The benefits of the cloud are well understood.
The chief reason is the ability to lower capital expenditure (CAPEX) when accessing new compute resources. For a subscription that becomes part of operational expenditure (OPEX), companies have the ability to scale fast, turn on new virtual machines for development or handle peak business periods confidently, while freeing up internal IT staff from maintaining IT infrastructure and updating the software.
Today, clouds offer a lot more. They have become the go-to business platform for new cloud-based services that are constantly updated and refreshed, sharing data with third-party systems seamlessly and driving new IT paradigms like artificial intelligence (AI) and internet of things (IoT).
However, the same interconnectedness and flexibility require a rethink in the way we approach security. Obviously, the traditional castle approach to security is inadequate.
At a recent roundtable discussion, we talked to leading IT executives from Bangkok, Thailand on the security concerns they share when moving to the cloud and how they are evolving their approach to cloud security.
Not all data are created equal
Migrating to the cloud and modernizing the infrastructure offers a lot of benefits, including cost efficiency, scalability and easy access to computing resources.
“The best thing about cloud services is flexibility. We can start using a few services and expand as we go along. Every time we grow, we take on new systems. The challenge is how we can make them work together,” said Anthony Green, group director, Digital Application & Platforms, Minor Hotels.
At Compass Hospitality, Saiyan Wongmakes, corporate assistant IT manager observed that his company is already moving some of the applications to the cloud, especially in “marketing.”
Adrian Hardwick-Jones, vice president, Design & Technical Services, Centara Hotels & Resorts saw his organization as a champion of migrating to the cloud. “We see this as business transformation and view cloud as the best platform to work on today.”
He also saw cloud migration as an opportunity to rethink age-old processes. “So, we are not trying to mimic an old business process on the cloud.”
However, all participants agreed that migrating to the cloud raises security concerns. In some cases, companies have had to rebuild their security framework and policies.
“This is because for us a lot of information is about clinical patient data, which is very sensitive,” said Kenny Lim, chief information officer, Bumrungrad International Hospital.
Many also worried that migrating old applications to the cloud might expose hidden and unforeseen security gaps.
"We have some problems transforming from an old architecture using [on-premises] servers to [public] cloud services," said Cherngchai Naramittakapong, Information Technology manager, Grande Asset Hotels and Property PCL.
Similarly, Sulit Waeowanjua, IT manager, Greenline Synergy Co., Ltd. saw a clear need to move to the cloud “especially for e-commerce” but felt constrained by the amount of investment needed to ensure cloud security.
“It is a common situation that many companies face,” argued Jaheer Abbas, senior director, SEA & India, Limelight Networks.
“When we first started, our conversation was around Content Delivery Networks (CDN) for video and web delivery. Over the last two years, we saw all conversations move toward security, especially protecting data and the brand.”
No single blueprint
The problem with cloud security is that there is no single blueprint. This is because every cloud environment is unique, as it depends on location, organizational structure, third-party partner networks, the regulatory environment, and the cloud providers they are subscribing to.
Often cloud security is the first issue that everyone faces when convincing senior management on a cloud journey. “Working in the Government Sector means I have to convince my management that the data will not be lost or stolen and that we are always compliant,” said Somkid Leelittam, director of Information, Technology Department, Mass Rapid Transit Authority of Thailand.
Another challenge is deciding how much each data is worth. It is a strenuous exercise that Chatchawarn Jirupathum, group IT operations manager, RMA Group went through to ensure that the data is placed in the right cloud environment.
"We went with a multi-cloud model, but then we faced another change: the knowledge in-house," said Prachya.
He noted that cloud platforms are adding more features every day. Keeping up with them and ensuring that data security and policies are aligned can be a struggle because of a lack of knowledge.
Jirupathum also noted an additional security challenge when moving to the cloud: legacy applications. "Traditional workloads and applications are not built to be distributed."
Some participants worried about the data load on networks as they shift their core applications to the cloud. With high-res images and videos becoming the norm, companies are becoming sensitive to network latency and bandwidth. A single distributed denial of service (DDoS) attack can bring companies to their knees.
“It is where content delivery networks (CDNs) make sense,” said Limelight Networks' Abbas. He noted that such solutions could help to optimize network traffic and their website size while increasing consumer traffic and engagement.
“Take for example websites like Cebu Pacific Air where 95% of the business is done online. So, we managed to reduce the website size by 40% and enabled them to do 30% more business. And with the videos and images, the overall end user experience has improved,” he added.
Acknowledging third-party risks
The discussion ended on risks that companies are unable to control.
In a traditional, on-premises environment, data sharing can be vetted, gated and controlled. In a cloud environment which offers the flexibility to connect with third-party networks easily, it is not as simple.
One problem is the developers’ general disregard for online data security. “Now we have incorporated security into the development process,” said RMA Group’s Jirupathum.
Popular third-party cloud services also invite more attacks. “We see an enormous amount of scanning activities and what they are looking for is WordPress vulnerabilities. That is one of the costs that we do not think about when using popular tools,” said Minor Hotel’s Green.
Part of the problem is that companies tend to see security from the infrastructure they control.
“We have no one looking at the whole infrastructure, especially when we are outsourcing part of it. So, we are not there mentally,” said Centara Hotels & Resorts’ Hardwick-Jones.
Limelight Networks’ Abbas noted that Javascript injections and bots that scrape for financial information are becoming the two biggest security worries. He urged companies to start thinking about how they offer privileges to their partners and affiliates.
“Tags are useful for identifying customers. But at the same time, you want to block bots that scrape information. So, you need to decide with whom you want to work with while looking at bot management and other sophisticated tools.”
The right partner matters
All participants agreed that choosing the right partner is vital. As companies figure out their unique cloud journeys, cloud solution providers are no longer seen as IT vendors but as partners.
More importantly, cloud service providers have the right resources, knowledge, and talent to address cloud security concerns that companies might find difficult to acquire, discussion, added Abbas.
For example, Limelight Networks uses its private network to deliver video and web content. Meanwhile, the company’s Edge Cloud offers a low-latency, high-performance services to speed up an application and AI and IoT data through its global private infrastructure.
"Our private network is connected to major cities [around the world]. Once you hit our network, your data will go through our private backbone. We also have our own NOCs to monitor and use web application firewalls to sieve through the network requests," said Jerry Chi, solution engineer, Limelight Networks.
Chi noted that such measures address the cloud security fears that the participants highlighted, without sacrificing performance and flexibility.
