Story image

Cloud security: What you need to know before you make the move

06 Mar 2019

Recently IT Brief had the opportunity to talk to Petra Smith, virtual security consultant at Aura Information Security, about cloud security and how to best approach it.

To start off with can you tell me a bit more about yourself and your experience at Aura? 

Aura is an information security consultancy with offices in Wellington, Auckland, Sydney and Melbourne. Our team consists of more than 30 consultants that offer a wide range of services – from penetration testing, physical security, virtual security officer, and staff and developer training.

As a Virtual Security Officer, I work with businesses to help them understand their security risks so they can be more proactive in protecting what’s important to them.

The uptake of the cloud has skyrocketed over the past few years, what are some of the biggest benefits of moving to the cloud? 

Modern businesses need their IT environment to be flexible, powerful and reliable – and that’s where the cloud excels.

With a traditional on-premises setup, you’re limited by what your hardware and software can do. It takes a lot of time and effort to maintain that equipment and upgrade it as the business’s needs evolve. The cloud takes away a lot of those tedious maintenance tasks, which frees your IT team up for things that add value to the business.

The cloud also gives you access to the resources that you need so you only pay for what you use and can easily scale up when you need more storage, bandwidth or functionality. 

However, moving the cloud is not without risk, what are some of the biggest threats businesses should be aware of? 

The risks in the cloud aren’t really different from the ones you have in an on-premises environment. The cloud by its nature means that your IT systems are connected to the internet, where you don't have the luxury of things being protected by being hidden away so that people can't find them.

But on the other hand, that’s no longer how we do business. Customers expect to be able to get to your website and do business 24 hours a day and employees expect to be able to check their emails or work from anywhere at any time.

Popular cloud services like Office365 and G Suite are an appealing target for phishing campaigns – they can keep trying the same technique over and over until it works. You can’t afford to treat cybersecurity as “just an IT problem” in the cloud. Everyone in the business needs to know how to choose strong passwords, use multi-factor authentication and spot common scams.

What are some of the biggest misconceptions in your opinion surrounding cloud security? 

A lot of businesses who are new to the cloud expect it to be just like a data centre. In a traditional environment, security is about control. You can control who has access to your equipment, you control what it’s made of and how it’s configured, you control who’s allowed to do what. In the cloud it’s different.

In a cloud environment, security responsibilities are shared. You’re responsible for deciding what protection your data needs, and who should be able to access it. The cloud provider is responsible for keeping their facility and the physical equipment secure, and depending on the service they might take care of patching the software and keeping your data backed up, or leave that up to you.

Don’t just assume that your provider will take care of everything for you. Do your research and find out what they do to keep your data secure, and what parts you still need to look after yourself.

What are some cloud security best practices in your opinion? 

I think the single best thing that any business can do is start off with a plan.

Whether you're going to start with just one small project, like your public facing website, or if you're going to move your whole file storage, email and your business systems to the cloud, start with a plan for what you're going to put in there, what systems that's going to interact with, who's going to need to use it, and how they're going to use it. Then take that information to work out what level of protection you're going to need, and shop around for the right provider.

Security isn’t something you can just set and forget, so make sure you’ve got a clear idea of who will be responsible not just for setting things up correctly, but also for carrying out the day-to-day responsibilities like patching and monitoring your environment.

On top of that education is vital as well. When you're moving from a tightly controlled environment to the flexibility and freedom of the cloud, it's key that everyone in the business understands security risks and has the knowledge and skills to work safely.

Threats are on the rise, and security is something that can be complex and challenging to manage yourself. Sometimes, it’s best to call in the experts to help keep you on track. They bring an outsider perspective and are often better placed to provide insight and guidance when it comes to where, and how much, your business needs to improve its cyber posture.

Why 'right to repair' legislation could be a new lease on life for broken devices
“These companies are profiting at the expense of our environment and our pocketbooks as we become a throw-away society that discards over 6 million tonnes of electronics every year.”
Attacks targeting Cisco Webex extension explode in popularity - WatchGuard
WatchGuard's Internet Security Report for Q4 2018 also finds growing use of a new sextortion phishing malware customised to individual victims.
SAS partners with NVIDIA on deep learning and computer vision
“By partnering with NVIDIA, we combine our strengths to augment human intelligence and realise the true potential of AI.” 
Why businesses must embrace automation to ensure success
“For many younger workers, the traditional view of a steady job at one company, perhaps for life, simply doesn’t reflect reality."
Dropbox invests in hosting data inside Australia
Global collaboration platform Dropbox has announced it will now host Australian customer files onshore to support its growing base in the country.
TYAN unveils new inference-optimised GPU platforms with NVIDIA T4 accelerators
“TYAN servers with NVIDIA T4 GPUs are designed to excel at all accelerated workloads, including machine learning, deep learning, and virtual desktops.”
Worldwide spending on security to reach $103.1bil in 2019 - IDC
Managed security services will be the largest technology category in 2019.
How Cognata and NVIDIA enable autonomous vehicle simulation
“Cognata and NVIDIA are creating a robust solution that will efficiently and safely accelerate autonomous vehicles’ market entry."