Cloud security

The Swedish Corona App, nothing for American clouds, or..?

A colleague came to me some time ago and said that the reporting around the Swedish Corona App questioned Amazon Web Services (AWS) as its host. Not good for an AWS Partner. Based on what I read, there was some high-pitched screaming in that direction. But what I found was at least one crucial misconception (about storage), some discomfort about the cloud, and eSam references, of course.

My unscientific summary of what I read is that it is about costs, hasty decisions and a sense of urgency, possible disregard of the Swedish Public Procurement Act, privacy concerns due to the storage of health data and the eSam recommendations, the suitability of American cloud operators, and some implicit misconceptions and general discomfort about utilizing the cloud.

My intention is not to review the reporting in this blog post, even though I will also touch on some aspects related to the suitability of using American cloud providers below. But I start with the storage confusion.

Cloud service does not equal cloud storage

Primarily I want to address an implicit assumption that many outside our industry make: that you are always forced to store your data in that cloud when you use a cloud service provider such as AWS, Microsoft Azure or Google. This is not true. Data can be stored in the cloud or somewhere else. It all depends on the service you use or provide.

When reading the reporting I can see this misconception shining through. It is an implicit assumption we often meet in our customer dialogues as well. My guess is that this misconception comes from the frequent use of cloud-based services in our daily life and the discussion about privacy.

Cloud storage optional for SaaS providers. Why not for customers?

When developing a SaaS (Software-as-a-Service) service in a cloud such as AWS, Microsoft Azure or Google Cloud, you as a developer can choose where data shall be stored. In short, it is a design decision. This allows a foresighted SaaS developer to give the customer a choice as well.

It provides an opportunity to differentiate the offerings and to have different solutions for data storage as options for the customers. This is a do-or-die requirement in some industries where data and storage location are crucial, and lacking this agility can be a business blocker for customers in those industries.

In AWS there are several different services and solutions that can be used to provide this flexibility for both the SaaS provider and the customer.

The use of American cloud providers or not?

The other thing I want to comment on is the underlying concern about using AWS as a platform when they developed the Swedish Corona app (RIP?). When reading the reporting it seems like there are two concerns in relation to this.

  1. The fear that data shall be stored on US servers.
  2. The fact that AWS is an American company and is therefore subject to American law.

Point 1: Mitigated by automatically enforcing Region Blocking to Sweden

It is possible for a SaaS provider utilizing AWS to explicitly limit both the storage and the processing to specific regions by using region blocking rules that are applied automatically. In AWS it is possible to limit access to, for example, the Stockholm region. Then it is guaranteed that no data is stored, and no processing of data is performed, outside Sweden.

Combining this with the storage differentiation discussed above makes a strong argument for the possibility to use an American cloud provider for sensitive data processing.
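One way to implement such a region lock in AWS is a service control policy (SCP) in AWS Organizations that uses the `aws:RequestedRegion` condition key. The policy below is an added example, not code from the original post or from any project it describes: attached at the root of an Organization it denies, in every member account (SCPs never restrict the management account), every API call that is not addressed to the Stockholm region (eu-north-1), except calls to the listed global services, whose control-plane APIs are not region-bound and would otherwise break IAM, billing and DNS administration. The role name `OrgBreakGlassRole` is an assumed placeholder for an exempt administrative role; replace or remove it.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyEverythingOutsideStockholm",
      "Effect": "Deny",
      "NotAction": [
        "iam:*",
        "organizations:*",
        "sts:*",
        "account:*",
        "budgets:*",
        "support:*",
        "health:*",
        "cloudfront:*",
        "route53:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": "eu-north-1"
        },
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/OrgBreakGlassRole"
        }
      }
    }
  ]
}
```

The exempted global services carry no customer payload data, but review that list against the services you actually use, and verify the effect with CloudTrail: after attachment, any `AccessDenied` event whose `awsRegion` is not `eu-north-1` shows the policy working.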

Point 2: Mitigated with strong arguments before selecting cloud provider

I have always been a strong advocate for using cloud services and I love the flexibility and freedom given by AWS. Now that is said. Again! When reading the reporting and the concern about using AWS, it is clear that the eSam recommendation to public authorities, about the risk of using cloud providers that are subject to foreign laws, comes into play. The eSam recommendation is about law interpretation, and as a non-lawyer I will not step into that area. But one thing is clear. At least for me.

Not everyone agrees with eSam and their recommendations. Both SKR and respected IT lawyers disagree with eSam about the strong guarantees needed for a Swedish authority to use non-Swedish cloud service providers. This disagreement will most likely end up in court at some point.

What to do?

It is hard to give general advice due to the legal implications. But I think a good idea is to consider starting an investigation into the suitability of using large cloud providers for a selected set of data, and to carefully document every step in the process up to a decision about which one to use. It is better to ask yourself whether the cloud is suitable for you than to claim that it is not, based on fear.

What should I think about when discussing the suitability of cloud usage?

One way is to start reading my blog post where I argue why the question “Is The Cloud suitable for me?” is better than “Is The Cloud Secure?”. It is a discussion of cloud security from a business benefit perspective – https://tiqqe.com/is-the-cloud-secure/.

And then it might be of interest to evaluate whether a Cloud First Strategy can be something for you. What I mean by a Cloud First Strategy (CFS) is described in my blog post – https://tiqqe.com/we-all-need-a-cfs-you-too. In the post, I argue that it is all about creating a cloud-positive mindset.

AWS

Something worth bragging about!

Last December TIQQE was awarded the AWS Advanced Partner status for the second time. Second time? Nothing new there. So what is there to brag about? We brag because it is of strategic importance for us to hold the AWS Advanced Partner status, to be able to support you all in the best way possible. And of course, just to be able to brag about the achievement. Why, you may ask? Allow me to explain.

We are a partner not only to AWS, but also to our customers, and we want to be relevant as an AWS expert partner, not just a partner providing resources. A strategic and important stepping stone on this journey is the Advanced Partner status. The Advanced Partner status opens up several different competence tracks inside AWS for a partner company like TIQQE when we seek to deepen our knowledge of AWS for the benefit of our customers. Not having the Advanced Partner status keeps these tracks closed for an AWS partner as well as for its customers.

What does the Advanced Partner label say about TIQQE? The Advanced Partner status is nothing you get without a track record. It shows that a partner company has a proven track record of providing business value on the AWS platform for its customers.

To be awarded the AWS Advanced Partner status, a partner company needs to prove to AWS that it has:

  • Documented and public testimonials from customers about what kind of business value the partner has contributed.
  • Several named individuals who have reached a certain level of technical and business certifications on AWS.
  • Good and documented relationships with AWS customers.
  • A drive to continuously improve its knowledge of the AWS platform.
  • The capability to develop the business value of its customers’ AWS investments.

And we need to do this over and over again. And we cannot do it without asking our customers to contribute. Therefore we need to continuously develop our partnership with our customers in order to motivate them to help us keep the Advanced Partner status with AWS. We think this is a win-win-win situation.

I dare to claim that if you are truly looking for an AWS partner, you should not accept anything less than one that holds the AWS Advanced Partner status. So why not select one that brags about it? Welcome to contact us!

Cloud strategy

We all need a CFS – you too!

My own datacenter or move to the cloud? That’s the question. A “close call”, some say. A “slam dunk” for the cloud, I say. The question was perhaps relevant five years ago, but not today. Today the question should be: Why not in the cloud? The first step is a Cloud First Strategy. No more excuses. You have the recipe here.

There is much that suggests that a Cloud First Strategy – a CFS in TIQQE language – is the best for all companies and organizations. But what does a Cloud First Strategy actually mean?

For us at TIQQE, it simply means that if there is an opportunity to use the cloud and there are no barriers of the legal, technical or unreasonable-customer-requirement kind, then it is the cloud that rules. Pronto. Period. Basta! Five years ago you had to argue repeatedly to move something into the cloud, and often got a NO. Today it should be just as difficult to get a YES to stay in your own data center without overwhelming evidence that it benefits the business and improves the customer experience.

The classic arguments against the cloud, that it is expensive and that it is not secure, are today arguments that should be heavily questioned when presented. TIQQE has covered these two arguments, opinions or myths in two blog posts: Is The Cloud Secure? and The Cloud is Expensive.

If we go back to the question posed above: What does a Cloud First Strategy actually mean? In this blog post I will sketch the foundations of a Cloud First Strategy (CFS). All of it is the result of what we have learned together with our customers over the years.

The CFS (and for the last time – Cloud First Strategy) is by nature something to follow when creating new systems or services, or when refactoring older legacy systems or services. It is an important strategy to have when moving away from an on-premises IT environment to a cloud-based one. It helps to manifest ambition and direction and gives guidelines for decision making. But it also stands entirely on its own for new development of systems and services. Whatever the case, it is an important tool for establishing a Cloud First mindset and pointing out the direction.

When creating your CFS, it is basically one question that must be answered first. It is about the degree to which the new service or system has the potential to differentiate you (give you competitive advantages) in the marketplace vis-à-vis competitors and other industry players.

In a CFS, there are two principles that will guide you in finding the answer to that question. If the service or system you are considering developing or want to refactor:

  • does not differentiate you in the marketplace, you should choose to BUY SERVICES IN THE CLOUD to solve the task (so-called SaaS – Software-as-a-Service)
  • differentiates you in the marketplace, you should choose to BUILD IN THE CLOUD to create your own ability to focus on the business benefit and on the power of innovation in your business that the cloud provides

As stated above, there are two different ways to answer the question. But both paths lead to the cloud. A true CFS. But a CFS cannot work in a vacuum. It must also work for companies older than ten years that were not cloud native when founded. As a supplement, some type of guidance is needed to help make the right decisions. Such a priority staircase can look like this. It is listed in the order in which you should consider the different options when making decisions.

  1. SaaS (Software-as-a-Service) – Always start with this option, and choose a SaaS solution for the system or solution you are considering if it has no potential to differentiate you in the marketplace. The SaaS option is the preferred alternative for non-market-differentiating applications. This can be internal support systems for standardized processes, as well as parts of solutions that are close to the customer experience but have no potential to make it unique.
  2. Greenfield – This is the preferred alternative in the CFS when you are considering systems and solutions where building unique customer experiences has the potential to differentiate you in the marketplace. It is best done by building directly for the cloud with agile development methods and self-sufficient DevOps teams, all in order to maximize the speed of innovation, utilize all the benefits of building for the cloud, and create agility and resilience towards market changes.
  3. Data Center Expansion – Applications developed by teams that need operational support, or where close integration with on-premises systems is needed. Expansion into the cloud is the preferred choice in this alternative.
  4. On Premises – An option that shall only be considered if there are legal, technical or customer requirements that make it impossible to utilize the cloud. Our advice is to see this alternative as the last resort. Requirements can generally be discussed with the other parties.

By basing a CFS on the above principles and priorities, we capture not only the appealing features of the cloud that Cloud Native companies benefit from right from the start, but also the complexity that every organization has that was not founded when Cloud Native was the tune.

For me, it is obvious that every organization that wants to be relevant in its marketplace in three to five years must have a CFS established. Why not do it now and take the lead in your market today, instead of being left behind when the train leaves the platform! No excuses. You have the recipe above!

Cloud security

Is The Cloud secure?

We talk with a lot of customers, and the two questions, or opinions, we meet most frequently are: The Cloud is expensive, and The Cloud is not secure. We cover the economic part of The Cloud in a separate blog post; this post will dive into the question of whether or not The Cloud is secure. It’s an interesting question, but in general the wrong one. A better question is: “Is The Cloud suitable for me?”

When facing the question, or the statement “The Cloud is not secure!” meant to close the discussion, I try to avoid answering. Instead I turn the question around: “Do you think that your business will benefit from shorter time-to-market, higher speed in business innovation and meeting customer expectations, less upfront investment in IT equipment, and a competitive edge over the rest of your industry?” If the answer even hints at a Yes, I reply: “Then we make The Cloud secure for you!”

The Cloud is secure enough

Normally when talking about The Cloud we mean the big Public Clouds provided by companies like Microsoft, Google, AWS, Alibaba etc. Today they all have built-in services similar to traditional on-premises security controls, but with other names, in many cases with built-in capabilities for traceability and transparency that facilitate monitoring and compliance evidence.

Source: http://www.eventid.net/docs/onprem_to_cloud.asp

This makes it possible to get at least the same security level in The Cloud as on-premises. What is needed is likely a changed skill set in the organization when operating in The Cloud.

Another very important thing to understand about The Cloud is that the responsibility “up there” is shared. But it is not shared in an obscure way; it is very well defined. The cloud provider is responsible for the security OF The Cloud, and the customer is responsible for what is IN The Cloud. Shared, and crystal clear. If you google “shared responsibility model” you get millions of hits and can check for yourself what it means for a specific cloud provider. I give the AWS view as an example below.

Source: AWS Shared Responsibility Model

If we apply the above to two use cases, the responsibility is divided as follows. If you choose to use The Cloud as a:

  • virtual datacenter, and install some virtual computers with relational databases and additional software: you are responsible for the security of the operating system on the virtual computers you installed, for updating the database engine and the additional software, and for the data you put into the database. The cloud provider is responsible for the virtual datacenter, and you for everything you put into it.
  • virtual service center, and select a high-level database service or a full-fledged cloud-based business application (SaaS) such as Salesforce: you are responsible for the data you put into the services, not for the computers and the software the services run on. That is the cloud provider’s responsibility.

The consequence is that the customer decides, and is in total control of, how secure their part of the responsibility shall be, and the cloud provider decides about their part. The cloud provider commits via certification against recognized standards such as ISO 27001/27002, HIPAA etc., by maintaining those certifications, and by continuously publishing compliance reports.

The responsibilities are clear and the tools are there to make The Cloud as secure as needed.

Whether The Cloud is suitable is a business decision

But in order to understand why I think the question should be “Is The Cloud suitable for me?”, we need to take one step back. What is it that actually shall be secured? It is normally not the computers in the data centers, or the software on them, that we talk about.

We want to secure the information we put into them, and the capability to process it and utilize it for the benefit of our business. We want to make public only the information that shall be public, and keep the rest hidden from the public, but accessible to the right audience at the right time.

The question left to answer is: are we allowed to put the data in The Cloud? If the answer is “No”, then The Cloud is not suitable even if it can be secure enough from a technical perspective. But if the answer is “Yes”, partly or fully, then The Cloud is a competitive candidate against on-premises.

What kind of requirements can forbid an organization from putting its data in The Cloud? I see two major groups of requirements:

  • Legal requirements
  • Contractual requirements

Legal requirements are hard to challenge. But contractual ones can be discussed with the other parties. So in order to answer the question of whether The Cloud is suitable, we need to know what the law says and what contractual requirements we have for the specific set of data we plan to move to The Cloud, and of course for the processing of it.

When we know that, we not only understand whether The Cloud is suitable; we also have enough information to select a suitable cloud provider. For the set of data that is not allowed to be moved to The Cloud, on-premises operation might be the only choice left.

An embryo of a Cloud First strategy

By doing this exercise we have turned the question “Is The Cloud Secure?” into a normal business decision about balancing business benefits and business risks. At the same time we have created the first embryo of a Cloud First strategy. That’s not bad.

Besides security, another common opinion about The Cloud is that it is expensive. Read Anders Eriksson’s blog post “Cloud is expensive”.