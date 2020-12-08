What are the benefits and challenges of accelerated cloud adoption? How can it impact any organisation’s existing security strategy?

Saad Ouchkir: While organisations have been turning to public cloud for cost saving and the agility offered by managed services on public cloud platforms, we see more organisations considering public cloud for its security capabilities. In fact these organisations are realising that the economies of scale allow cloud providers to invest more in people and processes to help deliver a secure infrastructure.

Organisations can build a robust security posture by leveraging security capabilities that are available natively on their cloud platform of choice and building their own security processes on top of it to make sure that they offer the best security for their customers.

How can organisations avoid common security mistakes when they move to the cloud?

SO: It’s very important to understand the shared responsibility model that’s offered by cloud providers. While these providers offer state of the art security for the underlying infrastructure that their customers are using, it’s the customer’s responsibility to use security features and best practices offered by their cloud providers to secure their data.

To give you an example: Cloud providers offer identity and access management capabilities as well as multi-factor authentication to secure access to the data stored on their infrastructure and allow their customers to control who has access to what, but if the customer doesn’t use these capabilities they might put their data at risk.

With working from home becoming the new norm and the ubiquity of SaaS applications, it’s very important to educate both security administrators and end users on the importance of security.

What are the different ways to enhance cloud security for mission critical business applications?

SO: When using public cloud for your mission critical business applications you benefit from a robust infrastructure and reliable SLAs that boost the performance. When it comes to security, there are things that you need to pay attention to. Your data must be encrypted all the time, at rest when the data is stored on the disks and in transit when data is transferred. At Google Cloud we have introduced Confidential Computing, which allows our customers to encrypt the data even while it’s being processed.

As more business applications are hosted in the cloud, it’s very important to shift access controls from the network perimeter to individual users and devices using the zero trust security model. We’ve been using that model for years internally at Google and we recently made our implementation of zero trust available to our customers allowing their employees and contractors to access mission critical business applications remotely without the need for a traditional VPN.

Please highlight the key compliance challenges when operating in the cloud.

SO: When moving to the cloud organisations have the double challenge of protecting sensitive applications while achieving and maintaining compliance with regulatory and industrial requirements. For this reason, it’s important to choose a cloud vendor that undergoes several independent third-party audits on a regular basis to provide compliance with key international standards.

Regulations such as GDPR place significant emphasis on enterprises knowing how their data is being processed, who has access to data, and how security incidents will be managed. For this reason we have dedicated teams of engineers and compliance experts at Google Cloud who support our customers in meeting their regulatory compliance and risk management obligations.

One of the requirements that some regulated companies in our region have to comply with is the requirement to host customer data in-country. At Google Cloud we have designed a hybrid cloud technology called Anthos that allows our customers to benefit from the agility of cloud native technology while storing customer data on premise. We’ve partnered with Moro Hub, fast growing cloud service provider and one of Digital DEWA companies, to host workloads in their Tier-III Green Data Centre in Dubai using Anthos.

Securing cloud is a priority for both cloud-natives and those embarking on their cloud journey. How will their cloud security strategy be similar or different? Further, what does this strategy look like?

SO: Cloud native companies have the advantage of starting with a clean slate. They don’t have legacy systems that they need to maintain. This allows them to use cloud native technologies with built-in security features.

This doesn’t mean that other companies can’t make use of the cloud in a secure way. At Google Cloud we make sure to meet our customers where they are. We run assessments to understand their current state and we help them throughout their cloud journey.

We designed a Cloud Adoption Framework to help our customers move to the cloud with confidence. It articulates around three components: People, Processes and Technology and focuses on key capabilities that organisations need to develop in order to succeed in their cloud adoption. Two of these capabilities that I find essential are upskilling IT staff and building a secure landing zone for their applications in the cloud.

Are there security gaps in cloud platforms that cyber attackers may leverage?

SO: Cloud providers put a lot of effort into building state-of-the-art data centres and the most sophisticated security systems and processes. At Google, security is part of our culture, all employees receive ongoing security training throughout their Google careers. Our dedicated security team includes some of the world’s foremost experts in information, application and network security. We specifically built a full-time team, known as Project Zero that aims to prevent targeted attacks by reporting bugs to software vendors.

The shift to remote work has created an opportunity for cyber attackers to target users through increasingly sophisticated phishing attacks that try to steal their passwords. For this reason we encourage our customers to use phishing-resistant physical two-factor authentication devices like security keys that use public key cryptography to verify a user’s identity.

How can organisations ensure the implementation of the right security architecture to withstand such attacks?

SO: An organisation’s security posture is only as strong as its weakest link. As we work with our customers, we help them tailor a security solution that covers multiple aspects: Technology of course, but also their processes and people, increasing awareness of phishing, and helping the users to identify such attacks is important. We also encourage our customers to make the use of anti-phishing two-factor authentication devices compulsory for all their users.

And when designing their remote applications access, we encourage them to shift their access controls from the network perimeter to the use of “zero-trust” paradigm where no network device is trusted by default, even if it’s connected to the corporate network.

