Cloud vs Digital and Cyber Security
A simple explanation of the difference between transitioning to Cloud and digital transformation, and the implications for cyber security.
Cloud-first and digital transformation are two different things. The transition from using private data centres to cloud is a form of outsourcing for infrastructure. It is evolution rather than transformation but can bring benefits in terms of efficiency and effectiveness. It can be secured by extending to the cloud the approach used for cyber security in private data centres.
Digital transformation is different from moving to the cloud. Although digital transformation is made easier by the tools that come with a transition to cloud-first, it is disruptive to people, process and technology. Disruption destroys something you value today but liberates something new and ten times better tomorrow. For CIOs, cloud-first means a move away from controlling infrastructure, and digital means new approaches to software ecosystems. For CISOs, cloud-first demands that we build out security from identity, not the network, and digital means we need to secure data dispersed across a landscape rather than held in fortresses.
For a digital transformation to be successful, the CISO must overhaul cyber security authentication and authorisation capabilities. Most companies will have a legacy technology estate with a network-centric approach to security, originally designed to protect monolithic applications residing in private data centres. However, the transition to greater use of public clouds means security has become increasingly dependent on identity rather than the network. Digital transformation requires accelerating the evolution of how we AUTHENTICATE identity, so that trust is no longer contingent on the network a request arrives from. More challenging still is the transformation in data security required for full digitisation. With micro-services using Application Programming Interfaces (APIs) and operating on data lakes, access management will require a transformation in AUTHORISATION, because access, edit and delete permissions can no longer be inferred from which application a user was admitted to, as they could within siloed monolithic applications.
Evolution of Authentication for Cloud. Although most companies will already make good use of public clouds such as Microsoft Office 365, their core offering to customers is probably still anchored in monolithic applications residing in private data centres. Historically, the most cost-effective way of securing such an ‘on-premises’ approach to IT was for cyber security to use network-centric methods of authentication: a request was trusted because it came from inside the corporate network. As companies drive cost out of IT by increasingly migrating applications to public clouds, they need to accelerate the change in cyber security from a network-centric approach to a zero-trust approach, in which the network carries no trust because we no longer control it. In both approaches the health of the connecting device is important, but under zero trust the defining attribute for a security decision becomes the authenticated identity of the person or workload seeking a transaction, rather than whether the source IP address is trusted.
Transformation of Authorisation for Digital. Beyond simply migrating to cloud, an ambition for digital transformation will also drive fundamental changes to architecture. Some years ago, Gartner recommended a multi-grained architecture of traditional applications (macro-services) alongside mini- and micro-services. This introduced a new challenge for cyber security: the authorisation of access to data in a loosely coupled ecosystem of autonomous, highly cohesive services, where business logic and data are shared and re-used. In a traditional application, the user interface (usually a browser) is connected to a data source (usually a relational database) via a business logic layer that is tightly bound to both. In a monolithic application, authorisation is easy because access, edit and delete permissions are enforced by that single business logic layer and can be inferred from the fact that a user was allowed into the application at all. With a micro-services architecture, using APIs to operate on data lakes, and without a common authorisation framework and service, every service has to make that decision for itself: access management becomes a challenge and data security can become a critical weakness. A failure there can fatally undermine customer trust and lose revenue.
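The two shifts described in the last two sections, from network-centric to identity-centric authentication and from inferred to explicit authorisation, can be put side by side in code. The following is an added illustration, not code from the article or from any product it mentions. It assumes a corporate address range of 10.0.0.0/8 for the legacy check, an HMAC-signed bearer token standing in for what an identity provider would issue (a real provider signs with an asymmetric key and publishes the public half), and an invented role model (user, analyst, admin) over customer records that carry an owner field. Everything else is standard-library Python.

```python
import base64
import hashlib
import hmac
import ipaddress
import json
import time
from typing import Optional

# Legacy, network-centric control: a caller is trusted because of where it
# connects from. The address range is an assumption constructed for the example.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]


def network_trusts(src_ip: str) -> bool:
    """True if the source address lies in the (assumed) corporate range."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


# Zero-trust control: identity travels in a signed token that is verified on
# every call, whatever the source address. A shared HMAC key keeps the example
# self-contained; an identity provider would use an asymmetric signing key.
SIGNING_KEY = b"example-signing-key"  # constructed for the example


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, roles: list, ttl: int = 300,
                now: Optional[int] = None) -> str:
    """Mint a compact token: base64url(payload) '.' base64url(HMAC-SHA256)."""
    now = int(time.time()) if now is None else now
    payload = json.dumps({"sub": subject, "roles": roles, "exp": now + ttl},
                         sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return f"{_b64url(payload)}.{_b64url(sig)}"


def verify_token(token: Optional[str], now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if signature and expiry check out, otherwise None."""
    if not token or token.count(".") != 1:
        return None
    body, sig = token.split(".")
    try:
        payload = _unb64url(body)
        expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(sig)):
            return None  # tampered payload or forged signature
        claims = json.loads(payload)
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        return None  # expired: identity must be re-asserted, not assumed
    return claims


# Shared authorisation policy: every service that touches the data lake calls
# the same decision function instead of inferring rights from "the user was
# allowed into this application". Roles and resource shape are assumptions.
def authorise(claims: dict, action: str, resource: dict) -> bool:
    roles = set(claims.get("roles", []))
    is_owner = resource.get("owner") == claims.get("sub")
    if "admin" in roles:
        return True
    if action == "read":
        return is_owner or "analyst" in roles
    if action in ("edit", "delete"):
        return is_owner
    return False  # unknown actions are denied by default


def handle_request(mode: str, src_ip: str, token: Optional[str], action: str,
                   resource: dict, now: Optional[int] = None) -> str:
    """Simulate one API call under the 'network' or 'zero_trust' model."""
    if mode == "network":
        # Legacy: anyone on the trusted network acts with the application's rights.
        return "allowed" if network_trusts(src_ip) else "denied: untrusted network"
    claims = verify_token(token, now)
    if claims is None:
        return "denied: unauthenticated"  # holds even for 10.0.0.0/8 callers
    if not authorise(claims, action, resource):
        return "denied: unauthorised"
    return "allowed"
```

Under the legacy mode a caller on 10.1.2.3 can delete any record with no identity at all; under zero trust the same caller is refused until it presents a valid token, and a caller from the public internet with a valid token is admitted and then held to the explicit policy, so an analyst can read a record but not delete it. Swapping the payload of a token for one that claims the admin role fails the signature check, and an expired token is rejected rather than quietly trusted.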
Amazing article! Super insightful!
Good article Nick!
Identity, credentials and trust were the basic building blocks of SOA in the early 2000s. Information held in enclaves accessible via trusted services enabled global security in support of deployed military operations. Today many do not have the luxury of building networks in this way, as the cost of decommissioning old infrastructure means time to roll out middleware. Middleware scalable across a network which has grown to satisfy un-architected systems often cannot provide a one-size-fits-all solution, and on go the problems. Digital transformation is a great solution, but few will write off existing investment to make a migration to a disruptive option. Why? Because the business has not yet recognised that the investment is not just about security; it is about securely targeting business growth opportunities. The biggest challenge for CISOs is to demonstrate the return on investment with security baked in as a given. Few Boards are attracted by spending purely to mitigate a risk which may never materialise. The CISO challenge is to bridge that mindset by linking digital transformation to the business strategy. Great explanation, saved for future reference.
Nick - clear and informative - thank you Nick