Security In The Public Cloud: Finding What Is Right For You

Security concerns about the cloud resurface every time there is a public breach of some sort. What many businesses still don’t realise is that security in the public cloud is a shared responsibility between the cloud provider and the customer: the provider secures the underlying platform, the customer secures what it builds and configures on top of it. The overwhelming majority of these breaches (analyst estimates commonly put the figure at 99%) are down to the customer’s side of that line, typically a misconfiguration, not to a failure at the cloud provider. Some of these cases come down simply to the customer lacking the competence to build a secure service in the public cloud.

Cloud Comes In Many Shapes And Sizes

  • Public cloud platforms like AWS, Azure and GCP
  • Mid-sized cloud providers
  • Local hosting provider offerings
  • SaaS providers of variable capabilities and services: From Office 365 to Dropbox

If the choice is between your own data centre, a local hosting provider’s data centre and the public cloud, it is worth building a pros and cons table and making the selection from that:

Own data centre
  • Most responsibility
  • Competence varies
  • Variable processes
  • Large costs
  However: the most choice in technology

Local hosting provider
  • A lot of responsibility
  • Competence varies
  • Variable processes
  • Large costs
  However: some choice in technology

Public cloud
  • Least responsibility
  • Proven competence and investment
  • Fully automated with APIs
  • Consumption-based pricing
  However: the least choice in technology

Lack of competence is typical when a business ventures into the public cloud on their own, without a partner with expertise. Luckily:

  • Nordcloud has the most relevant certifications on all of the major cloud platforms
  • Nordcloud is ISO/IEC 27001 certified, so the security of our own services is appropriately addressed
  • Typically Nordcloud builds and operates customer environments to meet customer policies, guidelines and requirements

Security responsibilities shift towards the platform provider the further up the stack you go, from IaaS through PaaS to SaaS: with IaaS you still patch and harden the operating system, with SaaS you are left with identity, access and data handling. All major public cloud platform providers have proven security practices, backed by certifications, attestations and compliance programmes such as:

  • ISO/IEC 27001:2013, ISO/IEC 27013, ISO/IEC 27017:2015
  • PCI DSS
  • SOC 1, SOC 2 and SOC 3 reports
  • FIPS 140-2 validated cryptographic modules
  • HIPAA
  • NIST frameworks

These cover the provider’s side of the shared responsibility line only: they say nothing about whether what you deploy on top of the platform is configured securely, and a provider’s PCI DSS or HIPAA attestation does not make your workload compliant.

Gain The Full Benefits Of The Public Cloud

The further cloud capacity shifts towards the SaaS end of the offering, the fewer controls the business has to build on its own. However, most existing applications were not built for the public cloud, so if an application is migrated to the public cloud as it is, the controls it relied on in the data centre (network segmentation, host hardening, patching, monitoring) need to be migrated or re-implemented too. Here is another opportunity to build a pros and cons table: applications considered for public cloud migration ‘as is’ versus application modernisation:

‘As is’ migration
  • Less benefit from the cloud platform
  • IT-driven
  But:
  • You start the cloud journey early
  • A larger portfolio can be migrated
  • Old infrastructure can be decommissioned quickly

Modernise
  • Slower decommissioning of old infrastructure
  • Modernisation is done application by application
  But:
  • You start your cloud-native journey
  • You can use DevOps with improved productivity
  • You get the most benefit from the cloud platform

Another suggestion would be to draw out a priority table of your applications so that you gain the full benefits of the public cloud.

In any case, the baseline security architecture and cloud platform services need to be created to fulfil the requirements in the company’s security policies, guidelines and instructions. For example:

  • Appropriate access controls to data (least privilege, no anonymous or wildcard access)
  • Appropriate encryption controls, at rest and in transit, based on the policy or guideline statements that match the data classification
  • Appropriate baseline security services, such as application-level firewalls (WAF) and intrusion detection and prevention services
  • A Security Information and Event Management (SIEM) solution fed by the platform’s audit logs
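As an added example (not code from the original post) of turning the first two bullets into an automatable check, the Python below evaluates an S3 bucket’s configuration against a small baseline: no Allow statement to a wildcard principal, all four public-access-block flags on, default encryption that meets the bucket’s data classification, and an explicit Deny of non-TLS requests. The two bucket configurations are constructed to follow the shape of the responses boto3’s get_bucket_policy, get_bucket_encryption and get_public_access_block calls return, so nothing here talks to AWS; the classification table, the bucket and role names and the account ID 123456789012 are assumptions for the illustration.

```python
"""Offline baseline check for an S3 bucket's access and encryption controls.

Added example, not code from the original post. The input dicts mimic the
shape of boto3's get_bucket_policy (policy document), get_bucket_encryption
and get_public_access_block responses. The classification table is an
assumed company policy, not an AWS or Nordcloud standard.
"""

# Assumed policy: which server-side encryption algorithms each data
# classification may use at rest. "confidential" must use KMS-managed keys.
REQUIRED_SSE = {
    "public": {"AES256", "aws:kms"},
    "internal": {"AES256", "aws:kms"},
    "confidential": {"aws:kms"},
}
PUBLIC_ACCESS_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
                       "BlockPublicPolicy", "RestrictPublicBuckets")


def _statements(policy_doc):
    stmts = policy_doc.get("Statement", [])
    return stmts if isinstance(stmts, list) else [stmts]


def _is_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (anyone, including anonymous)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def _denies_insecure_transport(stmt):
    """True for a Deny statement conditioned on aws:SecureTransport = false."""
    if stmt.get("Effect") != "Deny":
        return False
    cond = stmt.get("Condition", {}).get("Bool", {})
    return str(cond.get("aws:SecureTransport", "")).lower() == "false"


def check_bucket(name, classification, policy_doc, encryption, public_access_block):
    """Return a list of (severity, message) findings; an empty list means compliant."""
    findings = []
    stmts = _statements(policy_doc)

    # Access control: no Allow to everyone, and every public-access-block flag on.
    for s in stmts:
        if s.get("Effect") == "Allow" and _is_wildcard_principal(s.get("Principal")):
            findings.append(("HIGH", f"{name}: Allow to wildcard principal in statement {s.get('Sid', '?')}"))
    pab = public_access_block.get("PublicAccessBlockConfiguration", {})
    for flag in PUBLIC_ACCESS_FLAGS:
        if not pab.get(flag, False):
            findings.append(("HIGH", f"{name}: public access block flag {flag} is off"))

    # Encryption at rest: a default SSE rule must exist and match the classification.
    rules = encryption.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    algos = {r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules} - {None}
    allowed = REQUIRED_SSE[classification]
    if not algos:
        findings.append(("HIGH", f"{name}: no default encryption configured"))
    elif not algos <= allowed:
        findings.append(("MEDIUM", f"{name}: SSE {sorted(algos)} does not meet the {classification} requirement {sorted(allowed)}"))

    # Encryption in transit: an explicit Deny when the request is not over TLS.
    if not any(_denies_insecure_transport(s) for s in stmts):
        findings.append(("MEDIUM", f"{name}: no Deny for non-TLS (aws:SecureTransport=false) requests"))
    return findings


# Constructed sample configurations (account ID, role and bucket names are made up).
WEAK = {
    "policy": {"Version": "2012-10-17", "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-weak/*"}]},
    "encryption": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
    "pab": {"PublicAccessBlockConfiguration": {
        "BlockPublicAcls": True, "IgnorePublicAcls": True,
        "BlockPublicPolicy": False, "RestrictPublicBuckets": False}},
}
HARDENED = {
    "policy": {"Version": "2012-10-17", "Statement": [
        {"Sid": "AppRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-hard/*"},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-hard", "arn:aws:s3:::example-hard/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]},
    "encryption": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "alias/example-confidential"}}]}},
    "pab": {"PublicAccessBlockConfiguration": {
        "BlockPublicAcls": True, "IgnorePublicAcls": True,
        "BlockPublicPolicy": True, "RestrictPublicBuckets": True}},
}


def check_sample(sample, name, classification="confidential"):
    """Run check_bucket over one of the constructed samples."""
    return check_bucket(name, classification, sample["policy"], sample["encryption"], sample["pab"])


if __name__ == "__main__":
    for label, sample in (("example-weak", WEAK), ("example-hard", HARDENED)):
        for severity, msg in check_sample(sample, label) or [("OK", f"{label}: compliant")]:
            print(severity, msg)
```

In a real environment the same function is fed from the three boto3 calls for every bucket in the account, and the findings go to the SIEM named in the last bullet; the point of encoding the policy as data (REQUIRED_SSE) is that the classification-to-encryption mapping is reviewed once, by the people who own the policy, rather than re-decided in every project.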

The areas listed above should be placed into a roadmap or project with strong ownership to ensure that the platform evolves to meet the demands of applications at various stages in their cloud journey. Once the organisation and governance are in place, the application and cloud platform roadmaps can be aligned for smooth sailing into the cloud where appropriate, and the cloud-native security controls and services are available. Nordcloud’s cloud experts would be able to help you and your business out here.

Find out how Nordcloud helped Unidays become more confident in the security and scalability of their platform.

Predicting IT incidents in Financial Services

    As we’ve mentioned in previous blogs, one of the UK’s biggest banks, TSB, learnt the hard way earlier this year when it came to protecting their highly valuable systems from IT failures. The BBC coined the term ‘technology meltdown’ after 2 million customers of the bank lost access to their online banking services. Since then, a second ‘meltdown’ has occurred, and TSB’s CEO has stepped down.

     

    Banks have been slow to move legacy systems to cloud

    Banks and FSIs around the world have been slow to modernise infrastructure and move legacy systems to the cloud. The complexities of moving large amounts of sensitive data, constantly changing market dynamics, and the need to shift company culture (for instance towards a more agile way of working) add up to redesigning an entire industry. The problem is that this failure to move forward has proved costly, and regulators have imposed large and easily preventable fines on FSIs.

    Anuj Saxena, Head of FSI at Nordcloud, wrote in his blog that financial institutions often plan for highly available service operations and don’t consider potential failures. But one of the ways these businesses can improve their operational resilience is implementing automated tools and processes in order to recover from these potential incidents. Engaging with a Managed Cloud Services provider is the start of the solution.

     

    Planning for failure by implementing a well-oiled machine

    At the risk of sounding negative, planning for failure is the key to keeping systems up and running. A DevOps function like the team at Nordcloud, with experience in automating the end-to-end deployment, operation and recovery of cloud infrastructure, gives you flexibility and room to innovate, and writing runbooks and playbooks gives the teams a standard to compare against and meet.

    FSIs need to become operationally resilient so they are not held back when an incident happens. A ‘well-oiled machine’ that can respond to incidents quickly and with agility will improve this resilience.

     

    But what’s the point of having this ‘holy-grail’ of automation unless you have someone who knows how to manage it?

     

    A dedicated Managed Services Provider

    Cloud experts within Nordcloud have experience in knowing what to monitor & what thresholds to configure out of the box, ensuring that problems are identified earlier and solved quicker.

    Our team uses an adaptive (outlier detection based), automated full-stack monitoring and instrumentation platform to give a 360-degree view of a business’s infrastructure, so that potential issues are identified and resolved before they affect customers. Automated response means reactions are faster and the scope for human error is much reduced. In the same sense, developing a comprehensive runbook promotes standardised operating procedures that can be used repeatedly, allowing you to move to market faster.

    Businesses should also organise regular ‘Game Days’ where failure is simulated, and runbooks and playbooks are tested to ensure that in the event of failure, response and resolution is well rehearsed and therefore fast. Nordcloud’s team of experts can manage this and other day to day operations, helping our customers meet the regulatory compliance they require.

    IT time is valuable and generally scarce and your department should be focussed on projects that improve your company’s bottom line. FSIs who engage with Managed Cloud Service providers will be able to save sizeable amounts of money on potentially avoidable fines, and in the meantime make sure their customers’ online experience is not affected.  

    Realise all the benefits the public cloud has to offer FSI

     

    Cloud computing is on the rise in the financial services – are you ready?

    Download our free white paper Compliance in the cloud: How to embrace the cloud with confidence, where we outline some of the many benefits that the cloud can offer, such as:

    • Lowered costs
    • Scalability and agility
    • Better customer insights
    • Tighter security

Container security: How to differ from the traditional

        Containerisation in the industry is rapidly evolving

         

        No, not shipping containers, but cloud containers. Many Fortune 500 organisations use containers because they provide portability, simple scalability, and isolation. For a long time containers were a Linux-only technology, but this has since changed: Microsoft now supports Windows-based containers on Windows Server 2016, running on Server Core or Nano Server. Yet even with many organisations using containers, we still see a lot of them reverting to the way security was done for traditional VMs.

         

        If you already know anything about containers, then you probably know about Kubernetes, Docker, Mesos and CoreOS. The security measures still need to be carried out in any of them, so this is always a good topic for discussion.

         

         

        Hardened container image security

        Hardened container image security comes to mind first, because of how the image is deployed and if there are any vulnerabilities in the base image. A best practice would be to create a custom container image so that your organization knows exactly what is being deployed.

        Developers or software vendors should know every library installed in the image and the known vulnerabilities of those libraries. There are a lot of them, so focus on the host OS, the container’s own dependencies and, most of all, the application code. Application code is one of the biggest sources of vulnerabilities, but practising DevOps can help prevent this. Reviewing your code for security vulnerabilities before it goes to production costs time, but saves a lot of money if best practices are followed. It is also a good idea to follow security research blogs such as Google’s Project Zero, and to use fuzz testing to find vulnerabilities in your own code before someone else does.

        Infrastructure security

        Infrastructure security is a broad subject because it covers identity management, logging, networking, and encryption.

        Controlling access to resources should be at the top of everyone’s list. Following the best practice of granting the least privilege is as key here as it is in a traditional environment. Role-Based Access Control (RBAC) is one of the most common methods used: it restricts system access to authorised users only. The traditional method was to hand out a few broad security policies, but now fine-grained roles can be used, scoped to the namespace, the resources and the verbs a workload actually needs.
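Least privilege in Kubernetes RBAC is easy to state and easy to get wrong, because a wildcard in resources or verbs silently covers things like Secrets and pods/exec. The Python below is an added example (not from the original post) of a small lint that walks the rules of a Role or ClusterRole and flags grants that let a subject step outside its role. The two manifests are constructed and already parsed into dicts, the shape kubectl get clusterrole -o json returns, so no cluster is needed; the shortlist of risky grants and the names are this example’s own assumptions, not a Kubernetes or Nordcloud standard.

```python
"""Least-privilege lint for Kubernetes RBAC rules.

Added example, not from the original post. The Role/ClusterRole objects are
constructed manifests already parsed into dicts (what
`kubectl get clusterrole <name> -o json` returns), so no cluster is needed.
The table of risky grants is this example's own shortlist, not a Kubernetes
or Nordcloud standard.
"""

# (apiGroup, resource, verb) grants that let a subject step outside its role.
# The core API group is the empty string, exactly as in manifests.
RISKY_GRANTS = [
    (("", "secrets", "get"), "can read Secrets"),
    (("", "secrets", "list"), "can read Secrets"),
    (("", "pods/exec", "create"), "can exec into running pods"),
    (("", "pods", "create"), "can create pods (mount any ServiceAccount or hostPath)"),
    (("", "serviceaccounts/token", "create"), "can mint ServiceAccount tokens"),
    (("rbac.authorization.k8s.io", "clusterrolebindings", "create"), "can grant cluster-wide roles"),
    (("rbac.authorization.k8s.io", "rolebindings", "create"), "can grant roles"),
    (("rbac.authorization.k8s.io", "clusterroles", "bind"), "can bind roles it does not hold"),
    (("rbac.authorization.k8s.io", "clusterroles", "escalate"), "can escalate role contents"),
    (("", "users", "impersonate"), "can impersonate users"),
]


def _covers(granted, wanted):
    """A granted list covers a value if it names it or contains the wildcard."""
    return "*" in granted or wanted in granted


def lint_role(role):
    """Return [(role name, rule index, severity, reason)] for a Role/ClusterRole dict."""
    findings = []
    name = role["metadata"]["name"]
    for idx, rule in enumerate(role.get("rules", [])):
        groups = rule.get("apiGroups", [])
        resources = rule.get("resources", [])
        verbs = rule.get("verbs", [])
        if "*" in groups and "*" in resources and "*" in verbs:
            findings.append((name, idx, "HIGH", "full wildcard rule (cluster-admin equivalent)"))
            continue
        if "*" in verbs:
            findings.append((name, idx, "MEDIUM", f"wildcard verbs on {resources}"))
        if rule.get("resourceNames"):
            continue  # scoped to named objects; the broad patterns below do not apply
        for (group, resource, verb), reason in RISKY_GRANTS:
            if _covers(groups, group) and _covers(resources, resource) and _covers(verbs, verb):
                finding = (name, idx, "HIGH", reason)
                if finding not in findings:  # get and list on secrets share one reason
                    findings.append(finding)
    return findings


# Constructed manifests (names made up). The first looks read-only but is not:
# resources "*" in the core group includes Secrets, and the second rule adds exec.
READ_EVERYTHING = {
    "kind": "ClusterRole", "metadata": {"name": "viewer-too-broad"},
    "rules": [
        {"apiGroups": [""], "resources": ["*"], "verbs": ["get", "list", "watch"]},
        {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]},
    ],
}
LEAST_PRIVILEGE = {
    "kind": "Role", "metadata": {"name": "app-viewer", "namespace": "shop"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list", "watch"]},
        {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get"],
         "resourceNames": ["shop-config"]},
    ],
}


if __name__ == "__main__":
    for role in (READ_EVERYTHING, LEAST_PRIVILEGE):
        print(role["metadata"]["name"], lint_role(role) or "no findings")
```

The check is deliberately about what a rule covers, not what it literally lists: a rule granting get on resources ["*"] is reported as "can read Secrets" even though the word never appears in the manifest, which is exactly the class of mistake that survives a manual review.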

        Logging at every layer of the infrastructure is a must. Audit logging through the cloud vendors’ services, such as AWS CloudWatch, AWS CloudTrail, Azure OMS and Google Stackdriver, will allow you to measure trends and find abnormal behaviour, provided the logs are shipped to a store the workload itself cannot modify.
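Audit logs only find abnormal behaviour if something actually looks at them. As an added example (not from the original post), the Python below runs a handful of detection rules over CloudTrail records: console login without MFA, activity by the root account, IAM changes that grant privilege, tampering with the trail itself, and a security group opened to the whole internet. The five records are constructed to follow CloudTrail’s JSON layout (eventName, userIdentity, additionalEventData, requestParameters); the account ID 123456789012, the user names, the security group ID and the 203.0.113.0/24 addresses are documentation placeholders, not real data.

```python
"""Detection rules over CloudTrail records, run offline.

Added example, not from the original post. The records below are constructed
to follow CloudTrail's JSON shape; account ID, user names, group IDs and IP
addresses are placeholders. The rule set is a starting point, not a complete
baseline.
"""
import json

IAM_CHANGE_EVENTS = {"PutUserPolicy", "AttachUserPolicy", "AttachRolePolicy",
                     "CreateAccessKey", "CreateUser", "UpdateAssumeRolePolicy"}
TRAIL_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail"}


def _actor(rec):
    ident = rec.get("userIdentity", {})
    return ident.get("arn") or ident.get("type", "unknown")


def _opens_to_world(rec):
    """True if an AuthorizeSecurityGroupIngress request includes 0.0.0.0/0 or ::/0."""
    perms = rec.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    for perm in perms:
        v4 = perm.get("ipRanges", {}).get("items", [])
        v6 = perm.get("ipv6Ranges", {}).get("items", [])
        if any(r.get("cidrIp") == "0.0.0.0/0" for r in v4):
            return True
        if any(r.get("cidrIpv6") == "::/0" for r in v6):
            return True
    return False


def detect(records):
    """Return a list of (rule, eventTime, actor, eventName) alerts, one per rule hit."""
    alerts = []
    for rec in records:
        name = rec.get("eventName", "")
        ident = rec.get("userIdentity", {})
        row = (rec.get("eventTime"), _actor(rec), name)
        if (name == "ConsoleLogin"
                and rec.get("responseElements", {}).get("ConsoleLogin") == "Success"
                and rec.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
            alerts.append(("console-login-without-mfa",) + row)
        # Root usage, excluding calls AWS services make on the account's behalf.
        if (ident.get("type") == "Root" and ident.get("invokedBy") is None
                and rec.get("eventType") != "AwsServiceEvent"):
            alerts.append(("root-account-activity",) + row)
        if name in IAM_CHANGE_EVENTS:
            alerts.append(("iam-privilege-change",) + row)
        if name in TRAIL_TAMPER_EVENTS:
            alerts.append(("cloudtrail-tampering",) + row)
        if name == "AuthorizeSecurityGroupIngress" and _opens_to_world(rec):
            alerts.append(("security-group-open-to-internet",) + row)
    return alerts


# Constructed records: one benign S3 read plus four that should each trip a rule.
SAMPLE_RECORDS = json.loads("""
[
 {"eventTime": "2018-11-02T08:15:21Z", "eventName": "ConsoleLogin",
  "eventSource": "signin.amazonaws.com",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
  "sourceIPAddress": "203.0.113.10",
  "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
 {"eventTime": "2018-11-02T08:20:05Z", "eventName": "DescribeInstances",
  "eventSource": "ec2.amazonaws.com", "eventType": "AwsApiCall",
  "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
  "sourceIPAddress": "203.0.113.10"},
 {"eventTime": "2018-11-02T08:31:40Z", "eventName": "AuthorizeSecurityGroupIngress",
  "eventSource": "ec2.amazonaws.com", "eventType": "AwsApiCall",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"},
  "requestParameters": {"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [
     {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
      "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
 {"eventTime": "2018-11-02T09:02:11Z", "eventName": "StopLogging",
  "eventSource": "cloudtrail.amazonaws.com", "eventType": "AwsApiCall",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"},
  "requestParameters": {"name": "org-trail"}},
 {"eventTime": "2018-11-02T09:10:00Z", "eventName": "GetObject",
  "eventSource": "s3.amazonaws.com", "eventType": "AwsApiCall",
  "userIdentity": {"type": "AssumedRole",
                   "arn": "arn:aws:sts::123456789012:assumed-role/app-reader/i-0abc"}}
]
""")


if __name__ == "__main__":
    for alert in detect(SAMPLE_RECORDS):
        print(*alert)
```

The trail-tampering rule is the one to wire up first: an attacker who can call StopLogging removes the evidence for every other rule, which is why CloudTrail should also be configured so that the workload account cannot alter the trail at all.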

        Networking is commonly overlooked because it is sometimes referred to as the magic unicorn. Understanding how traffic flows in and out of the containers is where the need for security truly starts. Networking theory makes this complicated, but the underlying tools, such as firewalls, proxies and cloud-enabled services like Security Groups, let you redirect or constrain the traffic to the correct endpoints. With Kubernetes, private clusters keep the nodes off the public internet, and NetworkPolicy objects constrain which pods may talk to each other.

        How does the container get its secrets, and how does it store them? This is a question your organisation should ask when encrypting data at rest and in transit. Secrets baked into the image or passed as plain environment variables end up in the image layers, in the docker inspect output and in logs; they belong in a secrets manager or the orchestrator’s secret store, mounted into the container at runtime.

         

        Runtime security

        Runtime security is often overlooked, but making sure that a team can detect and respond to security threats while a container is running should not be. The team should monitor abnormal behaviour such as unexpected network calls, API calls, and even login attempts. If a threat is detected, what are the mitigation steps for that pod? Isolating the container on a different network, restarting it, or stopping it until the threat can be identified are all ways to mitigate. Another overlooked part of runtime security is OS logging. Keeping the logs in an encrypted, append-only store outside the container will limit tampering, but of course someone will still have to sift through the logs looking for abnormal behaviour.
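The detect-and-respond loop above can be made concrete as a policy: a baseline of what each image is expected to do, and a decision (allow, alert, isolate or stop) for every event that deviates from it. The Python below is an added example, not from the original post and not any product’s code; the baseline, the event stream and its shape (container, image, type and a few fields) are constructed to stand in for what a normalised runtime sensor would emit, and the image names and addresses are made up.

```python
"""Runtime policy for containers: compare observed events with a per-image
baseline and decide on a mitigation.

Added example, not from the original post. Baselines and events are
constructed; the event shape is this example's own, roughly what a runtime
sensor (eBPF, auditd, a sidecar) would emit after normalisation, not any
particular product's format.
"""

# Assumed baseline per image: what a healthy container of that image does.
BASELINES = {
    "shop/web:1.4": {
        "processes": {"/usr/sbin/nginx", "/usr/bin/python3"},
        "egress": {("api.internal", 8443), ("db.internal", 5432)},
    },
}
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/usr/bin/bash"}
RANK = {"allow": 0, "alert": 1, "isolate": 2, "stop": 3}


def decide(event, baselines=BASELINES):
    """Return (decision, reason) for one event.

    allow   = matches the baseline
    alert   = log it and let a human look
    isolate = move the container to a quarantine network, keep it for forensics
    stop    = kill it; a shell or interactive login in a service container is
              not something to keep running
    """
    base = baselines.get(event["image"])
    if base is None:
        return ("alert", f"no baseline for image {event['image']}")
    kind = event["type"]
    if kind == "exec":
        proc = event["process"]
        if proc in base["processes"]:
            return ("allow", "process in baseline")
        if proc in SHELLS:
            return ("stop", f"interactive shell {proc} spawned")
        return ("alert", f"unexpected process {proc}")
    if kind == "connect":
        dest = (event["host"], event["port"])
        if dest in base["egress"]:
            return ("allow", "destination in baseline")
        return ("isolate", f"unexpected egress to {dest[0]}:{dest[1]}")
    if kind == "login":
        return ("stop", f"interactive login as {event.get('user', '?')}")
    return ("alert", f"unknown event type {kind}")


def evaluate(events, baselines=BASELINES):
    """Apply decide() to a stream; keep the strongest decision per container."""
    actions = {}
    log = []
    for ev in events:
        decision, reason = decide(ev, baselines)
        log.append((ev["container"], ev["type"], decision, reason))
        c = ev["container"]
        if c not in actions or RANK[decision] > RANK[actions[c]]:
            actions[c] = decision
    return actions, log


# Constructed event stream: a healthy container, one that downloads something and
# calls home, one that spawns a shell, and one from an image without a baseline.
SAMPLE_EVENTS = [
    {"container": "web-1", "image": "shop/web:1.4", "type": "exec", "process": "/usr/sbin/nginx"},
    {"container": "web-1", "image": "shop/web:1.4", "type": "connect", "host": "db.internal", "port": 5432},
    {"container": "web-2", "image": "shop/web:1.4", "type": "exec", "process": "/usr/bin/curl"},
    {"container": "web-2", "image": "shop/web:1.4", "type": "connect", "host": "203.0.113.55", "port": 4444},
    {"container": "web-3", "image": "shop/web:1.4", "type": "exec", "process": "/bin/sh"},
    {"container": "job-9", "image": "shop/batch:0.1", "type": "exec", "process": "/usr/bin/python3"},
]


if __name__ == "__main__":
    actions, log = evaluate(SAMPLE_EVENTS)
    for entry in log:
        print(*entry)
    print(actions)
```

Two design points carry over to any real tool: the baseline is keyed by image rather than by container, so it is produced once per release and applies to every replica, and the response is graded, so an unexpected egress preserves the container for forensics while a shell in a service container is stopped outright.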

        Whenever security is discussed, an image like the one shown above is commonly depicted. When it comes to security, it is ultimately the organisation’s responsibility to keep the application, data, identity, and access control secured. Cloud providers do not prevent malicious attackers from attacking the application or the data. If untrusted libraries are used or access is misconfigured inside or around the containers, then everything falls back on the organisation.

         Check also my blog post Containers on AWS: a quick guide
