Celerity Security Panel – 02/20
DAVID TAYLOR [00:00:21] Hello and welcome to security panel brought to you by Celerity. My name is David Taylor. And today we’re gonna be talking about Cloud security. I’m lucky today to have another Celerity man, Mr. Ed Yates, who is our Cloud technical architect. Welcome Ed.
EDWARD YATES [00:00:34] Hi, hi. Thanks, David. Yeah. My name’s Eddie Yates. I’ve been with Celerity for a while. I am in a technical architect. Secifically focussed around a multi-cloud, hybrid cloud-cloud in general. And before we get into the show, I just thought it’d be worth giving you my kind of definition or view on what cloud is it’s got different meanings to different people, right? So to me, it’s not a place. It’s not a thing. It’s not a technology. It’s a consumption model. It’s a way of delivering I.T. and consuming I.T. Hopefully we’ll get a bit of a feel for that, as we discuss it today. And that is a lot of why plaque businesses and customers are looking into cloud.
DAVID TAYLOR [00:01:16] Great, thanks. So cloud gets thrown around a lot, especially with everyone talking about digital transformation. But tell me a bit about why cloud now is such an integral part of a company’s I.T. strategy.
EDWARD YATES [00:01:27] Absolutely. It’s a new way of doing things. So I think a lot of businesses, companies do when I look into it. Understand what it can offer. There’s the less interesting element of what it can offer, which, you know, maybe the cost areas there. There may be cost savings that they want to gain from it. They might want to free up resources. People might want to do new things, explore new technologies. And the cloud will when will enable the guys to do that. So every business, I think, should be considering cloud whether it’s for them. They’ll find out during the journey.
DAVID TAYLOR [00:02:04] Great. Is cloud the right fit for every company?
EDWARD YATES [00:02:08] So I think areas of the Cloud are a right fit for pretty much every company. There’s hundreds of services out there that the cloud can deliver. Some companies might find a lot of those services fit their business model. Other companies might find that cloud can just deliver a small subset of that. It depends on what their drivers are for looking at the cloud or go into the cloud. What kind of data sets they have, what their business does, how their team is currently positioned, where they are in their lifecycle. New businesses might have more reason to adopt a cloud than established businesses that already have a lot of I.T. skills in-house. But absolutely everybody should consider the cloud before deciding whether it’s the right way to go.
DAVID TAYLOR [00:02:52] Great. So everyone is considering it and what are the business benefits that cloud can bring to companies?
EDWARD YATES [00:02:58] There’s a lot of benefits that cloud can bring to companies. Not all those benefits will apply to all companies. A few of the key ones that I talk about that I see out there. Agility is a key one. So the ability to very quickly deploy new systems or consume I.T. resources, whether that’s in the development, dev ops, testing, things like that, whether it’s to take advantage of new technologies, it’s very quick to log in, get it operating within minutes rather than having to go through traditional procurement cycles of delivery’s and configurations, things that can take weeks, sometimes months. There’s the best ability of the cloud, it’s elastic nature. You don’t have to buy everything you might need upfront to deal with those peaks that you might have over the year. You can use as little of it as you need to. But it will scale to use as much of it as you need to during those busy periods. And it can do that dynamically. It might even do that itself with auto-scaling. So that elastic burst ability is key. We spoke a little bit about the costs, but customer is looking at a more OpEx type model rather than a CapEx model. Having that kind of pay as you go or on-demand consumption and associated costs can fit that business. If they’re looking for cost savings, so closing data centres, reducing their I.T. staff footprint, you know, there the benefits. But there’s other elements as well. There’s bringing new services that would otherwise be out of their reach. So whether that’s things like same for security or business intelligence or artificial intelligence, they might have the budgets to buy that upfront. But it’s something they can very quickly try in the cloud and either say it’s got value or decide it’s not for them. Fail fast, get out the way and you know, there’ll be no further costs. And self-service. You’re not necessarily reliant on the I.T. team to deliver everything. If it’s in the cloud, departmentally managers could potentially go in and provision systems themselves without even having I.T. expertise because it’s all done through a nice self-service managed portal. And it depends where the cloud is. When we talk about cloud, a lot of people might just consider the public cloud. And perhaps that’s where my focus is today. There’s a lot of public… Private clouds out there as well. Complete like clarity where private cloud, where, you know, we can potentially offer a lot of the same things as a big public cloud providers. But we can deliberate perhaps in a more bespoke way. We can also be a little bit flexible in how we do that. And also, even if you’ve got hardware and traditional infrastructure on-premise, your own kits, that can still be an on-premise cloud. You may use it the same way as you do today, or you might tweak it a little bit. So the way you go about delivering I.T. from it changes, but ultimately it’s still in house and a lot of people have a mix of all that. So, you know, hybrid cloud model is very common. Keeping a bit on-premise, using a bit in, you know, out there in the public cloud and how that balances. Very much depends on what you want from the cloud and where your business is at present.
