Synopsis
Do you get better security by moving to cloud services?
When organisations decide on a cloud strategy, security is not usually a key driver - but it's a very important consideration.
So what's the resulting security impact for most organisations? Does security usually improve or get worse?
And what matters to get better security outcomes?
WHERE ARE YOU STARTING FROM?
Large organisations that are planning cloud services adoption are typically starting with a complex data centre environment, full of security challenges and issues.
Essential Eight compliance in federal government shows how hard this is - cyber hygiene such as patching is seriously hard. How long does it take for a new system to become legacy, unsupported and unpatchable?
Ransomware groups have shown how many organisations can be opened up and harmed by exploiting the organisation's identity services such as AD, and through flat network environments.
WHERE ARE YOU HEADING TO?
IaaS and PaaS for technology services, and SaaS offerings for business applications. Even on-prem cloud options!
Shared responsibility models definitely can improve your security. Compared to commercial or government organisations, major tech firms have drastically better budgets and capabilities for tech automation and security. So their cloud infrastructure is built to a seriously high standard that is almost impossible to match.
But amazingly-run cloud services can still deliver poor security outcomes for a customer:
- Easy connectivity to your new prod environment - so simple misconfigurations can have a big impact.
- Adding cloud services to your existing environment just increases complexity - which is the enemy of security. Adding multiple clouds?!
- Are cloud services being used to just deliver the same old services in a new colo? Will the same operational model lead to better outcomes?!
- Your on-prem identity and access services were extremely complex and resulted in massive risk. Is cloud simplifying and reducing risk, or increasing it?
SO WHAT REALLY MATTERS?
Security tools and teams are clearly important for good security, but poorly run IT will still have poor security.
Adopting a cloud operational model is extremely important to get sustained security benefits. That means DevOps practices to automate workload creation and replacement. Simplified software-defined IT infrastructure results in scalable patching, improved network isolation and reduced risk.
A cloud operating model requires small, technically capable cloud ops teams in place of the traditional infrastructure silos. Automate as cattle not pets - SREs shouldn't ever need to log on to workloads!
You also need to apply this model to on-premises environments, because you will still have those for a long time.
SUMMARY
Do you get better security by moving to cloud services? You can, but if you do IT just the same as before, the security outcomes will be worse.
Build capable cloud ops teams. Don't do legacy manual administration - find people who love to automate everything, enable them with great tools, set appropriate security guardrails, and build a new cloud ops culture.