Seven critical success factors for a safe and compliant “Cloud First” strategy
The Cyber Security Council (CSR) has been alerting the Netherlands to its digital vulnerability for many years. As already became clear from our Security Awareness investigation, even the most basic security measures are often not taken. In response to external threats, organisations increasingly aim their IT strategy at “online” environments, which is fortunate, as the technologies used by people and countries that are up to no good will only become more and more advanced.
And yet, when planning to move to the Public Cloud, organisations often first check whether an environment or application can run in the Public Cloud (does it work?) and only then investigate the information security aspect. Security and compliance, however, should form the foundation for the applications to be built and the data to be controlled. After all, it is far more difficult and costly to introduce security into your application stack and Cloud infrastructure afterwards through “reverse engineering”, let alone to bear the consequences and costs associated with a data breach. Hence the following seven points of attention to take into consideration when improving your Cloud landscape’s security and compliance.
The services of Cloud Service Providers are, in fact, safe and are tested by external parties on a regular basis. The audit reports are accessible to all and offer you assurance up to the level for which the Cloud Service Provider (CSP) is responsible. However, the resources and data that you, as an organisation, contribute are, and will remain, your responsibility in accordance with the shared responsibility model. Ensure, therefore, that it is clear to you, per service, what the CSP does and what you have to do yourself.
2) Divide and conquer
Breaking up monolithic applications into so-called microservices facilitates the intermediate improvement of a service and lessens the impact if the application is not available. This architectural concept can also be applied to security within the Public Cloud. Are you going to put all the data at a location with an access policy to all, or will you opt for a granular setup? Will you apply a minimal access policy to each file or folder? Consider this well in advance in order to substantially limit the impact of an unexpected data breach. The fact that each security-related architectural choice also comes at a cost is something to consider as well.
As compliance is context dependent, each type of application or sector, for example, will have to meet different requirements. In this regard, be sure to list the compliance requirements that apply to your organisation, check which CSP services you wish to use to achieve your objectives and compare the one with the other.
Make a deliberate choice to fully automate security and compliance and include this in your “Cloud First” strategy. “Infra as code” offers significant advantages, such as cost savings, reduced error-proneness and a higher level of security and compliance. It becomes easier, faster and therefore cheaper to go through audits, and it enables faster and testable change and configuration management.
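The granular, least-privilege setup from “Divide and conquer” and the automated compliance checking from the “Infra as code” point can be combined as policy-as-code: every infrastructure definition is evaluated against the organisation’s compliance rules before it is deployed. The following is an added example, not code from the original article or from any CSP; the infrastructure schema (`storage`, `public`, `encryption`, `acl`) and the sample containers are constructed assumptions, not a real provider format.

```python
"""Policy-as-code check over a constructed infra-as-code definition.

Assumed (hypothetical) schema: infra["storage"] maps container name ->
{"public": bool, "encryption": str, "acl": {principal: [permissions]}}.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    resource: str   # which container violates the rule
    rule: str       # compliance rule identifier
    detail: str     # human-readable explanation for the audit trail


# Constructed sample: one container set up granularly, one "everything for
# everyone" container that would break several rules at once.
SAMPLE_INFRA = {
    "storage": {
        "hr-records": {
            "public": False,
            "encryption": "customer-managed-key",
            "acl": {"group:hr-admins": ["read", "write"], "svc:payroll": ["read"]},
        },
        "shared-dump": {
            "public": True,
            "encryption": "none",
            "acl": {"group:all-staff": ["read", "write", "delete"]},
        },
    }
}

WRITE_LIKE = {"write", "delete"}


def evaluate(infra: dict) -> list:
    """Return every rule violation found; an empty list means compliant."""
    findings = []
    for name, cfg in infra.get("storage", {}).items():
        if cfg.get("public", False):
            findings.append(Finding(name, "no-public-access", "container is publicly readable"))
        if cfg.get("encryption", "none") == "none":
            findings.append(Finding(name, "encryption-at-rest", "data is stored unencrypted"))
        for principal, perms in cfg.get("acl", {}).items():
            excess = WRITE_LIKE & set(perms)
            # Broad "all-*" groups may read at most; write/delete must be granular.
            if principal.startswith("group:all-") and excess:
                findings.append(Finding(name, "least-privilege",
                                        f"{principal} holds {sorted(excess)}"))
    return findings


def is_compliant(infra: dict) -> bool:
    """Gate for a deployment pipeline: deploy only when no findings remain."""
    return not evaluate(infra)
```

Running `evaluate(SAMPLE_INFRA)` in a pipeline step and failing the build on any finding is what turns a compliance list into a testable, repeatable control.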
5) Security Guidelines
Cloud Service Providers offer a wide range of security services that will unburden you where information security is concerned. This is by no means a static whole: developments rapidly succeed each other and best practices are updated on a regular basis. Ensure that you continuously keep abreast of this knowledge, which brings us to the following point: training.
Security and compliance are specialities that, when insufficiently controlled, can have a negative impact on the quality of information security and on long-term costs. Making the choice that best suits the objectives of your organisation, time and time again, demands the required technical knowledge and experience. Keeping that knowledge up to date is therefore essential, not only from a security or compliance perspective but also from a cost perspective: every innovation could save money, or reveal that the previously chosen approach and tools have suddenly become considerably more expensive. A continuous investment in this knowledge and expertise is essential.
7) Security Awareness
In addition to the more technical knowledge and experience to ensure a good design and smooth implementation, there are the employees or clients that use the systems. Each organisation will benefit from employees who know how to work safely in the Public Cloud, who are aware of the risks and who know how to act if something still goes wrong unexpectedly. This is why you should invest in the education of your employees by, for example, conducting so-called phishing tests and exploring effective and accessible training modules that can be adapted to the needs of your organisation.
As safe as the strictest client
Maintaining a high level of expertise while keeping up with the fast developments makes information security a complex affair for many organisations. If this is the case, it may be more attractive to outsource this to a reliable and experienced partner instead of setting it all up and innovating in-house. A Managed Service Provider (MSP) with security as its key task accumulates many years of experience and continues to learn and renew. The big added advantage here is that the portfolio of various MSP clients enables the organisation to hitch a ride on the best practices: an MSP is as safe as its strictest client.