If I had a Pound for every time someone says…

“We’re secure now as we’ve moved to the ‘Cloud’”, I’d have about ninety quid. Initially, cloud was a bit of a novelty, then it started to gain momentum over the years and then rapidly became the thing to do, particularly as a cheap bucket of storage and as a way to implement new services quickly. Almost all organisations now use cloud services for at least a few serious business requirements. But here’s the thing: whilst what Mr Cloud salesman said about security wasn’t exactly untrue, he wasn’t specifically clear about what steps to take to secure it either. To be fair, for a lot of companies I’ve met, moving data into the cloud was much safer than previous environments, as in smaller organisations I’ve seen Domain Controllers installed under the desks in Receptions of multi-tenanted offices, and I’ve lost count of the times I’ve found servers physically unsecured, sharing rooms and cupboards across a plethora of office staff and even the cleaner!

Anyway, cloud is good, and can be really good, if it is done properly and secured properly, as if the systems were installed in front of you on shiny tin. As a perfect example, Microsoft 365 is a great strategy to have and its security isn’t half bad either. But you need to be careful once you start building your data lakes: without strict controls in place, you can build up a lot of future problems.

I often find that people start their cloud migration project and get the key data and services across, but do not decommission the old on-premises kit for fear of upsetting old Ken who works in accounts and still needs access to his ancient system that wasn’t able to be migrated. Or the security control room that still uses the W2003 server for all the physical access control systems, and the list goes on. Many companies end up in a less-than-satisfactory situation, in that their cloud services are not as secure as they should be, and they’ve retained legacy systems for too long. The result is a far greater risk of cyber-attack.

On the upside, there are some spectacular tools out there now to protect your cloud infrastructure, but they took a while coming. Nevertheless, cloud for most organisations is the way forward. It is still true today that the cloud is ‘someone else’s computer’ and that you don’t own your bit of the cloud; you’re simply leasing it. However, you have made the decision to accept the risk of handing over your personal and business data to someone else, and you’ve traded that for convenience. Most data breaches in the cloud come from people not protecting their data properly, not from the cloud providers themselves. But… having all your eggs in someone else’s basket is still a bit worrying, particularly as most of the western world uses just 6 players in this space. According to those specialising in insurance risk, a cyber-attack from a hostile nation state (or other threat actor) at one or more of these cloud players could create a financial catastrophe, possibly in excess of the COVID costs. Gulp. So, just make sure you take regular offline backups of your most valuable data.