Where are Swedish organizations in terms of cloud adoption? How far have they come, and is anything holding them back? Listen to Malin Andersson and Anders Eriksson giving their view of where the market is today.
The talk is in Swedish.
When facing the question or the statement “The Cloud is not secure!”, meant to close the discussion, I try to avoid answering. Instead I turn the question around: “Do you think that your business will benefit from shorter time-to-market, higher speed in business innovation and meeting customer expectations, less upfront investment for IT equipment and a competitive edge towards the rest of your industry?” If the answer so much as hints at a Yes, I reply: “Then we make The Cloud secure for you!”
The Cloud is secure enough
When talking about The Cloud we normally mean the big public clouds provided by companies like Microsoft, Google, AWS, Alibaba etc. Today they all have built-in services similar to traditional on-premises security controls, but with other names, and in many cases with built-in capability to provide traceability and transparency that facilitates monitoring and compliance evidence.
This makes it possible to get at least the same security level in The Cloud as on-premises. What's needed is likely a changed skill set in the organization when operating in The Cloud.
Another very important thing to understand about The Cloud is that the responsibility “up” there is shared. But it's not shared in an obscure way. It is very well defined. The cloud provider is responsible for the security OF The Cloud and the customer is responsible for what's IN The Cloud. Shared, and crystal clear. If you google “shared responsibility model” you get millions of hits and can check for yourself what it means for a specific cloud provider. I give the AWS view as an example below.
If we apply the above on two use cases, the responsibility works according to the following. If you choose to use The Cloud as a:
The consequence is that the customer decides and is in total control of how secure their part of the responsibility shall be, and the cloud provider of theirs. The cloud provider commits via certification towards recognized standards such as ISO-27001/2, HIPAA etc., by maintaining those certifications and by continuously publishing reports of compliance.
The responsibilities are clear and the tools are there to make The Cloud as secure as needed.
Whether The Cloud is suitable is a business decision
But in order to understand why I think the question should be “Is The Cloud suitable for me?”, we need to take one step back. What is it that actually shall be secured? It's normally not the computers in the data centers or the software on them we talk about.
We want to secure the information we put into them, and the capability to process it and utilize it for the benefit of our business. We want to make public only the information that shall be public, and keep the rest hidden from the public, but accessible for the right audience at the right time.
The question left to answer is: are we allowed to put the data in The Cloud? If the answer is “No”, then The Cloud is not suitable even if it can be secure enough from a technical perspective. But if the answer is “Yes”, partly or fully, then The Cloud is a competitive candidate towards on-premises.
What kind of requirements can forbid an organization to put their data in The Cloud? I see two major groups of requirements:
Legal requirements are hard to challenge. But contractual ones can be discussed with the other parties. So in order to answer the question of whether The Cloud is suitable, we need to know what the law says and what contractual requirements we have for the specific set of data we plan to move to The Cloud, and of course for the processing of it.
When we know that, we not only understand if The Cloud is suitable. We also have enough information to select a suitable cloud provider. For the set of data that is not allowed to be moved to The Cloud, on-premises operation might be the only choice left.
An embryo of a Cloud First strategy
Doing this exercise, we have turned the question of “Is The Cloud Secure?” into a normal business decision about balancing business benefits and business risks. At the same time we have created the first embryo of a Cloud First strategy. That's not bad.
Besides security, another common opinion about The Cloud is that it's expensive. Read Anders Eriksson's blog post “Cloud is expensive”.
Kennet has more than 20 years of experience within the fields of security and compliance. He has worked as both CIO and as an expert consultant for several companies. In recent years, he has focused on the new General Data Protection Regulation and privacy, which are two of his favourite subjects.
As security is becoming more and more important for our customers when moving data and applications to the cloud, Kennet will be of great support to our customers. He will also be leading our AWS certification initiatives and consulting in our transition services.
Kennet will work out of Linköping and be a part of our distributed team.