The key to competitive advantage?
Businesses move to Cloud because it apparently offers immediate financial gain (move from CapEx to OpEx, lower fixed costs…), only to find that, as with all other major change programs, costs actually rise until transition is complete. You have to maintain your legacy systems while paying for your new Cloud environment, and then you pay more to ensure full interoperability while you are running two parallel infrastructures, and it’s just so complex!
A typical response is to look for quick wins: ways to develop and launch Cloud native services fast, aiming to create new revenue streams that will pay at least some of the costs of change.
To be clear, we support that. We think it’s smart to start acting as a real Cloud business and monetize Cloud as fast as you can, but you need to understand the kind of security issues that could arise. Let’s focus on two key areas: growing complexity, and cloud-specific security threats.
This is complicated…
To monetize Cloud fast, you will be using standard, off-the-shelf software, both as apps and as more capable platforms (core banking platforms, for example, for white-label financial transaction management to allow for fast entry to online retailing).
You will have fewer in-house apps (eventually, you will probably have none at all) but you will be using SaaS-delivered solutions both for your own needs and to customize and deliver under your own brand to end-user customers. That’s how you get into the market fast, by taking someone else’s cloud-native software and selling it on (with specific customizations, which might be pretty extensive).
You will also be migrating (or replacing, or repurposing/replatforming) your apps portfolio, using external providers, who make use of containers and Kubernetes designed to work across clusters and multiple platforms. Your data and IP should be safe, but if there happen to be weaknesses anywhere in this value chain then you have a problem.
Finally, you are going to speed up time to market, so ecosystem working is the norm, with rapid, agile DevSecOps as the preferred method. That’s also good. None of these steps is problematic in itself, but add them together and you have a more complex landscape to manage, with more points of possible vulnerability. That’s not the full picture…
That goes for threats, as well!
We are all used to living with cyber threats, and these are growing in sophistication and intensity all the time. In the Cloud, these threats and concerns have a somewhat different form and can come at you from more directions, too. So what’s new?
Data sovereignty is more of an issue when hosting in the Cloud. It’s a known problem with known solutions, but you need to be satisfied that your arrangements comply with all regulations. As ecosystem working becomes more of a way of life (and it will, once you are fully Cloud native), Identity and Access Management gains a new level of complexity and urgency.
Onboarding, testing credentials, checking for accuracy: the processes are different in the Cloud and you will need to review the procedures you have in place and potentially rethink them. In Cloud, secure networking becomes more important, as you will be uploading and downloading encrypted data continuously. The fact that you make use of encryption does not give you immunity to hacking or theft.
In shared environments, while you aim to secure the benefits of speed, agility and cost, you need to guard against the potential extra points of vulnerability this complexity brings. And then there is the whole question of what is happening in your own organization. Transformation is likely to go (in fact it should go) far beyond IT transition from on-premise or conventional outsourcing to Cloud.
You are likely to see changes in structure, reporting lines, and the balance between in-house disciplines and external/ecosystem working. All changes of this kind require corresponding adjustments to cyber security solutions, processes and working methods.
So what to do?
First of all, stay calm. Becoming a Cloud native organization is a big change and is bound to bring a certain kind of complexity with it. Enterprises need to develop the disciplines and skills needed to manage hybrid environments, with cyber solutions that scale and flex as the networks they use do.