What to think about when moving to the cloud

Industry leaders offer insights on cloud security, compliance concerns, dealing with legacy systems, and more

Well, it's 2016, and a few years ago Gartner reported that "By 2016, poor return on equity will drive more than 60 percent of banks worldwide to process the majority of their transactions in the cloud."

Enterprises across all sectors are either in the cloud, transitioning to the cloud, or thinking about making the idea of cloud a reality.

For those who are preparing to make the move, there are a variety of concerns to consider and plan for in order to make for a smooth transition. In addition to deciding on the right cloud provider and whether to go with a private or a public cloud, CISOs also need to think about implementing solutions for controls on access, encryption, legal and compliance issues.

Russell Stern, CEO of Solarflare, said that many financial institutions are building private clouds because they buy so many computers that going to Amazon or Microsoft doesn’t save them any money.

Of greater concern than cost, though, is putting client data out into a public cloud. "The security of that has not been solved. A lot of companies talk about hybrid cloud, and they can put the less sensitive data in the public cloud infrastructure," Stern said.

Whether they choose public or private clouds, the decision to move to a cloud must be centered around security. "We are being attacked so hard from nation states that the public cloud is not sufficient in security for the kind of protection these institutions need. With the public cloud, they are not exactly sure where it is," Stern said.

Many agree that the public cloud environment has too many unknowns, especially for those enterprises that have to worry about compliance issues. For financial institutions, "The biggest concern is having a third party, which doesn’t have to be an outsider, capture your transactions in a place that is separate from the environment running the application so that you can forensically look backwards," Stern said.

Another question that should be considered before making the idea of cloud a reality is whether the cloud is a better alternative to the current IT system infrastructure. If the answer is yes, the question to follow should be how organizations can integrate their current systems with the cloud.

For most legacy systems, cloud is a worse alternative, Stern said. "For modern applications, moving into cloud is easier. But there are companies that have five to 10,000 legacy applications that were written 20+ years ago."

In either a private or a public cloud, they need applications to behave a certain way. Unfortunately, it's not always possible to move legacy applications. A workaround that will require change over a long period, said Stern, is to put what they can in their private or public cloud until they are able to examine which applications are worth rewriting.

Before making the move to the cloud, Alex Hamerstone, GRC practice lead at TrustedSec, said, "Settle on a definition of what the cloud is. It’s really just someone else’s computer. A computer that’s not yours. You should know why you are moving to the cloud. What are the advantages? Is it cost or that it is easier to maintain?"

While cost is often cited as a reason for making the move to the cloud, for larger enterprises the cost of protecting all of their users can actually increase.

Gunter Ollmann, CSO at Vectra Networks, said, "Instead of buying hardware and appliances with a three-to-five-year depreciation lifecycle, they are buying a service. They are now paying, typically, based around number of servers or users being protected. Their security spend can change drastically in Capex and Opex."


For example, if they want to firewall their organization today, they could buy a $15,000 firewall and deploy it. "They don’t care about how many users they have in their environment. When you shift to cloud, firewall spend will be based on the number of users using the cloud. The number of users protected will change the cost considerably," Ollmann said.

Contracts are extremely important, and they should understand the service-level agreement and be aware of any financial considerations if the provider fails to meet the SLA. "Someone once told me, it doesn’t matter who’s liable, it matters who is collectable," Hamerstone said.

Where is the data located?

Enterprises also should be asking exactly where, physically, their data is going to be located. "That can affect your regulatory requirements. It's definitely a red flag if the providers don’t know. They should have assurance that it's in a certain facility or area," said Hamerstone.

More providers are able to give those assurances: because laws and regulations are complex, data centers are being erected in different regions across the globe to provide cloud services locally. "EU countries don’t want their data leaving the EU, so it is easier to set up a data center in the EU," said Hamerstone.

An established provider, said Hamerstone, has already addressed the security questions that worried security practitioners a few years ago. "They will be able to tell you what types of security controls they have in place. Ask them if you are being hosted on your own instance so that you're not hosted in the same cloud as three other companies. That way, you can’t access someone else's data and they can’t access yours."

In terms of security controls, they should treat the cloud as they do the server down the hall, Hamerstone said, "If you have to encrypt in the server down the hall, it has to be encrypted in the cloud."

One glitch to look out for, though, is licensing agreements. "Software companies will often make more money off of fines for having stuff in the wrong place. If you are moving the application, make sure you are moving the license as well," Hamerstone said.

Organizations making the transition will also need the same classes of security technology they have employed inside their own infrastructure, whether intrusion detection or data leakage prevention; they now require virtual versions of those tools deployed in the cloud.

"They should ensure they still have the same technology and visibility of their traffic. Some will find they need to look at alternative vendors for their cloud security. Many traditional vendors do have some virtual appliances, but in general many of the newer security companies have focused on cloud and have much more mature security cloud-based products," Ollmann said.

Many enterprises still have reservations about moving to the cloud because they fear a loss of control in the virtual world. In reality, though, the cloud does exist in some physical space. The notion that physical security no longer needs to be worried about is, according to Ollmann, a blind spot in cloud deployments.

"They are still on a physical infrastructure and the physical infrastructure needs to be secured. It's difficult to monitor the physical security of a cloud provider to detect vulnerabilities that are within the physical infrastructure," said Ollmann.

Enterprises should ask about security assurances in both the virtual and physical places where their data is stored, to avoid the risks of these not-so-well-known blind spots.

Stories by Kacy Zurkus
