How to address cybersecurity when migrating to the cloud

31 May 2021

Image: © alice_photo/Stock.adobe.com

Moxtra’s chief technology officer discusses cloud security and some of the main pitfalls that businesses should avoid.

Click here to view the full Cloud Week series.

Migrating to the cloud is far from a new concept. However, the last year has accelerated digital transformation across virtually every industry, dispersing much of the global workforce and decentralising much of the on-premise infrastructure we had been used to.

This has invigorated discussions around creating proper cloud strategies and solutions. However, it also comes at a time when cyberattacks are on the rise, taking advantage of the systems that were forced to go remote overnight, as well as much larger attacks. Most recently there was the major attacks on a major gas pipeline in the US and the massive cyberattack on Ireland’s Heath Service Executive (HSE).

With the adoption of cloud and the discussion of cybersecurity both reaching new levels, what do businesses need to think about in terms of protecting the information they move into the cloud?

“Businesses assume that every asset can be or should be protected against every possible threat. It is not realistic for businesses to cover every single asset with ultimate security,” said Stanley Huang, co-founder and CTO of cloud-based software company, Moxtra.

“The question that should be asked is ‘what do we want to protect?’ rather than ‘how can we protect everything?’ Companies need to prioritise their most essential assets and determine a strategy to protect them, by defining not only what needs protection, but also what level of protection each asset will need.”

‘You cannot just buy security from a vendor’
– STANLEY HUANG

Huang said when it comes to cloud security, there is often a disconnect between a business recognising security needs and receiving strategic, well-planned security coverage.

“This stems from the issue of many businesses only focusing on the technical aspects when implementing cloud security,” he said.

“For example, what kind of cloud computing service are we using, what is good about it, what is not good, what technology does it use, how well does it work for users? While this is all important to understand, these considerations should come after you determine how security fits into the bigger picture.”

He said that many businesses often bypass the step of scoping a security strategy before implementing cloud technology, but this step is vital when it comes to mitigating risk while migrating to the cloud.

Advice for ensuring good cloud security

Huang suggested that businesses identify or hire a security task force owner internally, who is responsible for defining the security strategy at the company level.

“This person must be a good organiser with a technical background but does not necessarily need to be a security expert. In addition, a third-party consulting service with security expertise can work with the internal organiser to define a specific security strategy for your business,” he said.

“You must be realistic about whether the execution is doable and cost-efficient. Going through this in the early stage and then defining the scope is best for small businesses, as they do not have expertise to do everything. As a business owner, you must understand how your business operates, and then collaborate with the help of other parties to discuss what asset and how secure it is to create an overall map about how your business should use the cloud service.”

A man with glasses wearing a light blue shirt smiles at the camera.

Stanley Huang. Image: Moxtra

Aside from thinking they can protect everything to the highest possible level, Huang said another common mistake companies make is thinking that they can buy company-level cloud computing security from each of their cloud service vendors.

“You cannot just buy security from a vendor. While the vendor can provide the security solution, as a business owner, you need to think differently about how to leverage that solution and make the best decision for your business.”

In practice, this means a cloud vendor can provide a certain security solution such as multifactor authentication, ensuring that the people who are logging in are who they claim to be through various verification methods.

However, it is up to the company itself to ensure that employees who leave no longer have access to these data repositories.

“The vendor has done its job by making sure the employee’s email and password matches and requiring sign-on, but the business owner needs to ensure that employees verify employment status through a centralised system, and that only current employees have access to company data,” he said.

Another misconception Huang warned against is the idea that a businesses can simply leverage a third-party security consultant company to provide them with a secure cloud computing environment.

“As I discussed earlier, a business cannot just purchase a technical solution and expect it to protect its data. Businesses need to define the scope of their security plan and prioritise levels of security. Only after this is done should businesses be investing in third-party consulting and purchasing security solutions.”

Education is key

When it comes to cybersecurity, cloud-based or otherwise, CIOs and CTOs alike cite education of staff as a key component of protecting data.

Time and time again, infosec experts and IT surveys have highlighted human error as a major risk when it comes to cyberattacks. But it’s one thing to simply say workers need to be better educated about cybersecurity and another to suggest how to go about it.

“I believe that collaborating with experts is the most effective way to advance the education of your staff. By splitting up responsibilities and educating people with a different focus based on their role, employees are able to build a whole vision of a security map when they collaborate,” said Huang.

“I believe the most critical part of education is working in collaboration with other parties to determine the target of the desired cloud computing security, and then defining the strategy and executing it properly. This is more of a high-level sort of education, but without this, not much else matters.”

Jenny Darmody is the deputy editor of Silicon Republic

editorial@siliconrepublic.com