Security in the Public Cloud: Finding what is right for you

Security concerns in the cloud pop up every now and then, especially when there has been a public breach of some sort. What many businesses still don't realise is that the public cloud is a shared responsibility, from both the cloud provider and customer. Unfortunately, 99% of these breaches are down to the customer, not the cloud provider. Some of these cases are due simply to the customer not having the competences in building a secure service in the public cloud.

Cloud comes in many shapes and sizes

• Public cloud platforms like AWS, Azure and GCP
• Medium cloud players
• Local hosting provider offerings
• SaaS providers of variable capabilities and services: From Office 365 to Dropbox

However, if the alternative is to use your own datacenter, the data center of a local provider, or a SaaS service, it's worth building a pros and cons table and making a selection after that.

Own data centre	Local hosting provider	Public cloud
Most responsibility Competence varies Variable processes Large costs However - Most choice in tech	A lot of responsibility Competence varies Variable processes Large costs - Some choice in tech	Least responsibility Proven competence & investment Fully automated with APIs Consumption-based -Least amount of choice in tech

Lack of competence is typical when a business ventures into the public cloud on their own, without a partner with expertise. Luckily:

• Nordcloud has the most relevant certifications on all of the major cloud platforms
• Nordcloud is ISO/IEC 27001 certified to ensure our own services security is appropriately addressed
• Typically Nordcloud builds and operates customer environments to meet customer policies, guidelines and requirements

Security responsibilities shift towards the platform provider the more high value services like IaaS, PaaS, SaaS are used. All major public cloud platform providers have proven security practices with many certifications such as:

• ISO/IEC 27001:2013 27013, 27017:2015
• PCI-DSS
• SOC 1-3
• FIPS 140-2
• HIPAA
• NIST

Gain the full benefits of the public cloud

The more cloud capacity shifts towards the SaaS end of the offering, the less the business needs to build the controls on their own. However, existing applications are not built for the public cloud and therefore if the application is migrated to the public cloud as it is, similar controls need to be migrated too. Here's another opportunity to build pros & cons table: Applications considered for public cloud migration 'as is', vs app modernisation.

'As is' migration	Modernise
Less benefit of cloud platform IT-driven BUT You start the cloud journey early Larger portfolio migration Time to decommission old infra is fast	Slower decommissioning Individual modernisations BUT You can start you cloud-native journey Use DevOps with improved productivity You have the most benefit from using cloud platforms

Another suggestion would be to draw out a priority table of your applications so that you gain the full benefits of the public cloud. In any case, the baseline security, architecture, cloud platform services need to be created to fulfil requirements in the company security policies, guidelines and instructions. For example:

• Appropriate access controls to data
• Appropriate encryption controls based on policy/guideline statements matching the classification
• Appropriate baseline security services, such as application level firewalls and intrusion detection and prevention services
• Security Information and Event Management solution (SIEM)

The areas listed above should be placed into a roadmap or project with strong ownership to ensure that the platform evolves to meet the demands of applications at various stages in their cloud journey. Once the organisation and governance are in place, the application and cloud platform roadmaps can be aligned for smooth sailing into the cloud where appropriate, and the cloud-native security controls and services are available. Nordcloud's cloud experts would be able to help you and your business out here. Find out how Nordcloud helped Unidays become more confident in the security and scalability of their platform.