
Cloud security: What you need to know before you make the move

Recently IT Brief had the opportunity to talk to Petra Smith, virtual security consultant at Aura Information Security, about cloud security and how to best approach it.

To start off with, can you tell me a bit more about yourself and your experience at Aura?

Aura is an information security consultancy with offices in Wellington, Auckland, Sydney and Melbourne. Our team consists of more than 30 consultants who offer a wide range of services – penetration testing, physical security, virtual security officer, and staff and developer training.

As a Virtual Security Officer, I work with businesses to help them understand their security risks so they can be more proactive in protecting what’s important to them.

The uptake of the cloud has skyrocketed over the past few years. What are some of the biggest benefits of moving to the cloud?

Modern businesses need their IT environment to be flexible, powerful and reliable – and that’s where the cloud excels.

With a traditional on-premises setup, you’re limited by what your hardware and software can do. It takes a lot of time and effort to maintain that equipment and upgrade it as the business’s needs evolve. The cloud takes away a lot of those tedious maintenance tasks, which frees your IT team up for things that add value to the business.

The cloud also gives you access to the resources that you need so you only pay for what you use and can easily scale up when you need more storage, bandwidth or functionality. 

However, moving to the cloud is not without risk. What are some of the biggest threats businesses should be aware of?

The risks in the cloud aren’t really different from the ones you have in an on-premises environment. The cloud by its nature means that your IT systems are connected to the internet, where you don't have the luxury of things being protected by being hidden away so that people can't find them.

But on the other hand, that’s no longer how we do business. Customers expect to be able to get to your website and do business 24 hours a day and employees expect to be able to check their emails or work from anywhere at any time.

Popular cloud services like Office365 and G Suite are an appealing target for phishing campaigns – they can keep trying the same technique over and over until it works. You can’t afford to treat cybersecurity as “just an IT problem” in the cloud. Everyone in the business needs to know how to choose strong passwords, use multi-factor authentication and spot common scams.

What are some of the biggest misconceptions in your opinion surrounding cloud security? 

A lot of businesses who are new to the cloud expect it to be just like a data centre. In a traditional environment, security is about control. You can control who has access to your equipment, you control what it’s made of and how it’s configured, you control who’s allowed to do what. In the cloud it’s different.

In a cloud environment, security responsibilities are shared. You’re responsible for deciding what protection your data needs, and who should be able to access it. The cloud provider is responsible for keeping their facility and the physical equipment secure, and depending on the service they might take care of patching the software and keeping your data backed up, or leave that up to you.

Don’t just assume that your provider will take care of everything for you. Do your research and find out what they do to keep your data secure, and what parts you still need to look after yourself.

What are some cloud security best practices in your opinion? 

I think the single best thing that any business can do is start off with a plan.

Whether you're going to start with just one small project, like your public facing website, or if you're going to move your whole file storage, email and your business systems to the cloud, start with a plan for what you're going to put in there, what systems that's going to interact with, who's going to need to use it, and how they're going to use it. Then take that information to work out what level of protection you're going to need, and shop around for the right provider.

Security isn’t something you can just set and forget, so make sure you’ve got a clear idea of who will be responsible not just for setting things up correctly, but also for carrying out the day-to-day responsibilities like patching and monitoring your environment.

On top of that, education is vital as well. When you're moving from a tightly controlled environment to the flexibility and freedom of the cloud, it's key that everyone in the business understands security risks and has the knowledge and skills to work safely.

Threats are on the rise, and security is something that can be complex and challenging to manage yourself. Sometimes, it’s best to call in the experts to help keep you on track. They bring an outsider perspective and are often better placed to provide insight and guidance when it comes to where, and how much, your business needs to improve its cyber posture.
