The Cloud: Between Myths and Truths (II)

We continue with the second part of this analysis, which addresses the topic of the cloud and develops concepts about the security and implementation of this kind of technological tool.

By Gigi Agassini, CPP*

In the first part of this article, published in the previous edition, we highlighted the birth of the cloud, its development, service models and some current concepts. Now it's time to look at the deployment models for cloud computing and the risks to be taken into account in the adoption of this technology.

As mentioned in the NIST (National Institute of Standards and Technology) definition, there are four deployment models for cloud computing:
1. Private cloud. In this deployment model, the cloud infrastructure is provisioned for use by a single organization, made up of many consumers, such as business units.

2. Public cloud. This cloud infrastructure is provisioned for open use by the public. The public cloud provider may offer a limited number of configuration options, such as data location, service and performance levels, backups, and disaster recovery.

3. Community cloud. This cloud deployment model serves a community of consumers from organizations that share interests. It can be hosted and managed by a community member or by a third party.

4. Hybrid cloud. A hybrid cloud is simply a combination of two or more distinct cloud infrastructures (private, public, community) joined together to achieve data portability or processing between them.



Although it does not appear in NIST's list of deployment models, the concept of the virtual private cloud (VPC) is worth defining. A VPC is a set of resources allocated within a public cloud infrastructure, but with enough isolation from other public cloud users to mimic the characteristics of private cloud infrastructure.

Cloud Risks
While the cloud offers numerous benefits, it also comes with certain risks that organizations and individuals should be aware of when adopting this technology, including:
- Data security and privacy
- Availability and downtime
- Regulatory and legal compliance
- Data leaks and loss of control
- Unforeseen costs
- Vendor lock-in
- Latency and throughput
- Governance and control

All of the above risks can be mitigated with proper planning and management, including carefully choosing cloud service providers, implementing robust security measures, and fully understanding the terms of the contract. However, there are still many doubts about the security offered by the cloud, which undermines confidence in it.

The truth is that cloud security refers to the layers of protection and the measures implemented to safeguard data, applications, resources and their environment. These measures, along with the certifications held, vary depending on the provider and the type of service, among other factors. Let's not forget that cloud security is a shared responsibility between the cloud service provider and the customer.

But what about cloud and cybersecurity? Many reports describe cyberattacks and security breaches that keep growing disproportionately worldwide, which generates many doubts and little confidence in the security of migrating to the cloud or starting that process.

Implementing a governance, risk, and compliance (GRC) program is sometimes thought of as bureaucracy that gets in the way of cybersecurity work. However, it helps lay the groundwork for meeting security goals.

The three components of cybersecurity (people, processes, and technology), with a programmatic and scalable approach, are essential, so an effective GRC program will help achieve the goal and ensure that a holistic view is taken in the never-ending mission of cybersecurity.

Although governance, risk, and compliance are often considered separate functions, there is a symbiotic relationship between them. Governance sets the strategy and guardrails to meet the specific requirements that align with and support the business. Risk management connects specific controls to governance and assessed risks, and provides business leaders with the information they need to prioritize resources and make informed decisions about risks. Compliance is the adherence to, and monitoring of, controls against specific governance requirements; with continuous monitoring, it closes the feedback loop on whether governance is effective. Security architecture, engineering, and operations are built on the foundation of GRC.

Without a GRC program, people tend to focus solely on basic technology and processes. The breadth and depth of a GRC program varies with each organization. Regardless of its simplicity or complexity, there are opportunities to transform or scale that program for the adoption of cloud services, emerging technologies, and other future innovations.

However, there are basic requirements that each part of the GRC program must meet:
- Governance must identify compliance requirements, conduct program evaluation, and update and publish policies, processes, and procedures.
- Risk management should conduct a risk assessment using pre-established threat models, which can help simplify both the initial assessment and later updates; it should also draft risk plans, authorize systems, and incorporate risk information into decisions.
- Compliance must monitor compliance with security policies, standards, and controls, continuously self-assess, respond to events and changes in risk, and communicate events and changes in risk.

Governance should be goal- and capability-based, incorporating risk context into decision-making and automating monitoring and response.

Don't forget that the cloud has enabled emerging technologies such as the Internet of Things (IoT), large-scale data analytics, machine learning, and more. As time progresses, the cloud is likely to continue to evolve to address new challenges and opportunities in the world of technology and business.

It has helped companies and individuals convert infrastructure costs from a large upfront capital expenditure to a "pay-as-you-go" operating cost. It has allowed many startups to take off quickly while reducing the amount of cash required to set up the initial infrastructure. Companies that adopt a cloud computing model swap initial capital costs (CAPEX) for recurring operating costs (OPEX).

In short, cloud computing is an alternative to installing and maintaining the resources of your physical computing infrastructure. There are different service models and different deployment models, each of which meets a different set of requirements and constraints.

Cybersecurity and the cloud are inextricably linked in today's digital world. As more businesses and individuals adopt cloud services, it's critical to recognize the associated risks and opportunities. Implementing robust cybersecurity practices, such as multi-factor authentication, data encryption, and user awareness, is essential to ensuring the integrity and confidentiality of our data in this ever-changing environment. By embracing technological innovation and maintaining a proactive approach to cybersecurity, we can better protect our digital future in the cloud.

If you're still thinking about migrating to the cloud, do your research and learn about the providers, services, and security levels that meet the needs of your business, or your own needs as an individual. Explore cloud solutions and start using them; it's always a good time to do it.
See you next time!

* Gigi Agassini, CPP
International Security Consultant
GA Advisory
[email protected]