DAVID TAYLOR [00:06:12] So it seems that’s quite a lot of benefits moving to the cloud.
EDWARD YATES [00:06:14] Absolutely.
DAVID TAYLOR [00:06:15] But are there any disadvantages?
EDWARD YATES [00:06:17] That can be. There’s certainly things to consider, challenges to get over. I would say cybersecurity is an obvious one. A lot of people are nervous about moving things into the cloud. I think that the larger cloud providers have realised that over recent years and put a lot of things into their cloud service offerings to mitigate that. So things like denial of service attacks or the malicious attacks like ransomware, where there’s a lot of services out there to protect clients from there. But if you do have your data or your applications running and in one of these big cloud providers, arguably they’re a bigger target for the cybercriminals out there. So people do have that in mind and that might be, you know, might be seen as a disadvantage. Then there’s around data breaches. What if your data is ultimately accessed and leaked out? How is that data protected? So is our data encrypted? Are you going to get visibility into when you’ve had a data breach? There’s also an element of trust in the cloud. You’re no longer. Got hands-on with the equipment. You’ve got other people potentially running it. So do you trust them, especially if you go into the private cloud providers rather than the likes of Amazon “native US”? There’s a trust that has to be established, I think, prior to going into that. But, yeah, there are challenges to be aware of. But with planning and prep, you can mitigate these, overcome them and actually find the cloud is a great place to be good.
DAVID TAYLOR [00:07:49] I can fix them. So what kind of workloads are you typically seeing businesses use when they go into the cloud?
EDWARD YATES [00:07:56] Oh, there’s such a broad spectrum of things people move into the cloud. For me, there’s just some easy access points for the cloud that customers are happy to look at. I mean, some of the challenges with the cloud can be internal opposition to moving to the cloud. If you’re taking work, load off of I.T. guys and put it in the cloud, they might feel that you’re reducing their important importance within the business. So things like disaster recovery, that can be a headache for everyone in the business, including the I.T. team. They tend to be quite keen on the idea of using the cloud for disaster recovery. So while I have a second data centre, when you can just replicate your data into the cloud and let people manage that. There’s other areas that we see a lot of traction with using cloud storage to complement your on-premise backup is a common one. So people have loads of data and a lot of businesses have to keep this data for a long time. We might be compliant health records. They might be legal documentation. It has to be there. For many years. Sometimes forever. And the amount of data is immense. And therefore, the amount of storage you need is immense. But using cloud-based object storage so that you don’t have that on-premise. Fit, yet it doesn’t take anything away from what you’re really doing. So it does complement what you’ve got rather than take over. And also the services available from cloud that can complement what’s already there. So you’re not moving anything you’ve got into the cloud. You’re just using cloud services to add to what you’ve got. So things like analytics, business intelligence, artificial intelligence, plugging the cloud into your on-premise infrastructure can help you expand what you’re delivering without actually taking anything away from what you’ve already got.
