Insights
INSIGHTS
All Topics
Things to Consider Before Adopting Cloud Technology
22 Jul 2020by Cub Llewelyn Davies
Experts from the NCSC provide a new way of approaching the decision to move towards cloud-based technology
One of the questions we’ve most frequently been asked in recent months is whether or not cloud-based technology is secure. As more and more charities move to cloud-based solutions, this question becomes more pressing. But is it the right question?
If you are considering moving your charity over to using cloud-based IT solutions, the big security concern is not whether the cloud itself is secure, but rather ensuring that it will be used securely within your charity.
Buy or Hire?
It can be helpful to think about the ongoing “in-house IT versus cloud IT” debate in terms of ‘buying cars versus hiring cars’. Here’s why:
- We use both types of car for broadly similar reasons: going from A to B
- We personalise our own cars. We sometimes customise them too. We may name them. We change them reluctantly. We pay a high upfront cost and then pay for regular maintenance
- We choose hire cars based on broad categories (for example, how much space they provide, and whether they’re manual or automatic). The car that we’re given is a commodity, from a pool of similar vehicles, and the hire car company maintains it for us. If our requirements change, we get a new one from the car hire company. We pay while we have access to the hire car, but not when we don’t need it and it’s been returned to the company
- With both private and hire cars, we’re responsible for parking safely and locking the doors
No analogy is perfect, but the key to thinking about the cloud is that it is rentable computing power. Being rentable, the cloud comes with restrictions, but it allows easy scaling to suit demand, and much of the computer support is outsourced to the cloud provider.
As with the need to lock a hire car and look after the keys, we need to secure our code and data in the cloud. The commodity computing aspect can be turned into an advantage with the right security model.
Related Articles
Due diligence
To return to the analogy, do you trust the hire car company? To get the hire car, you need to pass over a lot of personal information, including driving license details. You then rely on the company to control access to its copy of the car key, and trust that the car is mechanically sound and hasn’t been stolen.
So, it is very sensible to research a cloud provider’s background and security. If, after this ’due diligence’, you can’t trust them to handle your data, don’t use them. Depending on the nature of your data and your risk appetite, this may be a reasonable decision, provided it is evidence-based and rational.
This research will also show how this cloud provider divides security responsibilities between the customer and themselves (called the ’shared responsibility model’). While they are all broadly similar — for example, access control is under the control of the customer, whereas physical security of the data centre is under the control of the cloud provider - each provider differs slightly in the details.
Less Control, More Security?
Having control of a computer is (sadly!) not the same as securing it and recognising that another company may be able to help is the first step toward changing attitudes and embracing cloud computing.
Having done your due diligence check you will have to trust your provider, but as/when you make the move across this trust will be rewarded with the many security benefits of cloud: patching, logging & monitoring, DDoS protection, easily duplicating systems across multiple regions, and so on.
Commodity computing
When moving a system to the cloud, there are big gains to be made by redesigning it to take full advantage of the features on offer. Both managed services and serverless functions pass much of the maintenance burden, including the security burden, to the cloud provider.
Commodity servers can be patched by replacing them with a new server that’s already patched. This is simpler and easier to test than trying to patch a running server. Think of the hire car analogy again: if a hire car develops a fault, they replace it rather than trying to fix it.
Cloud providers often have early access to vulnerability information, so they can patch a vulnerability before it’s publicly announced. They publish the details of many of their security procedures to reassure their customers. It is worthwhile reading these if you have doubts.
You would need to match the security of a cloud provider merely to keep pace with the risk. Fail to do so, and you are more likely to suffer a catastrophe than the provider.
Data security
When bringing in any cloud solution you should first concentrate your security effort on making sure that your data is secure. In our experience, data breaches in the cloud mostly come from the customer failing to protect their own data. Leaving your data insecure and hoping no-one will find it is like leaving the car unlocked and hoping no-one will steal it.
Our recent blog endorses the message that using the cloud securely & protecting your data should always be your primary concern - not the underlying security of the public cloud.
The NCSC will be joining in our upcoming webinar, ’Is the cloud really secure?’. You can sign up here!
More on this topic
Recommended Products
Our Events
Digital Fundraising Summit 2024
For the sixth year in a row, we're bringing back an action-packed event filled with Digital Fundraising insights from the charity and tech sectors. Join us on 7th October 2024 for a free, one-day online event featuring informative webinars and interactive workshops.
© 2022 Charity Digital Trust. All rights reserved
We use cookies so we can provide you with the best online experience. By continuing to browse this site you are agreeing to our use of cookies. Click on the banner to find out more.
