On prem and off prem environments have differing security requirements. It’s not as easy as just lifting and shifting a workload from one to the other: a new security model must accompany the move. We spoke with Unitas Global’s CTO and co-founder Grant Kirkwood about the security benefits a cloud infrastructure can provide for the enterprise.
UG Blog: If an enterprise does not have adequate security for their cloud, what risks do they run?
Grant: Doom and destruction! Catastrophe! (Laughs.) If your cloud is not secure, you get hacked, and someone can access data that they shouldn’t, and what happens from there depends on what the data is. For example, if a company moved their point of sale system from on prem to the cloud without updating the security model, someone could get in and steal all their users’ credit card numbers. Or if it’s a drug company, hackers can hack a drug formula and use it to potentially corner the market on the drug before the company could, and the company could lose out on tons of money. The risk is dependent on what the product is and what the data is.
If you’re going from an old, legacy, on prem environment straight into the cloud, what generally happens is the company’s data becomes more secure, not because cloud is inherently more secure, but because the surface area that can be attacked is smaller. What I mean by that is in most companies, IT grows legs and limbs that sprout over time as people [the number of employees] and applications grow over time. I’m talking about the person putting a WIFI router under their desk so they can use WIFI on their phone: that’s a potential inroad for hackers that bypasses company firewalls. The larger a company gets, the larger the surface area, or ways to get in. Moving workloads to cloud means there is only one way in and out, and that’s across the Internet. Cloud forces constraint of access to company data.
On the flip side of the coin, the security model fundamentally changes when it’s been moved to the cloud because it’s being accessed over a network. It used to be that for super secure networks where data absolutely cannot get out—like with the military—you air gap the network, which means that everything that’s on the network where data exists has no physical connection to the outside. No bridge exists from it into any other networks. Think of it as a computer sitting on the floor with no wires going to it, no Internet. If there’s no network connection, you can’t get to the data unless you’re sitting in front of that computer. The model of how you protect that data fundamentally changes when you put that data on a network. This is all to illustrate how the security model changes.
A lot of the time, [workloads] on premise that were used internally did not have many controls because they were not enabled for external access; everyone accessing it was inside the network and on premise. If that workload is moved to the cloud, access to that network is inherently opening to the outside.
UG Blog: What security benefits do managed services providers (MSPs) provide to their clients, particularly from a cost perspective?
Grant: Security professionals are very much in demand, among the most in demand in all of IT. And they’re generally at the top of the pay grade. Even entry level security people can command high salaries. The way companies mitigate this expense is by partnering with an MSP that has experience with connected hybrid cloud solutions—specifically connected hybrid cloud because hybrid cloud alone does not speak to the access part, which must be part and parcel to the solution—that has a bench of experienced security professionals. And by the very nature of it, the best talent is going to want to work for technology companies.
That CSP should have a suite of tools they use to monitor on a 24×7 basis what’s happening from a threat perspective. So, a SOC (security operations center) uses a SIEM (security information and event management) system to collect a flow of data and events coming from network and servers and all the devices in a client’s infrastructure or cloud instances. That flow is then sent through advanced filters that identify potential hack attempts and can be responded to in real time.
But for a company to set up all that infrastructure, you need top flight security engineers and enough of them to be running 24×7, and all of those systems collecting and analyzing that data in real time—that’s a whole bunch of infrastructure and cost that is a lot to handle unless you’re a giant company. That’s why many companies opt to partner with an MSP that has the resources and staff to properly manage security for multiple companies, making it cost-effective for mid-sized companies to leverage.