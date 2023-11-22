Chief Innovation Officer orca security,

getty

The move to the cloud continues unabated, with more and more business enterprises operating in hybrid and multi-cloud environments. For example, a recent study from Oracle found that 98% of respondents have at least two cloud infrastructure providers and 31% expect to have four or more.

However, despite the ubiquity of the cloud, some businesses still question whether the cloud is right for all of their operations, especially those involving business-critical applications.

In answering that question, a business can start by making sure they know what their business-critical applications are – and how they can be defined using different criteria. One obvious characteristic of an important app is whether it handles sensitive information, such as data collected by banks, healthcare providers, and other organizations in highly regulated industries. Of course, that type of data is a frequent target of cyber attackers, who spend a lot of time and effort gaining access to it.

But there are other factors to consider, like availability and accessibility. An application may not hold sensitive information, but if it suffers downtime it can cause serious damage to an organization’s reputation or ability to operate. Basically, critical applications are those applications that are essential to conducting business.

Advantages and disadvantages of security in the cloud

From a security perspective, the cloud offers many benefits. Cloud providers usually have the latest security tools and regularly ensure that applications are easily maintained, patched, and updated. The cloud providers themselves are likely to be more secure than 99% of the remaining enterprises.

However, the security of the cloud is not entirely dependent on the provider. Organizations need to understand their role in the shared responsibility model of the cloud. The terms of the model may vary slightly per provider and per cloud service, but in basic terms, the provider is responsible for the hardware, software, networking, and features that the cloud infrastructure provides. The customer is responsible for everything that runs in the cloud, including operating systems, applications, and access and authentication management.

And although the cloud is inherently secure, we see security issues at times within the cloud provider domain. For example, vulnerabilities are frequently discovered in cloud providers by security researchers, such as when the Microsoft Azure Synapse service was found to have inadequate tenant separation to protect sensitive information from other Synapse tenants – one of six vulnerabilities found in Azure within a year. One of the serious flaws. Security researchers suggested that customers avoid storing sensitive information in the service until Microsoft made a fix, which it eventually did.

Solutions to risks may be unclear

How long customers have to wait for defects to be fixed – which can range from a few days to several months – is another issue to consider. Following vulnerabilities found in Azure, Microsoft has come under fire from security researchers who have said the company is taking too long to release fixes after they were flagged by researchers. Microsoft isn’t the only cloud provider to come under the microscope – researchers have found some significant vulnerabilities in AWS as well – although Azure has had the most recently discovered flaws.

Tenable CEO Amit Yoran, in an interview with CRN, described the Synapse vulnerability as a “serious” risk and condemned Microsoft’s lack of transparency regarding the disclosure of the vulnerabilities, saying that the company did not care about the risk to its customers. Did not give priority to reduction.

I, too, have criticized Microsoft’s response time to vulnerability disclosure, as my company faced similar issues in transparency and coordination during the disclosure process.

An important thing for organizations to keep in mind is that all of these vulnerabilities were found in relatively new services, as opposed to the cloud provider’s core services, such as basic virtual machines or storage buckets.

So, is the cloud safe for critical apps?

For the majority, yes, but not for all. A cloud platform provider will likely provide a more secure environment than something an organization can build on its own. But there are some caveats.

In an ideal scenario, organizations where they host highly critical business applications would identify high risk and potential risks and determine whether they can handle the impact of that risk. If they decide the risk is too great to accept, they should take advantage of another security mechanism and/or rely on core services, avoiding relatively new managed services.

Assessing the level of risk may be based on the nature of the information the application handles – such as extremely sensitive or highly regulated workloads that could cause serious harm if exposed – or uptime and availability.

For example, an organization may be concerned about handling sensitive data in an environment that does not have complete separation of tenants, where the risk of data being stolen by another tenant is too great to accept. In that case, the organization may add another security mechanism, such as application-level encryption, or it may decide not to use the cloud. I know of several large organizations that have chosen the latter option, refusing to use managed services for some sensitive applications.

Availability may be a concern in situations where, for example, an organization requires extremely fast service or nearly 100% availability from a certain geographic location. If you need extremely low latency for a certain location, then, by definition, a cloud is not enough. In that case, the organization will need to check the local service capabilities of the provider before deciding to leverage the cloud. It can also opt for redundancy by leveraging multiple cloud providers.

conclusion

The cloud’s inherent security makes it a worthy platform for critical business applications, but organizations would be foolish to rely on cloud providers to provide all the security they need. Businesses need to be aware of their roles in the shared responsibility model and carefully evaluate the risks the cloud provides in terms of sensitive information or availability and uptime. If organizations do their due diligence and live up to their security responsibilities, in most cases, the cloud is a safe place to do business.

The Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs, and technology executives. Am I eligible?