Cloud adoption in Ireland has been slow in comparison to other countries. Much of that tardiness was based on security and privacy considerations, particularly in the public sector. However, there has been a perceptible shift in attitudes not only in Ireland but globally in the wake of recent highly publicised cyber events around the world.
Before now, many conversations with organisations were centred on an absolute prohibition on personal identifiable information (PII) being located in the cloud. Recent events have caused a shift in that thinking and a realisation that any data can be stored in the cloud once it is sufficiently protected and secured.
The growing cyber threat
It is difficult for an organisation to fully protect itself against ransomware. The fact is that many of the world’s biggest and most technologically advanced organisations have suffered ransomware events, and this will continue. Once users can access the internet, the organisation is vulnerable. User access to email means they are exposed to threats such as phishing. User training and awareness raising will help but the infiltrator only needs to be successful once. In this light, traditional network security measures are no longer enough for modern purposes. Organisations need to take a proactive approach and continuously monitor everything happening on their systems. Planning and preparing for a breach must be top of organisations’ agendas now. Utilising cloud-hosted services can help greatly in reacting to a breach.
That approach must be based on the principles of Assume Breach and Zero Trust Networks. Assume Breach is a philosophy that underpins security design and practice. All internal and external applications, services, identities and networks are treating as not secure and quite possibly already compromised. “Zero trust networks” is a security concept which holds that you cannot assume that users, systems or services operating from within the security perimeter should be trusted. Instead, anything and everything trying to connect to the system must be verified first. The Security By Design principle on which it is based means that these concepts are already built in to the cloud.
The case for cloud
Cloud-supplied security offerings can provide a cost-effective solution with lower cost of entry. The on-premise service offerings from security vendors come at a very high entry cost, particularly for SME and other smaller organisations. The upfront cost of the equipment and software can be prohibitively expensive. The pay-per -user and pay-as -you-go cloud model opens up full enterprise -level security capability to organisations that were previously priced out of the market.
This is in line with the trend that sees IT spend shifting from capital expenditure to operating expenditure for organisations. Many are moving to a cost-per-user model, which is much more scalable and flexible in the long term while offering an affordable cost in the short term.
The suggestion that any organisation can provide its own security on-premise is fallacious in any event. Most organisations are protected at the edge with solutions that cannot be updated and maintained quick enough to react to new points of weakness and vulnerabilities. Hyperscale cloud providers like Microsoft have military-grade security that most Irish organisations, regardless of size, simply cannot match.
Outsourcing
It is little wonder that more and more organisations are outsourcing their cyber defence to their cloud partners. Those partners are taking responsibility to ensure safety and security, with world-class systems and processes in place to prevent breaches and ensure that when a breach does occur it is a lot less damaging than it would be had it happened on-premise. The Zero Trust model means that the cloud is divided up into small segments. If there is a breach in one it gets blocked off and fixed and no other segments are affected.
Increasing cyber defence has many synergies with software as a service (SaaS) offerings like Microsoft 365. Many of these services protect users from themselves with multiple layers of scanning and anti-phishing mechanisms. Organisations are moving for the functionality and collaborative services, but they are moving up the security stack at the same time.
Another advantage of the cloud is the access it provides to continuous monitoring and logs. Organisations can easily track exactly what has happened on the platform should there be a breach or just for standard tracking of changes in “Business as Usual” mode. This can be very difficult to configure and set up correctly on-premise.
On-premise systems can require a lot of changes at the back end for even simple service modifications. IT departments can be cautious by nature and reluctant to change anything for fear of breaking it. This has led to a substantial amount of technical debt and legacy on-premise security footprints. In a world where everything needs change quickly and continuously, cloud and SaaS services come into their own.
Scalability
Setting up and configuring new services in the cloud can happen at pace compared to on-premise systems, in a matter of days instead of weeks and months. Indeed, one of the great advantages of the cloud is its flexibility and scalability. This came to the fore during the rapid shift to home and remote working last year.
An example of that scalability is the deployment of multifactor authentication (MFA). 99.9% of successful attacks are against people without MFA. One simple action you can take to prevent 99.9 percent of attacks on your accounts (microsoft.com) MFA means if someone gets your password, and they will at some point, they need to get another piece of information to be able to authenticate with it. MFA is a very quick win when it comes to cybersecurity and the cloud makes it much easier to deploy and scale.
People, processes and technology
It also needs to be understood that the cloud is just part of larger security picture which involves people, process, and technology. Technology alone will not solve the security issue. Organisations also need to change their processes and address people issues. Staff and resourcing policies that reward people for embracing change are required. While zero trust is required on the system, a zero-blame culture must prevail in the organisation. Everyone makes mistakes and must be encouraged to report them. In a blame culture, mistakes get covered up leading to further problems down the line. No security architecture can survive a blame culture.
Finally, moving to the cloud is a journey which takes most organisation 18 months to 2 years before they are operating effectively. Organisations need assistance from trusted vendors with the experience and expertise to bring them on this journey in safe, secure and timely manner.