Experts from the NCSC provide a new way of approaching the decision to move towards cloud-based technology
One of the questions we’ve most frequently been asked in recent months is whether or not cloud-based technology is secure. As more and more charities move to cloud-based solutions, this question becomes more pressing. But is it the right question?
If you are considering moving your charity over to using cloud-based IT solutions, the big security concern is not whether the cloud itself is secure, but rather ensuring that it will be used securely within your charity.
It can be helpful to think about the ongoing “in-house IT versus cloud IT” debate in terms of ‘buying cars versus hiring cars’. Here’s why:
No analogy is perfect, but the key to thinking about the cloud is that it is rentable computing power. Being rentable, the cloud comes with restrictions, but it allows easy scaling to suit demand, and much of the computer support is outsourced to the cloud provider.
As with the need to lock a hire car and look after the keys, we need to secure our code and data in the cloud. The commodity computing aspect can be turned into an advantage with the right security model.
To return to the analogy, do you trust the hire car company? To get the hire car, you need to pass over a lot of personal information, including driving license details. You then rely on the company to control access to its copy of the car key, and trust that the car is mechanically sound and hasn’t been stolen.
So, it is very sensible to research a cloud provider’s background and security. If, after this ’due diligence’, you can’t trust them to handle your data, don’t use them. Depending on the nature of your data and your risk appetite, this may be a reasonable decision, provided it is evidence-based and rational.
This research will also show how this cloud provider divides security responsibilities between the customer and themselves (called the ’shared responsibility model’). While they are all broadly similar — for example, access control is under the control of the customer, whereas physical security of the data centre is under the control of the cloud provider - each provider differs slightly in the details.
Having control of a computer is (sadly!) not the same as securing it and recognising that another company may be able to help is the first step toward changing attitudes and embracing cloud computing.
Having done your due diligence check you will have to trust your provider, but as/when you make the move across this trust will be rewarded with the many security benefits of cloud: patching, logging & monitoring, DDoS protection, easily duplicating systems across multiple regions, and so on.
When moving a system to the cloud, there are big gains to be made by redesigning it to take full advantage of the features on offer. Both managed services and serverless functions pass much of the maintenance burden, including the security burden, to the cloud provider.
Commodity servers can be patched by replacing them with a new server that’s already patched. This is simpler and easier to test than trying to patch a running server. Think of the hire car analogy again: if a hire car develops a fault, they replace it rather than trying to fix it.
Cloud providers often have early access to vulnerability information, so they can patch a vulnerability before it’s publicly announced. They publish the details of many of their security procedures to reassure their customers. It is worthwhile reading these if you have doubts.
You would need to match the security of a cloud provider merely to keep pace with the risk. Fail to do so, and you are more likely to suffer a catastrophe than the provider.
When bringing in any cloud solution you should first concentrate your security effort on making sure that your data is secure. In our experience, data breaches in the cloud mostly come from the customer failing to protect their own data. Leaving your data insecure and hoping no-one will find it is like leaving the car unlocked and hoping no-one will steal it.
Our recent blog endorses the message that using the cloud securely & protecting your data should always be your primary concern - not the underlying security of the public cloud.