In the past, cloud adoption by many organizations was directed towards a “cloud first” strategy, meaning that new applications would be built for cloud deployment. However, in the wake of the pandemic, many have pivoted to a “cloud now” approach. What does this mean in the greater scheme of corporate security?
In the latest episode of the Thales Security Sessions Podcast, Vaughn Stewart from Pure Storage and I discuss some of the caveats for companies who are shifting to the cloud.
Personally, I have been working in the field of encryption and cryptography for more than 25 years, and during this podcast, I really enjoyed discussing some of the more important ideas about how encryption in the cloud brings new challenges.
Vaughn brings infrastructure technology expertise to the discussion, having spent more than 20 years in the industry. Vaughn states that he believes that the “cloud now” approach will be less active in a post-COVID world, and the current rush to move to the cloud may be lightened by the return to traditional office environments.
It seems that during the pandemic many established companies accelerated their commitment towards increasing cloud operations. Even though many traditional corporations were forced to work with cloud technologies during the pandemic lockdowns, there are some signs leading Vaughn and me to believe that these organizations may repatriate some of their systems in the future, or make increasing use of hybrid technologies to gain benefit from both deployment models. Why would a company need to do that, especially with all of the out-of-the-box controls offered by cloud providers? I think you will find we have some interesting perspectives on these behaviors.
When thinking about encryption, I point out that encryption, while an excellent protective mechanism, transfers the risk from the data to the encryption key. Other encryption considerations for moving to a cloud environment include key management. For example, while key management and control have always been the most important considerations when working with encryption, these topics present new challenges and important concerns in a cloud environment. How involved and complicated can this be? Does encryption create greater risks than the old data management worries?
Sometimes, companies underestimate the size and emphasis of a zero-trust model. Who should be responsible for this in the cloud? Should it reside with the application developers? After all, applications make API calls to one another… but there is more to zero trust than just a collection of API controls. Conversely, is zero trust more of an infrastructure responsibility?
Responsibility and liability also come into play in a cloud shift. It’s been stated before, but many companies must be reminded that moving to the cloud does not insulate them from liability if a breach occurs. A corporation’s security posture does not automatically improve when moving to the cloud. Poor security hygiene tends to move across platforms, so it is important to be aware of where a company is in its security journey. Is it actually possible for a company to become less secure when moving to the cloud?
During this lively discussion, Vaughn and I offer some practical advice and questions for mitigating the risks of operating in the cloud, including:
- A careful assessment of an organization’s current security architecture.
- Is the organization ready for an architectural change?
- Will a cloud adoption change the company’s workflow?
- Can you accurately predict the functionality and costs?
Listen to the Thales Security Sessions podcast, “Episode 7: Adoption of Cloud Technologies Part 1” to see how we answer many of the questions surrounding cloud adoption, and to hear our thoughts on other steps that every organization should consider, whether contemplating a move to the cloud, or further securing a cloud presence.