Things to Consider Before Adopting Cloud Technology

Due diligence

To return to the analogy, do you trust the hire car company? To get the hire car, you need to pass over a lot of personal information, including driving license details. You then rely on the company to control access to its copy of the car key, and trust that the car is mechanically sound and hasn’t been stolen.

So, it is very sensible to research a cloud provider’s background and security. If, after this ’due diligence’, you can’t trust them to handle your data, don’t use them. Depending on the nature of your data and your risk appetite, this may be a reasonable decision, provided it is evidence-based and rational.

This research will also show how this cloud provider divides security responsibilities between the customer and themselves (called the ’shared responsibility model’). While they are all broadly similar — for example, access control is under the control of the customer, whereas physical security of the data centre is under the control of the cloud provider - each provider differs slightly in the details.

Less Control, More Security?

Having control of a computer is (sadly!) not the same as securing it and recognising that another company may be able to help is the first step toward changing attitudes and embracing cloud computing.

Having done your due diligence check you will have to trust your provider, but as/when you make the move across this trust will be rewarded with the many security benefits of cloud: patching, logging & monitoring, DDoS protection, easily duplicating systems across multiple regions, and so on.

Commodity computing

When moving a system to the cloud, there are big gains to be made by redesigning it to take full advantage of the features on offer. Both managed services and serverless functions pass much of the maintenance burden, including the security burden, to the cloud provider.

Commodity servers can be patched by replacing them with a new server that’s already patched. This is simpler and easier to test than trying to patch a running server. Think of the hire car analogy again: if a hire car develops a fault, they replace it rather than trying to fix it.

Cloud providers often have early access to vulnerability information, so they can patch a vulnerability before it’s publicly announced. They publish the details of many of their security procedures to reassure their customers. It is worthwhile reading these if you have doubts.

You would need to match the security of a cloud provider merely to keep pace with the risk. Fail to do so, and you are more likely to suffer a catastrophe than the provider.

Data security

When bringing in any cloud solution you should first concentrate your security effort on making sure that your data is secure. In our experience, data breaches in the cloud mostly come from the customer failing to protect their own data. Leaving your data insecure and hoping no-one will find it is like leaving the car unlocked and hoping no-one will steal it.

Our recent blog endorses the message that using the cloud securely & protecting your data should always be your primary concern - not the underlying security of the public cloud.

The NCSC will be joining in our upcoming webinar, ’Is the cloud really secure?’. You can sign up here!