Posted on 8th August 2019
by Paul Smitherman
Busting the myths about public cloud security

As organisations implement digital transformation programmes to stay competitive, the appeal and benefits of the public cloud continue to gain traction. Public cloud providers have done much to address the security issues faced by early adopters of the public cloud. Yet high-profile stories reporting extensive data breaches continue to fill our newsfeeds on a regular basis. As we write this, the financial press is speculating whether the recent Capital One data breach, which compromised a massive 106 million clients, will have an impact on the growth of its public cloud provider, AWS. Amazon, on the other hand, is denying the blame and saying that its cloud services were not compromised in any way.

Combine that with the tightening of data breach legislation, greater pressure to hold the C-suite accountable for security breaches, and the public trust needed for financial services to stay in business, and it is little wonder that myths around public cloud security are still a top concern. No one wants to be tomorrow’s headline. With potential jail time for Information Security leaders who do not make the necessary provisions for safekeeping client data, the true benefits of the cloud, like availability and reliability, become secondary; security is critical. It’s why financial services need reassurance on how Microsoft has got it covered and how it addresses some of their worries. Here we bust the three most common myths when it comes to the Microsoft public cloud:

Myth #1 The public cloud is inherently insecure (SCCM)

Azure Active Directory (AD) has been integral to Microsoft’s success in coaxing out traditional organisations, which are typically using a Windows AD, by securely exposing certain non-sensitive attributes to the public cloud. Sharing elements of your internal directory, user names and computer accounts sounds scary, but in reality this is performed securely using an SSL-encrypted API endpoint, directed at the client tenant. Each organisation has its own tenant and its own Azure AD directory, which is used to synchronise user content. Essentially, the public cloud is a mirror image of what your company has in its internal domain and provides a new focal point for authentication and single sign-on.

Microsoft’s security-led features, including multi-factor authentication (MFA) and conditional access, are currently at the forefront of identity protection and validation. You may have experienced logging on to a system and having a prompt sent to your phone. This is what happens on the Microsoft public cloud, and it creates two levels of protection. By using a device that you own and providing you alone with a code (or approval) to ensure the connection can take place, Microsoft has created a super-secure login. With conditional access, organisations can also limit access by a specific location and create a geofence around what data can be accessed from where. This may be to prevent access from far-flung locations around the world, or to restrict it to within a specific office radius.

Myth #2 The public cloud is easier to attack

Azure AD is a fully integrated platform-as-a-service which simply needs to be populated in order to be fully functional. It comes with a number of security features to ensure Microsoft stay on top of any threats to the service, and also to highlight any issues around unauthorised access. It is in Microsoft’s interest to ensure, and provide evidence, that they are doing all they can to keep the public cloud secure. They have to be constantly on the front foot. Their reputation is on the line and it’s vital they continuously invest in developing security products to ensure public cloud security in the interest of their clients.

There is strength in numbers too. Microsoft have invited third parties to join the fight to keep the public cloud secure. A Network Virtual Appliance (NVA) enables clients to reduce the risk and deploy products from multiple service providers for the purpose of security and resilience. That way not all the eggs, or firewalls, are in the one basket. These third-party vendor NVAs provide a continuous and sophisticated level of protection, monitoring and reporting, which flags up any potential security or access threats so these can be followed up, investigated and contained.

Myth #3 Cloud security is too complex to maintain

The public cloud is still a new technology – ground-breaking even. As humans, we are resistant to change. Like anything new, the public cloud introduces the unknown; and the unknown is complex because we are still unsure of the parameters. Much of the attitude towards the public cloud is hesitance about having to change the way we work. It’s an emotional response to technology, as it takes us out of our comfort zone. The key takeaway is simply that the public cloud is different. And it has different considerations.

Many of the major technology providers are now taking a cloud-first approach, designing and developing solutions exclusively for the public cloud. As we become more used to this technology, more and more organisations will be leaving behind their on-premise infrastructure and moving to the cloud. For those who want to take baby steps as they adapt, there is also the possibility of going hybrid by blending a private on-premise cloud solution with public cloud until all the unknown parameters are known and the organisation has full confidence in the public cloud.

Find out how Lanware is helping its financial services clients enjoy the benefits of the public cloud with Finance Forward 365.