iX Security Column: Cloud Risk Factor -Premises

Transition from On-Premises to Cloud Systems

More and more companies are shifting from on-premises to cloud systems. This transition presents both data protection challenges – where to even begin? – and business implications such as vendor lock-in. However, the impact of cloud migration on IT security is a matter of debate.

The Role of CISOs in Cloud Migration

Chief Information Security Officers (CISOs) often drive many of these transitions. In a world of ever-increasing security requirements and shrinking staffing resources, outsourcing for the sake of (perceived or actual) competency seems necessary. This trend used to generate a high demand for security consultants like us. But often, the help provided was minimal, leaving companies with pre-chewed tasks from consultants that they were unable to handle, such as an 80-page gap analysis report haunting their nightmares. This, however, guaranteed repeat business for the consultants.

The Shift to Second Stage Outsourcing

Then came the second stage of outsourcing: instead of getting their security in order, companies started to outsource their entire hosting to firms that (hopefully) have a better security team than they do. And not to worry, consulting firms can continue to live large, as there are still deployments to plan and configuration errors to make.

The Promise of Turn-Key Solutions

But what about the “Turn-Key Solution,” the ready-to-go option? Indeed, companies like Microsoft, Amazon, Google, and others are likely to be better equipped in terms of infrastructure security than most. Google Drive is arguably one of the safest places for a document, provided one can tolerate the prying eyes of three-letter agencies and Google itself.

However, IT security isn’t everything. As demonstrated by significant incidents such as the severe hack at the Exchange host Rackspace at the end of 2022, the embarrassing leak at password manager LastPass around the same time, or the spectacular theft of a master key from Microsoft this year, even the cloud is not absolutely secure (surprise?). The last case is particularly interesting to me, as it reveals that Microsoft’s cloud has become such an attractive target that attackers are willing to invest years of preparation for an elaborate data exfiltration. Likely, small to medium-sized businesses caught up in such attacks are just collateral damage.

Unrealistic to Turn Away from Cloud Services

This centralization does have the potential to disrupt many ransomware attacks that are oriented towards on-premises systems. At the same time, it makes these large systems an increasingly appealing target, especially in sectors critical to national infrastructure, posing a potential risk: if an attack could take down an entire region like eu-central-1, it would have significant geopolitical consequences.

However, moving away from cloud services is unrealistic, particularly at a time when data loss or compromise has few financial consequences, while a loss of availability does. And on availability, the cloud may not always shine, but it often does. Who knows, perhaps this will soon prompt a CISO to decide on further migration of systems to Azure, into the blue? From a security standpoint, it’s hard to blame them.

(ur)
