What to think about when moving to the cloud

Sep 19, 2016 | 7 min read
Topics: Cloud Computing, Cloud Security, Data and Information Security

Industry leaders offer insights on cloud security, compliance concerns, dealing with legacy systems, and more


Well, it’s 2016, and a few years ago Gartner reported that “By 2016, poor return on equity will drive more than 60 percent of banks worldwide to process the majority of their transactions in the cloud.”

Enterprises across all sectors are either in the cloud, transitioning to the cloud, or thinking about making the idea of cloud a reality. 

For those who are preparing to make the move, there are a variety of concerns to consider and plan for in order to make the transition smooth. In addition to deciding on the right cloud provider and whether to go with a private or a public cloud, CISOs also need to think about implementing access controls and encryption, and about addressing legal and compliance issues.

Russell Stern, CEO of Solarflare, said that many financial institutions are building private clouds because they buy so many computers that going to Amazon or Microsoft doesn’t save them any money.

Of greater concern than cost, though, is putting client data out into a public cloud. “The security of that has not been solved. A lot of companies talk about hybrid cloud, and they can put the less sensitive data in the public cloud infrastructure,” Stern said.

Whether they choose public or private clouds, the decision to move to a cloud must be centered around security. “We are being attacked so hard from nation states that the public cloud is not sufficient in security for the kind of protection these institutions need. With the public cloud, they are not exactly sure where it is,” Stern said.

Many agree that the public cloud environment has too many unknowns, especially for those enterprises that have to worry about compliance issues. For financial institutions, “The biggest concern is having a third party, which doesn’t have to be an outsider, capture your transactions in a place that is separate from the environment running the application so that you can forensically look backwards,” Stern said.

Another question that should be considered before making the idea of cloud a reality is whether the cloud is a better alternative to the current IT system infrastructure. If the answer is yes, the question to follow should be how organizations can integrate their current systems with the cloud.

For most legacy systems, cloud is a worse alternative, Stern said. “For modern applications, moving into cloud is easier. But there are companies that have five to 10,000 legacy applications that were written 20+ years ago.”

In either a private or a public cloud, they need applications to behave a certain way. Unfortunately, it is not always possible to move legacy applications. A workaround that will require change over a long period, said Stern, is to put what they can in their private or public cloud while they examine which applications are worth rewriting.

Before making the move to the cloud, Alex Hamerstone, GRC practice lead at TrustedSec, said, “Settle on a definition of what the cloud is. It’s really just someone else’s computer. A computer that’s not yours. You should know why you are moving to the cloud. What are the advantages? Is it cost or that it is easier to maintain?”

While cost is often cited as a reason for making the move to the cloud, for larger enterprises the cost of protecting all of their users can actually increase.

Gunter Ollmann, CSO at Vectra Networks, said, “Instead of buying hardware and appliances with a three-to-five-year depreciation lifecycle, they are buying a service. They are now paying, typically, based around number of servers or users being protected. Their security spend can change drastically in Capex and Opex.”

For example, if they want to firewall their organization today, they could buy a $15,000 firewall and deploy it. “They don’t care about how many users they have in their environment. When you shift to cloud, firewall spend will be based on the number of users using the cloud. The number of users protected will change the cost considerably,” Ollmann said.

Contracts are extremely important, and organizations should understand the service-level agreement and be aware of any financial consequences if the provider fails to meet the SLA. “Someone once told me, it doesn’t matter who’s liable, it matters who is collectable,” Hamerstone said.

Where is the data located?

Enterprises also should be asking exactly where, physically, their data is going to be located. “That can affect your regulatory requirements. It’s definitely a red flag if the providers don’t know. They should have assurance that it’s in a certain facility or area,” said Hamerstone.

More providers are able to give those assurances because data centers are being erected in different areas across the globe to provide cloud services, a response to the complexity of local laws and regulations. “EU countries don’t want their data leaving the EU, so it is easier to set up a data center in the EU,” said Hamerstone.

An established provider, said Hamerstone, has already addressed the security questions that worried security practitioners a few years ago. “They will be able to tell you what types of security controls they have in place. Ask them if you are being hosted on your own instance so that you’re not hosted in the same cloud as three other companies. That way, you can’t access someone else’s data and they can’t access yours.”

In terms of security controls, they should treat the cloud as they do the server down the hall, Hamerstone said, “If you have to encrypt in the server down the hall, it has to be encrypted in the cloud.”

One glitch to look out for, though, is licensing agreements. “Software companies will often make more money off of fines for having stuff in the wrong place. If you are moving the application, make sure you are moving the license as well,” Hamerstone said.

Organizations that are making the transition will also need the same classes of security technology that they have employed inside their own infrastructure, whether it’s intrusion detection or data leakage prevention, and they now require virtual versions of those tools to be deployed in the cloud.

“They should ensure they still have the same technology and visibility of their traffic. Some will find they need to look at alternative vendors for their cloud security. Many traditional vendors do have some virtual appliances, but in general many of the newer security companies have focused on cloud and have much more mature security cloud based products,” Ollmann said.

Many enterprises still have reservations about moving to the cloud because they fear a loss of control in the virtual world. In reality, though, the cloud does exist in some physical space. The notion that physical security no longer needs attention is, according to Ollmann, a blind spot in cloud adoption.

“They are still on a physical infrastructure and the physical infrastructure needs to be secured. It’s difficult to monitor the physical security of a cloud provider to detect vulnerabilities that are within the physical infrastructure,” said Ollmann.

Enterprises should ask about security assurances in both the virtual and physical places where their data is stored to avoid the risks of these not-so-well-known blind spots.


Kacy Zurkus is a freelance writer for CSO and has contributed to several other publications including The Parallax, and K12 Tech Decisions. She covers a variety of security and risk topics as well as technology in education, privacy and dating. She has also self-published a memoir, Finding My Way Home: A Memoir about Life, Love, and Family under the pseudonym "C.K. O'Neil."

Zurkus has nearly 20 years’ experience as a high school English teacher and holds an MFA in Creative Writing from Lesley University (2011). She earned a Master's in Education from University of Massachusetts (1999) and a BA in English from Regis College (1996). Recently, The University of Southern California invited Zurkus to give a guest lecture on social engineering.

The opinions expressed in this blog are those of Kacy Zurkus and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.