Why the cloud has a silver security lining…

Giles Baxter, Open GI’s Chief Information Officer, discusses how moving to cloud hosting really could be the best security move you will ever make for your business.

There has been, and will continue to be, widespread coverage across the national media of high-profile brands being hit by cyber-criminals – from huge players like British Airways through to retailers such as Furniture Village and even, quite recently, insurer CNA Hardy. However, the reality is that SMEs – including brokers – are just as exposed to ransomware and extortion as the bigger players.

Cyber often feels like an intangible threat, but the impact of an attack is very real. According to the Government*, among the businesses that identify breaches or attacks, one in five end up losing money, data or other assets. And one-third of businesses (35%)** report being negatively impacted because they require new post-breach measures, have staff time diverted, or suffer wider business disruption.

But, there is a different way, and the additional protection from cyber-attack that could be made by moving your business to the cloud is well worth evaluating.

* gov.co.uk: Cyber Security Breaches Survey 2021
** IT Governance Blog: List of data breaches and cyber-attacks in June 2021

Secure in the cloud

In simple terms, when your applications are running in the cloud, all your software applications, data storage and services run on infrastructure provided by your cloud provider. In most cases the cloud provider will have made significant investments securing that service from cyber-attack; far more investment than all but the very largest organisations make. Microsoft, for example, invest over $1 billion annually in security and employ 3,500 cyber security experts.

So, by running your applications in the cloud, you inherit the investment that your cloud provider continues to make, keeping it secure against the ever-changing cyber security threat landscape. These investments typically include:

• Sophisticated multi-layer cyber security architecture and tooling used to prevent, detect, and respond to cyber-attack more efficiently than ever.
• 24x7x365 monitoring and response capability, so they can react no matter when an attack is launched.
• Embedded processes to ensure that security is maintained against all the latest identified security vulnerabilities.
• Teams of highly trained specialists, with scarce and valuable (read expensive!) skills.
• Industry standard certifications, including ISO27001, providing external validation that their cyber security capabilities are operating effectively.

On its own this bundle of capabilities looks attractive; particularly as ensuring the operability of your systems and security of the data held on them is non-negotiable. The increase in business transacted online, a trend accelerated by COVID, means this has never been truer than it is today. When you remember all that is on top of the other benefits that moving your business to the cloud can offer then the case for cloud, and the security you inherit with it, makes even more sense:

• Speed of deployment.
• Scalability of compute and storage.
• Reliability and availability of applications.
• Reduced management overhead and less external tooling requirements.
• Accessibility, over the internet anytime, anywhere, on any device.
• Disaster recovery, and the ability to backup and restore data with ease.

A stronger security model than your own budget allows

It is true that all of this can be achieved yourself on your own infrastructure solution, if all these cyber security capabilities are built in-house. We are seeing cyber threats increasing in sophistication and voracity, and with it the cost of mitigating them is correspondingly rising. As this escalates, the point at which it makes sense to hold these capabilities in-house becomes increasingly prohibitive.

With the dissolving perimeters that are present within modern day application architectures, the skills, tooling, and experience required to secure your platform changes. Traditional environments usually control access by using a perimeter security model, but modern environments are highly connected, making it easier for traffic to bypass traditional perimeter defences. Preventing unauthorised access therefore requires shifting to a data-centric security approach but the cloud providers do most of this work for the consumer.

Isn’t it time you evaluated whether it still makes sense to hold these skills in-house, or leverage the significant investment cloud providers make to do this for you?