Transitioning to cloud-based infrastructure marks a fundamental change for any business. What are the implications on information security? Is cloud infrastructure more secure than its conventional counterpart with on‑site servers that are built and managed by company personnel?
“Security is about processes, not just technologies,” says Dominique Derrier, Chief Information Security Officer at NOVIPRO. “And no matter what approach you choose, you need to implement best practices.” Cloud computing can make it easier for companies to balance risk and protective measures.
Unwarranted fears
Business leaders and IT managers are wary of cloud solutions, believing that they’re less secure. “People are naturally afraid of what they can’t see,” explains Derrier. “Especially since the 2013 Snowden affair, when a US National Security Agency consultant stole secret documents explaining how cloud access points work.”
Business decision-makers worry that if servers are kept on sites that aren’t their own, they’ll be more vulnerable to espionage attempts. This has prompted cloud service providers to double down on eliminating this risk. Paradoxically, some specialists believe that cloud solutions are more secure, not to mention the fact that they allow companies to focus on their core business and continuous improvement.
But partnering with a cloud provider doesn’t let your company off the hook. “With the cloud, security is a shared responsibility,” emphasizes NOVIPRO’S CISO. “Ultimately, you’re responsible for protecting the data you collect, no matter where the service is located.”
Proven security protocols
Cloud computing makes it easier to adopt basic security best practices, both at the time of implementation and going forward. That’s because all the right tools are available. Beyond that, Derrier explains that you essentially have three possible courses of action. “You can cross your fingers and hope for the best, you can try to do everything on your own, or you can partner with an external firm to manage the infrastructure so that your team can focus on data protection.”
In many cases, however, the second choice is hardly more viable than the first. Some of 2020’s worst security breaches capitalized on poorly configured cloud environments with vulnerabilities that the companies didn’t fully understand. A cloud computing best practice is to treat IT as a service and automate the deployment of new versions in a way that’s transparent for users and minimizes the risk of human error in the configuration.
Cloud computing allows for native application monitoring in client environments and mutation detection in production environments. That said, all parties have to remain vigilant. “If the president’s password is just eight characters long, hackers will have no problem accessing her emails,” explains Derrier. “That’s why you need to implement every possible protection, regardless of the platform on which the data is hosted.”
Balancing security and costs
There are many factors to consider in order to strike the right balance with security. For example, it can be hard to predict how transitioning to the cloud will affect your operating costs. “If you just swap a local server for an outsourced server, cloud computing will cost you more,” Derrier admits.
But the added flexibility it provides can offset that cost. Cloud services are often billed on a pay-per-use basis, allowing businesses to increase or reduce capacity quickly and as needed. You can even cut it altogether if an unforeseen event—like a pandemic—disrupts the economy. But most importantly, outsourcing your infrastructure gives you access to expensive and hard-to-find expertise. “If you do business with a cloud provider, you don’t have to pay for related certifications. The supplier will divide the cost among their thousands of clients,” says Derrier.
Data sovereignty
Data sovereignty is another thorny issue, especially for companies looking to expand into jurisdictions that require access to personal data for political or national security purposes. Derrier confirms that it’s complicated. “The biggest suppliers are Chinese and American. But if you want to do business in China or Russia, you have to use local suppliers. Also, should Canadian government data be stored in the US?”
Ultimately, you need to accept the risks associated with your data storage decisions on proximity to users and location. If the data can’t leave the country, you’ll need to find an alternate solution.
However, Derrier believes the chances of being trapped within a cloud provider’s ecosystem are overestimated. “The change isn’t neutral, but most barriers are design issues, not technology ones.” Most vendors offer similar features. While not identical, they’re relatively interoperable, which makes transitions easier. He concludes by pointing out: “If you develop an application that’s too vendor-specific and doesn't meet accepted standards, you obviously won’t get as much flexibility.”