How Cloud Computing Enables (And Threatens) Organizations’ Digital Transformation
The pace of technological change makes it hard for me to remember what enterprises were like even a few years ago. Back then, your company probably consisted of employees with smartphones, internal IT systems for a common function such as HR, Marketing, and Sales Management, and on-premises data centers containing customer-facing systems, IP, and other assets. The perimeter was well defined, and what kept you awake at night was security concerns surrounding an employee visiting a malicious website or opening a malicious email.
Just when the smartphone revolution was brewing, another radical shift in IT was starting to take hold – cloud computing. In 2019 the cloud, just like the smartphone, is both a revenue and company growth accelerator. But understanding and fully leveraging all aspects of the cloud can be confusing. I would like to start with some basics about the different flavors of cloud deployment models, and then explore some security challenges you need to consider as you embark on the journey to the cloud.
What Is the Cloud?
Microsoft defines the cloud as a network of remote servers that essentially operate as a single virtual ecosystem. This collaboration, according to the NIST’s cloud computing model, enables organizations to automatically optimize their computing resources use based on their business needs. Primarily, they can take advantage of the cloud’s rapid elasticity to scale outward as they continue to grow and deliver new services.
In short, the cloud serves as a foundational enabler of organizations’ digital transformation. Not only does it offer the scale and speed that companies such as yours can leverage to take on new digital activities, it also offers simplicity and easier management of digital resources.
What’s Involved with Migrating to the Cloud?
A good first step in cloud migration is to figure out what exactly you want to move to the cloud. Most organizations don’t migrate completely. They usually start out by using a cloud-based service like Google Drive to store their data. They might also go with a cloud-based application like Salesforce or Adobe’s Creative Suite. Or they might transition their workloads, which are the individual components that make up a discrete application.
Organizations usually make these types of migrations for the sake of improving collaboration. That being said, these moves are good first steps and usually limited in scale, which means that most organizations end up with a combination of one – or multiple – cloud deployments as well as IT assets that remain hosted on-premises.
As you consider the next steps in migrating to the cloud to realize compelling benefits including cost savings and ease of use, you need to enlist the help of a cloud service provider (CSP). As you look for a company that fits your needs, consider how much of your cloud environment you’d like to directly manage. This decision will, in turn, shape what type of service model best fits your business.
The NIST cloud computing model defines three types of service models:
- Infrastructure as a Service (IaaS): In this service model, companies deliver cloud computing infrastructure, including servers, a network, and storage, through virtualized technology. You are still responsible for your data, operating systems, middleware, and applications. This model offers significant flexibility in that you can purchase additional infrastructure resources as your needs in the cloud change. Examples of IaaS platforms include Microsoft Azure and Amazon Web Services.
- Platform as a Service (PaaS): More comprehensive than IaaS, PaaS expands a CSP’s role to include the delivery of a platform for software creation. As such, the CSP is responsible for maintaining runtime, middleware, and operating systems. You just have to take care of your applications and data, which is ideal if you’re looking to concentrate on developing and deploying apps easily and cost-effectively. Examples of PaaS platforms include Windows Azure and the Google App Engine.
- Software as a Service (SaaS): SaaS is the most comprehensive service model and the most common option for businesses in the cloud market, according to BMC. The SaaS provider essentially manages everything from a central location and makes it accessible over the web. This frees up technical staff to spend their time on matters other than installing and upgrading software associated with their cloud-based assets. Examples of SaaS platforms include Google Drive, Dropbox, and Salesforce.
The differences between the three, and in contrast to complete on-premises deployment, are illustrated below. Moving from IaaS to SaaS, more of the infrastructure is managed by the CSP.
Choosing a service model isn’t the only decision you need to make when migrating to the cloud. You also need to choose a suitable cloud deployment model based on what elements of the cloud infrastructure you want to own, what storage size you want available, and what level of access to your assets you’d like to have. The most common cloud deployment models are as follows:
- Private cloud: A service provider provisions the cloud infrastructure for use by a single organization with multiple business units. The private cloud may exist on- or off-premises. Additionally, your company, a third-party entity, or a combination of the two may have responsibility for maintaining it.
- Public cloud: A CSP provisions the cloud infrastructure for use by the general public. This type of deployment model exists only on the premises of the CSP. In general, a business (e.g. Google or Microsoft), academic institution, or government entity owns and manages the public cloud.
- Community cloud: This socially oriented model is where consumers from the same community such as banking or financial services share a cloud because they have the same concerns about security, compliance, jurisdiction, etc. They can leverage a community cloud to facilitate relationships among employers, customers, and partners.
- Hybrid cloud: This mixed cloud infrastructure commonly includes two or more cloud environments including the private cloud, public cloud, or community cloud. In a hybrid cloud, the cloud deployments remain distinct entities, but they support data and app portability with the help of standardized technology.
Security Risks of Cloud Migration
Now that we’ve discussed the types of service and deployment models, you can start formulating a migration plan. Be sure that your strategy takes into account the various security risks associated with moving to the cloud. Cloud security, of course, depends on the type of cloud – IaaS, PaaS and SaaS – and all have unique challenges.
The Software Engineering Institute (SEI) at Carnegie Mellon University explains some of these challenges:
- Reduces visibility and control: You can lose a certain amount of visibility and control over your assets and operations when you move to the cloud. This loss of management power directly corresponds to the type of service model you choose, as discussed above. As a result, you’d be wise to research CSPs carefully to make sure that your cloud computing resources are in good hands.
- Simplifies unauthorized use: Most service agreements enable departments throughout your organization to provision new services without the consent of IT. This adds to the problem known as “Shadow IT,” the expansion of unknown IT assets. Such growth could expose your company to malware infections and/or data exfiltration, as you can’t protect resources if you don’t know about them in the first place.
- Incomplete data deletion: The nature of the cloud means that a CSP usually stores your company’s data across various storage devices. These types of storage policies make it difficult if not impossible for you to verify that your data is completely deleted should you ever need to get rid of some of it. Not only that, but data deletion policies usually vary from provider to provider.
Let’s explore the security risk for IaaS in a bit more detail. With IaaS the CSP provides networking, computer, and storage, and you are responsible for managing the deployed application and data. While this may simplify your role in regards to managing IT resources, the security risks are the same given that a number of attack patterns that led to data breaches with on-premise data centers are still highly likely.
Let’s use the following attack chain as an example:
- A digital attacker exploits a vulnerable Drupal server (deployed in AWS) and gains shell access.
- The bad actor performs a scan of the internal network accessible from the Drupal server and discovers the existence of a phpmyadmin instance on the MySQL database.
- The attacker acquires access to phpMyAdmin by leveraging default or weak passwords and obtains full access to the database content.
- The malefactor extracts the full database content via phpMyAdmin and copies it to Drupal, thereby preparing it for exfiltration.
- The attacker uploads the full database to an external server and monetizes your data by selling it to a competitor or launching secondary attacks against your customers.
This attack chain illustrates how attackers can gain access to your computer and storage in the cloud by exploiting application vulnerabilities and attacking your network and workloads in the cloud.
Planning for a Secure Cloud Migration
I think it’s important that organizations understand the risks involved with moving to the cloud. In addition to formulating a cloud migration plan, you need to craft a cloud security strategy that can tackle these and other risks once you’ve completed your transition. This policy should not shy away from including security measures specific to the cloud, as not all on-premises security tools will work in a cloud environment.
Moving forward, you have another set of choices when it comes to devising a cloud security strategy. We’ll tackle them together in my next blog post.