DAVID TAYLOR [00:09:43] Okay, that’s great. So, for example, say I’m a company and I’m looking to move to the cloud. What type of things I should be looking at taking of thing into consideration even?
EDWARD YATES [00:09:53] Yeah, there are absolutely. There’s a few key things to consider. I think one of the key things for me is, I suppose, a shared responsibility model. So it’s understanding what the cloud providers are responsible for and what you as a client are responsible for. You hear things especially around security, saying that the cloud providers are responsible for the security of the cloud. So, you know, access to the data centres and all that kind of good stuff, what the client is responsible for security in the cloud. So you’ve got to make sure you’ve got the right security services in place. You’ve got your data encrypted, you’ve got your access monitored and managed properly, and you’ve got visibility into what’s going on. So a key thing is to not assume that just because it’s in the cloud, the cloud providers are doing everything that needs to be done. They will offer services to do it. But you need to be aware of that and make sure it’s appropriately configured. So you are getting the best out of your cloud provider.
DAVID TAYLOR [00:10:50] Great. Now, what kind of security challenges does cloud create? Once you’ve talked about on-premise and in hybrid book, moving in the cloud. What kind of security challenges does it create?
EDWARD YATES [00:11:01] There’s a few. There’s a few things to be aware of, really. This is access is key thing. And one of the advantages of cloud is access anywhere. But that doesn’t mean you on anybody and everybody to be able to get to your applications, your data. So having the right level of access control, the right level of authentication, such as multifactor authentication to make sure the right people are accessing it and that the people that you think are accessing, they are in fact, the people they say. Making sure your data is protected and working with, I suppose, a logic of least privilege. So only gave people the minimum access rights that they need. So that should somebody getting malicious entry into your environment. And he compromised accounts limited in the damage that they can do. And also make sure you’ve got the services enabled that can audit what’s going on. So you can very easily see what’s happening. Who did it? When did it happen? And also that you’re getting alerted when there’s when these things are happening. I think if you’ve got that visibility in that control, you can very much enhance security and mitigate a lot of the risk that people associate with moving to the cloud.
DAVID TAYLOR [00:12:10] Perfect, now, the cloud a lot of people isn’t tangible to them because it’s within their sky. Do you feel that sometimes they’re missing certain things like vulnerabilities? They assume they’re being looked after?
EDWARD YATES [00:12:22] Yeah, that’s. That’s that’s. True. So I think people do assume that it’s in the cloud. Everything is protected. So an example of that might be spun up a virtual machine in the cloud. That’s great. It’s bound to be protected from a data centre failure or a server or a hardware failure. Because, you know, the cloud provider looks after that or is bound to be backed up because, you know, cause you got a backup your data. The cloud provider is bound to be doing that or security is so important. So I’m sure there’s gonna be a firewall in place and everything’s protected and that’s not the case. So absolutely all the cloud providers will recommend you do this. They will be best practises out there that you should read and follow. To put these extra services and security in place. So make sure you are backing up your data. Make sure that you’ve got the right level of availability for your data. You’ve got your virtual service being replicated across data centres that the cloud provider has. That’s not necessarily the case with all cloud services. So as you move to a more platform of the service or software as a service model, inherently within that service, some of that will be taken care of. But if you’re just using the more infrastructure service type solutions and things like that, you have to piece it together modularly to make sure that you’ve got it right. If you miss things out, then you are potentially exposing yourself. So getting it right is key for sure.
DAVID TAYLOR [00:13:43] And is there any sort of security laws related to cloud. If anyone is looking to move there?
EDWARD YATES [00:13:49] Security laws? I’m not too sure about security laws. I think a key thing is kind of understanding data sovereignty and data governance. So especially the larger cloud providers will have data centres distributed around the world, you know, different countries, different continents. So your data will therefore reside in those different geographies and the regulations within that country will apply to that cloud provider and therefore your data. So being aware of where your data resides, data residency and what those local laws are is important. You know, you may be that you’re not happy with it being in certain countries. So just make sure that you have it configured in a way so it only is only resident in countries you’re happy with, whether that’s your local country or, you know, different ones. Does it matter? Just be aware of the different sovereignty laws around data and data access. And another thing as well to be aware of is, is what access does the cloud provider have to your data? So, you know, you want to understand what levels of security they have. What ISO accreditation is they may have. From the terms and conditions, what access are you giving them to your data? Are they going to share any of your data anywhere else? Just be aware of it before kind of committing to it.
