Cloud and cybersecurity: how to proceed?

Published on: 28 October 2019

Belgian companies and government institutions are concerned about their cybersecurity and the transition to the cloud, according to Beltug’s annual survey. We asked our cybersecurity expert to answer the most commonly asked questions on the security of cloud-based systems.

Beltug, the association of ICT managers, recently surveyed more than 1,750 members about the IT issues they want to tackle over the next twelve months. Top priorities are cyber security and companies’ migration to cloud-based applications.

Even though cloud applications and infrastructure are on the rise in our country, Beltug notes that many companies have reservations about a ‘cloud first’ strategy. The cost of some internal applications are often lower than existing ones and the ICT infrastructure is quickly becoming increasingly complicated.

Thus, our main consultant at the iStorm Projects Cyber ​​Security Competence Center, answers all your questions on making the transition to cloud-based applications.

1) Are public clouds secure?

All public cloud providers adhere to the recommended security standards. Data loss or service failure caused by a cyber attack never comes from the cloud infrastructure itself.

The attacks are made on the virtual machines deployed by a client on the public cloud, either through the exploitation of vulnerabilities, or through a bad configuration (generally due to a disregard for the recommendations or by a lack of knowledge of those who configure them).

The question is not whether a public cloud is secure, but whether the cloud service deployment is properly secured.

2) Are private clouds secure?

Unlike public clouds, people who build private clouds do not have to follow the recommended security standards. Except for certain sectors (banks, ...).

Generally when a company is developing its private cloud, time and money are the most important aspects and therefore security often comes second.

Securing a private cloud will depend on whether a company wants it to be secure or not. This will also depend on the skills of the people who will implement the security of this private cloud.

3) Where is customer data stored?

For private clouds, it's very straightforward: the data is stored in the customer's Data Centre. The exfiltration of data usually comes from a cyber attack or data theft (intentional or not) of an employee.

For the public cloud, it is the end user who will decide in which region of the world the data will be saved.

Of course, it's important to know where a customer's data is located, but the most important thing is to make sure that the data is encrypted when it's at a place X and when it travels from point X to point Y.

The risks

I think it's very important for customers to know why they want to migrate their services to a cloud. You shouldn’t do it because it's fashionable. Perfect IT security does not exist. You must be prepared for the fact that there is a certain amount of risk involved when using public cloud applications and one must also be aware of what those risks are.

When developing a cloud migration strategy, organizations must make decisions based on what those applications will and will not do in order to mitigate the risks, while also taking their budget into consideration.

Migrate to the cloud?

To find out if a customer needs to migrate a service to the cloud, he or she must first weigh up the benefits and the risks. One will choose to migrate to the cloud only if the risk is low and the benefit high enough.

Here are the things to consider when making a risk assessment:
  • Agility: the ability of the company to meet unforeseen future needs
  • Availability: service interruptions and data loss
  • Security: privacy and data control
  • Supplier: possible changes to the cloud provider business model
  • Compliance: regulatory requirements and other legal requirements

At iStorm we have the expertise to support customers in securing and complying with their private or public infrastructure.

To achieve this goal we offer the following solutions:
  • Check if your infrastructure is vulnerable
  • Reduce the possible attack perimeters
  • Identify who and what kind of traffic is allowed to transit on your infrastructure
  • Prevent the exfiltration of sensitive data
  • Implement monitoring solutions to detect, prevent and respond to cyberattacks