranking the public cloud as their top priority growing from 29 percent in 2017 to 38 percent in 2018.
Expertise on Cloud Security
According to the same Rightscale survey, the people who know best—IT professionals—now have greater faith in the cloud than ever before. Rightscale found that “among enterprise central IT teams, who typically have the most responsibility for security, there has been a significant decline in security concerns among this group over the last few years.”
Gartner is among the named IT experts arguing for the relative safety of the cloud. According to Gartner, through 2020, organizations that are running workloads in the public cloud (e.g., migrating applications to Azure cloud) will see at least 60% fewer security incidents than those in traditional data centers. “CIOs need to ensure their security teams are not holding back cloud initiatives with unsubstantiated cloud security worries,” says Jay Heiser, research vice president at Gartner. “Exaggerated fears can result in lost opportunity and inappropriate spending.”
The software and cloud-services provider Oracle flatly says that when you make an apples-to-apples comparison of security in a traditional, enterprise-operated data center vs. security in the cloud, the cloud consistently comes out on top. According to Oracle, inconsistent patching and insufficient encryption in traditional data centers create needless risks. Cloud providers with comprehensive security management—including the ability to autonomously detect and fix vulnerabilities, encrypt data, and conduct regular patches throughout the stack—are far more reliable.
Cloud Migration Checklist
So, users are voting with their investments. Analysts are voting with their expert opinions. As you pursue a migrating-to-the-cloud strategy, what should be on your cloud migration checklist? Here are a few key considerations:
Understand Your Shared Responsibility: Just because you have made the decision in favor of migrating to the cloud doesn’t mean that you have offloaded all your risk to the cloud services provider. Most cloud providers operate under the “shared responsibility” approach, meaning that both the provider and the customer are responsible for security. You are likely responsible for the data that is being stored outside your business, which in the event of a breach makes you the most liable for any third-party damages or compliance penalties.
Access Controls: While your data and applications may be under the control of a cloud provider, you control the user access. And this is your most significant point of vulnerability. Through 2022, according to Gartner, at least 95% of cloud security failures will be the customer’s fault. IT should look to the “principle of least privilege” by configuring read and write permissions so they are granted only to those who need them. Enforce multi-factor authentication to help ensure people are who they say they are.
A Holistic Management View: A provider of cloud infrastructure services is responsible for reliable, efficient and secure performance of the hardware, but you are ultimately responsible for making sure your guest operating systems are fully patched and compliant with security baselines. Experts advise using a single management platform to get a holistic view of security across all environments. Microsoft Azure, for example, provides management tools for looking across all cloud and on-premises systems. Also, consider turning off virtual machines no longer in use, thereby preventing an attacker from getting inside an under-monitored cloud VM and then moving around inside the cloud infrastructure to plunder more lucrative targets. Doing this can also cut down on unneeded costs.
Other key suggestions when evaluating cloud providers include:
- Make sure the provider has redundant systems for HVAC, power and network connectivity. If they do not, that’s a red flag.
- The same goes for getting regular third-party audits, vulnerability assessments and penetration tests. If they are not there, consider moving on.
- Does the provider automate as much as possible, using dashboards and remote command tools to monitor their infrastructures? Greater use of automation is the key to avoiding unforced errors.
- Finally, does the provider encrypt all sensitive data—at rest and in motion—and securely manage and store all the encryption keys? According to Gemalto, a provider of identity authentication and data protection technologies, encryption is moving from a “best practice” and becoming a business necessity. According to Gemalto’s Data Breach Indicator, in 2017, only 3.1% of breaches took place where encryption was used, accounting for 1% of the 2.6 billion records stolen.
Cloud security at Templafy
Templafy is a cloud-based SaaS solution hosted on Microsoft’s Azure cloud and we constantly look at emerging best practices to keep our own security ahead of the curve:
- We ensure our solutions are rigorously tested both by internal and external sources. We have an external company do penetration testing on our solution every 6 months, or every time we make changes to our security setup.
- Data are stored in Azure SQL database and files are stored in Azure Blob storage. Both types of storage are considered highly secure and reliable (e.g., all data is replicated and saved on multiple storage units and all data is encrypted at rest).
- The Microsoft Azure backend ensures that no other Microsoft Azure tenant can access our data.
- There are isolated data containers for each customer/client that Templafy specifically developed to ensure that different Templafy customers cannot access each other’s data.
- A role-based access control system ensures that a user can only see data for the tenant for which the user is signed on. The role-based system also ensures that a user can only perform the tasks in the system for which the user has been assigned privileges.
We welcome you to get in touch with us if you would like to learn more about Templafy’s secure, cloud-based document creation and template management solution.