DAVID TAYLOR [00:15:04] Thanks. And so everyone knows data is important to organisations and some organisations, such as hospitals and law firms, might have information that day is a bit more sensitive. So how risky is it to put a sense of data into the cloud?
EDWARD YATES [00:15:18] I don’t think it’s risky. I just think you have to be aware of what you need to do to to mitigate that risk. So data encryption is a key one. That way, if your data does get out, it’s illegible to anybody who has stolen it. I think access to that data. So from how you connect to that data, to how you have your firewalls configured, to how you manage people who do access that data and how you also monitor that data as well. So how do you get visibility into who’s doing what and when sensitive data is accessed is key. But I think if it’s done right and it stood in the right way and you’ve perhaps done your homework upfront and looked into what needs to be done, then having sensitive data in the cloud is certainly no more of a disadvantage and having it on “premise”.
DAVID TAYLOR [00:16:10] Okay. And on that train of thought, how secure is cloud infrastructure as a whole?
EDWARD YATES [00:16:16] So I think cloud is as secure as you make it. It’s certainly capable of being as secure as on-premise. But you need to be aware of what you’re doing. So control access to it. Give people a minimal amount of privilege they need within the cloud. Make sure you’ve got things like VPN connectivity rather than web fazing access. Make sure you’ve got your data encrypted. Make sure that also your data is protected, backed up, distributed in different data centres, even different countries. But if you do it right and then your data is going to be very secure and the cloud is going to be very secure.
DAVID TAYLOR [00:16:58] Well, I think you just mentioned on-premise, how does on-premise compare to cloud in terms of security?
EDWARD YATES [00:17:04] I would say that ultimately you’re running the same kind of things. You’re running the same applications, you’ve got the same data set as you would have on-premise. You just run it in someone else’s data centre. So arguably, it can be just as secure if you do the same kind of stuff in the cloud as you would do when it’s on-premise that your data is going to be just as secure. There’s advantages to it being in the cloud. So you’ve no local access to it. You can’t have, I suppose, disgruntled staff, workers, staff going into the I.T. room and taking the data out. Physical access to the systems. So you’ve perhaps got higher level of protection in that way. But ultimately, perhaps your data is more exposed because you’ve got it. You’ve got it in the cloud. It’s available via, you know, via the Internet. And if you’re not protecting it, then it’s more likely to get attacked than if it was just isolated in your on-premise environment. But I’d say it’s certainly secure, if not more secure because cloud providers do tend to have more security focussed services available to you than perhaps your own on-premise I.T. staff can deliver.
DAVID TAYLOR [00:18:07] That’s good to know. So just to close us out here. And do you have any closing advice to the viewers at home? Who are maybe looking to move to the cloud or to secure their existing cloud infrastructure?
EDWARD YATES [00:18:17] I do. You want to do your homework first. So look into it a lot. You want to make sure that cloud is going to be right for you. Make sure that your applications are going to work in the cloud as you expect. Be aware of some challenges you might have when it’s in the cloud. Reliable connectivity. The latency between cloud applications and components of the application that might still run on-premise. Make sure your security is paramount. So look into access. You know, taking a leaf privilege approach, using multifactor authentication. But if it’s done right and you do a lot of planning and perhaps with partners there to help you understand the challenges and help you get over the complexity of migrate into the cloud. Then you transition to the cloud can be a great success and hopefully, it will actually exceed your expectations.
DAVID TAYLOR [00:19:07] Fantastic. Well, thanks for your time today. You’ve been watching Security Panel brought you by Celebrity. And I’m David Taylor, I will catch you next time.