
No Cloud is an Island

We’ve talked a lot about securing supply chains on this blog in recent months - not the actual physical security of goods in transit, but the increasing range of potential threats to corporate data and infrastructure that all too frequently go undetected until a breach occurs. This is an ongoing concern for both enterprise and public sector businesses, and one that we cannot afford to treat lightly, but as we work to secure these potential attack vectors, it’s important that we don’t lose sight of other existing and emerging threats (and believe me, there are a lot of them!).

Many organisations have accelerated their Cloud transformation plans, migrating from on-premises servers in favour of public, private, or hybrid solutions. There are certainly numerous advantages to this from a security point of view, particularly the Cloud’s inherent elasticity, resilience, and ability to respond to surges compared to on-premises servers. However, as with any aspect of cyber security, no one project will ever be able to fully secure against the full range of existing and emerging threats. Migrating to the Cloud does not absolve you of your responsibility to both your corporate data and that of your customers, and it comes with its own set of security challenges that must be factored into your wider security posture.

Firstly, the data centre environment itself should be considered. Even data stored in the Cloud is subject to local data sovereignty laws, so the exact location of the hosting environment must be confirmed before the migration process begins. All compliance and governance obligations of this sort must be treated with the same seriousness as they would be with on-premises infrastructure.

But beyond your own security and compliance, it’s important to remember that Cloud, by its very nature, is shared infrastructure, with multiple organisations making use of servers within the same data centre. It is essential that any data centres used to host your Cloud infrastructure have measures in place to ensure full tenant separation, so one organisation’s security vulnerabilities do not present a hidden risk to other tenants. Indeed, the ISO27001:2022 standard now includes a control around ‘Use of Cloud Services’, which requires a Cloud Service Agreement (CSA) to be in place between the organisation and its Cloud provider.

But the security of our Cloud environments is not just the data centre’s responsibility. Current cyber best practice should be followed at all times, just as with on-premises servers. All operating systems should be kept fully up-to-date and boundary protection measures (e.g. firewalls) maintained, along with Multi-Factor Authentication (MFA) for all admins and users.

Cyber Essentials/Cyber Essentials+ is a good baseline in this regard, but should be built upon, with regular testing and auditing of all Cloud infrastructure to ensure its security ecosystem remains fit for purpose, and cyber best practice is being adhered to by all end users.

By following this model, Cloud transformation will not only yield all the potential benefits in terms of efficiency, scalability, and cost control, but also help drive ongoing improvements in cyber security best practice.

If you’re concerned about your own Cloud security, your compliance and governance obligations, or any other aspect of your digital journey, get in touch. Modern business is interconnected in ways that would have been inconceivable just a decade ago, and that means it’s our collective responsibility to maintain the very highest standards of cyber security – not just for our own organisations, but for our customers, end users, and the public as a whole.

“No Cloud is an island” – Superior cyber security through responsible Cloud transformation

Maintaining effective cyber security while accessing all the potential benefits of Cloud transformation, along with full compliance with all applicable data protection regulations.
