With new hybrid work practices being implemented as a result of COVID-19, more enterprises have moved away from on-premise tools and focused funds on digital transformation.

A key element of digital transformation is cloud migration. To take advantage of cloud services, businesses typically need to work with third-party cloud service providers (CSPs).

CSPs host infrastructure, software and platforms within their own networks of data centres on behalf of their clients, allowing businesses to store data like files and emails without having to maintain their own on-premise environments. CSPs also facilitate the movement of data between ‘endpoints’ – such as desktops, laptops and servers – and CSP environments.

In order to access the cloud, businesses only need a computer, operating system, and internet connectivity. 

There are a number of benefits to using cloud services. To begin with, there is an opportunity to transform the way that IT is funded, switching from capital expenditure (capex), which requires up-front investment in assets whose value declines over time, to operational expenditure (opex), which allows pay-per-use consumption and billing for IT that is delivered ‘as a service’.

Once a digital transformation has been enacted, businesses can also target greater flexibility within their IT environments. For example, it becomes relatively easy to both launch and retire applications and workloads within cloud environments.

This particular point has broader ramifications beyond IT and into organisations’ day-to-day operations. Cloud-based and app-driven workflows can start to automate business processes. This means businesses can start to think about benefits such as improved time to response, reduced cost of operation and reduced burden on employees as a result of cloud migration. 

For many global businesses, one of the main advantages of cloud computing is that applications and data can be accessed from anywhere in the world, which is vital in the era of mobile and remote employees. So, while you may have a headquarters in Paris, a worker can still access company applications and data through the cloud whether they are in Paris, Marseille or even Timbuktu, as long as they have an internet connection. 

Cloud at risk? 

When businesses are increasing their spend on the cloud, they must ensure their investment is protected. Despite its many benefits, the cloud is not immune to security risks. For example, 81% of companies reported a cloud security incident in the last year, according to a survey by Venafi. With an ever-growing proportion of corporate IT migrating to the cloud, the importance of protecting cloud environments has never been more evident.

Identity theft is one of the most common forms of cloud attack. Once a hacker has an employee’s user credentials, they can gain access to the cloud resources to which that user has access. This commonly happens when businesses have not carried out sufficient training to tackle insider threats. Without knowing how to practise good cybersecurity hygiene, employees can unintentionally allow cyber criminals access to their company cloud systems. It is crucial that organisations ensure their workers are fully educated about, and aware of, cyber security risks.

With 38% of workers in Great Britain choosing remote or hybrid working in November 2022 according to a report by Statista, there are likely to be inconsistently updated or patched devices as workers are not in the office. When these devices access the cloud they add the risk of threat actors gaining unauthorised access through known vulnerabilities. 

Furthermore, security teams that have to manage both office and remote workers face greater pressure, which can lead to mismanagement and loss of control over cloud services. When operating a cloud service, security teams must maintain strict risk analysis, supported by a roadmap and checklist.

Does legislation offer protection? 

The security risks posed to the cloud raise the question of who should take ownership of protection. Organisations are ultimately responsible for their data and the data that they hold on behalf of customers, known legally as being ‘data owners’. However, the General Data Protection Regulation (GDPR) states that CSPs are considered to be ‘data processors’ and therefore must take joint responsibility for the protection of the data that they host on behalf of their customers, the data owners.

However, it is important to note that, from a UK perspective, EU-based GDPR rules are being phased out in favour of the draft Data Protection and Digital Information Bill, which will apply in the UK. Whether the new primary legislation will detail the importance of the cloud and outline where the responsibility lies is yet to be seen. 

Best practice for cloud security

When an organisation migrates IT assets into the cloud, these are hosted within the CSP’s network with a set of built-in controls that ensure a level of protection against common cloud risks and human error. While CSPs have measures in place to protect areas such as virtual network infrastructure, routing, and security of storage devices, it is up to the individual organisation to enhance its security in accordance with the new realities of cloud computing. 

An important consideration when conducting a cloud migration project is that it cannot simply be a case of ‘lifting and shifting’ existing security controls into the new environment. Rather, tools and controls over on-premise environments must be extended and connected to also cover the cloud. In other words, cloud environments require their own security that stands alongside, and inter-links with, existing on-premise security tools, policies and processes.

With current legislation making it clear that both CSPs and their customers are responsible for protecting the cloud, the next question is: what is the best protection? On a basic level, CSP customers must ensure they have a backup in the event of data compromise (such as a ransomware attack), manage user access to the cloud, and put in place security controls. However, these alone are not an end-to-end solution. 

User awareness and security hygiene behaviour are a vital first step in any security programme. Employees who are educated about the risks are less likely to fall victim to phishing or scam emails. These are significant threats, as any security measures can be bypassed by a user clicking on a link that shares their credentials with a third party. Enforcing security training and implementing policies to counteract threat actors promotes a secure environment founded on security common sense.

Zero trust

While user awareness is an important foundation, there are technical means to help build cloud security. A good approach to structuring this is ‘zero trust’, which, broadly speaking, encourages organisations to trust nothing and no one, and to always verify access.

According to Thales, 60% of corporate data is stored in cloud services, up 10% from 2021. As cloud migration continues to grow, so too will the exposure to security risk. These risks can be managed through the development of an appropriate cloud security programme, such as a zero trust architecture. Also note that CSPs share a joint responsibility for the protection of their customers’ assets in the cloud. However, while manageable, those risks cannot be eliminated.

Cloud migration is a business decision, taken on the basis of the business benefits on offer. Benefits such as flexibility and scalability must be weighed against the erosion of visibility and control over corporate infrastructure, applications and data. 

However, with Thales’ data showing a rapid increase in the proportion of corporate assets held in the cloud, it is clear that a growing number of organisations see the benefits outweighing the risks.
