Blog | 20 July 2022
The five pillars of a secure cloud transformation
Solution Architect & Technology Evangelist
If you’re serious about cloud transformation, you also need to be serious about security. There are five areas of security that need to be baked into your cloud transformation for it to be both secure and successful.
Cloud transformation is rapidly changing how we work, how organisations operate, and what security looks like in a world beyond traditional firewalls.
The Covid-19 pandemic quickly shifted work-from-home debates into a day-to-day reality. Remote working is here to stay – and it will dictate an organisation’s ability to operate competitively and attract the best talent.
But moving to a hybrid working model is only part of a wider cloud transformation story.
Cloud transformation isn’t just about unshackling workers from the desk. It’s about changing the entire way your organisation operates, allowing it to stay competitive and position itself for growth at scale.
But if a cloud transformation is to be successful, it needs to be built on strong security.
Baking security into your cloud transformation
By April 2020, the Office for National Statistics reported that the number of remote workers had increased to 46% of the UK’s population.
And there’s no going back to business as usual. As of May 2021, 85% of working adults want hybrid office or home-working structures in place at their jobs.
Pandemic pressure has accelerated the cloud transformation revolution, and to begin with, it was enough that work from home infrastructure simply worked.
However, heading into the Cloud en masse means coming out from behind the traditional security of an on-premises firewall.
Cyber attackers have experienced huge growth in opportunities to compromise your business. The lines between where your company begins and ends have become blurred – massively increasing the attack surface of your organisation.
1: Adopt a ‘zero trust’ mindset
Zero trust is a strategic approach to cybersecurity. An organisation must never assume that access is secure, and must instead explicitly validate users and activity at every stage of a digital interaction.
It also works on the principle of least-privilege access, ensuring that every member of an organisation is given only the bare minimum access to the resources and applications they need.
It’s a necessary response to a changing world. With increased migration to the Cloud, traditional network perimeters no longer exist in the way they used to. Employees and the applications they use are just as likely to be outside of the perimeter as they are inside of it.
Blurring where your borders are introduces weaknesses that bad actors will try to exploit. The aim is to get inside your organisation and access resources and high-value assets – and attackers have never had so many opportunities to do so.
Mitigating these risks means verifying identity continuously, granting only the access that is needed (and no more), and using a variety of signals to make informed decisions about whether users are safe and compliant.
Say, for example, that you’re a junior-level admin assistant in an organisation. You need to access last month’s gross sales figures from your mobile device to plug the raw data into a spreadsheet that the entire company uses, so you can compare it to last year’s figures.
In a zero trust approach to cyber security, employees validate their digital identity, and that digital identity would be checked against what that employee is allowed to access within the organisation.
So, in our scenario:
- The device used would be checked and verified as safe.
- Our junior admin assistant’s identity would be verified first as a member of the organisation.
- That identity would be checked against what access they are privileged to within the organisation.
- If that privilege includes access to last month’s gross sales figures, they will be allowed access to that.
As you can see, zero trust architecture relies heavily on the ability to verify digital identity, which leads us nicely into the next important pillar of secure cloud transformation.
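The scenario above can be written as a small deny-by-default decision function. This is an added example, not code from the original article or from any product it mentions; the `ENTITLEMENTS` table, the `AccessRequest` fields and the resource names are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed entitlement table (role -> resources). Least privilege:
# anything not listed for a role is denied.
ENTITLEMENTS = {
    "admin-assistant": {"sales/gross-monthly"},
    "finance-manager": {"sales/gross-monthly", "payroll/summary"},
}

@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    resource: str
    device_compliant: bool   # assumed signal from device management
    identity_verified: bool  # assumed signal from the identity provider

def decide(req: AccessRequest) -> Tuple[bool, List[str]]:
    """Run every check on every request and return (allowed, failures).

    Nothing is inferred from network location or an earlier grant, and
    all failed checks are reported so the denial can be audited.
    """
    failures = []
    if not req.device_compliant:
        failures.append("device not verified as safe")
    if not req.identity_verified:
        failures.append("identity not verified")
    if req.resource not in ENTITLEMENTS.get(req.role, set()):
        failures.append("resource outside role entitlement")
    return (not failures, failures)

if __name__ == "__main__":
    ok = AccessRequest("jo", "admin-assistant", "sales/gross-monthly", True, True)
    too_much = AccessRequest("jo", "admin-assistant", "payroll/summary", True, True)
    bad_device = AccessRequest("jo", "admin-assistant", "sales/gross-monthly", False, True)
    for r in (ok, too_much, bad_device):
        print(r.resource, decide(r))
```

A role missing from the table gets an empty entitlement set, so unknown roles are denied rather than falling through to a default grant.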
2: Identity and access management – Verifying who you are, why you’re here, and what you’re doing
Before the huge, societal shift to the Cloud, people were still coming into the office. Verifying an employee’s identity was easier as you could see the person. You just had to make sure the face matched the photo on their ID card.
Identity verification and access management are a little more complex these days. Can you trust that the person behind the username you see on the screen, trying to access privileged documents or resources, is who they say they are?
According to the 2022 Data Breach Investigations Report, two of the three types of data most compromised in phishing attacks are credentials (such as passwords and PINs), and personal data (such as names, addresses, and email addresses).
With more people than ever working remotely, hackers are taking advantage to compromise your organisation and gain access using these credentials.
To put it simply: will your cloud transformation allow you to verify your users and enable them to access the apps/resources they need to be productive?
Because identity is one of the most crucial aspects of modern security, any cloud transformation is going to need a robust way of identifying people within an organisation and providing access to the right applications and resources to the right people, at the right time.
To help you answer these questions and challenges, it’s worth deploying a technology such as Azure AD.
Azure AD is a cloud-native identity and access management service that gives your employees access to external resources and applications such as Microsoft 365, the Azure portal, and thousands of other Software-as-a-Service (SaaS) applications.
It can also be configured to work with an on-premises Active Directory, enabling employees to access internal resources like apps on your intranet.
Using Azure AD, you can make your identity and access management more secure by enabling multi-factor authentication (MFA). This provides an extra layer of security and verification, making sure users are who they say they are – and are only accessing what they need/are privileged to access.
3: Threat visibility – You can’t protect what you can’t see
Threat visibility used to be more straightforward. Attackers tried to make their way into the organisation from outside of your on-premises security. There was a clear boundary between where the business was and wasn’t.
The attack surface has expanded massively, and threats can now come from laptops, smartphones (both personal and company issue), tablets, smart TVs, personal unsecured routers, and anything else that could fall under the remit of the Internet of Things (IoT).
Basically, there are two questions you need to ask of your organisation:
- Can you detect different types of threats across cloud and on-premises devices/users?
- Can you investigate and see the whole picture of an attack (affected devices, actions taken, etc.)?
To answer these two challenges, you will need to employ some kind of threat monitoring technology, like a security information and event management (SIEM) platform (such as Microsoft Sentinel).
A SIEM operates by collating data – this can be from logs, events, applications, devices, networks, infrastructure, and systems – to analyse and provide a full view of an organisation’s IT infrastructure.
SIEM solutions can be either on-premises or in the Cloud. They examine all the collated data and sort threat activity according to the risk level they present. This helps your security desk identify bad actors and respond to and neutralise cyberattacks quickly.
Employing a SIEM is a key step in your cloud transformation. It’ll allow you to keep an eye on all of your security data – including your users, devices, applications, and infrastructure in one place.
To put it bluntly, you can’t protect what you can’t see.
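The collate-then-rank behaviour described above, reduced to its core, looks like this. It is an added example, not code from the original article and not how Microsoft Sentinel or any other SIEM is implemented; the event names, sources, weights and thresholds are all constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample events (one JSON object per line) from three sources.
RAW_EVENTS = [
    '{"source": "identity", "user": "alice", "event": "signin_failed"}',
    '{"source": "identity", "user": "alice", "event": "signin_failed"}',
    '{"source": "identity", "user": "alice", "event": "signin_new_country"}',
    '{"source": "cloud_app", "user": "alice", "event": "mass_download"}',
    '{"source": "endpoint", "user": "carol", "event": "malware_detected"}',
    '{"source": "identity", "user": "bob", "event": "signin_failed"}',
    'not-json garbage from a misconfigured forwarder',
]

# Assumed weights for illustration; a real SIEM ships and tunes its own rules.
WEIGHTS = {"signin_failed": 1, "signin_new_country": 4,
           "mass_download": 6, "malware_detected": 8}

def collate(lines):
    """Parse events from all sources into one per-user view; count rejects."""
    by_user, rejected = defaultdict(list), 0
    for line in lines:
        try:
            ev = json.loads(line)
            by_user[ev["user"]].append((ev["source"], ev["event"]))
        except (json.JSONDecodeError, KeyError, TypeError):
            rejected += 1  # unparsable input is a visibility gap worth tracking
    return by_user, rejected

def rank(by_user):
    """Score each user and sort highest risk first."""
    rows = []
    for user, events in by_user.items():
        score = sum(WEIGHTS.get(event, 0) for _, event in events)
        sources = sorted({source for source, _ in events})
        if len(sources) > 1:
            score *= 2  # corroboration across independent sources raises risk
        level = "high" if score >= 20 else "medium" if score >= 5 else "low"
        rows.append((user, score, level, sources))
    return sorted(rows, key=lambda r: r[1], reverse=True)

if __name__ == "__main__":
    users, rejected = collate(RAW_EVENTS)
    for row in rank(users):
        print(row)
    print("rejected lines:", rejected)
```

No single source rates alice as high risk; only the combined view across the identity and cloud application logs does.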
4: Threat response – Don’t bring a knife to a gunfight
Detecting and remediating threats was a lot easier when you owned all your infrastructure and you had on-site security personnel. Now, organisations face the challenge of protecting large and ever-growing IT estates across both on-premises and the Cloud.
The Cloud is an environment that is constantly changing and evolving, and threats are evolving right alongside it.
On top of the constantly evolving sophistication of social engineering and phishing scams, there are also these threats to consider:
- Mobile device vulnerabilities.
- Smart TVs and other Internet of Things (IoT) devices.
- Possible breaches through third-party applications.
- Unsecured/unconfigured home routers.
- Cloud vulnerabilities.
- Poor data management.
This isn’t a complete or comprehensive list of threats, and they’re still growing day by day. Your threat response needs to be able to change and evolve alongside the threats it may encounter.
Your threat response must be something that leverages the power of the Cloud so that it can keep up, and it has to be able to easily integrate with your threat detection software.
A great example of this would be Microsoft 365 Defender integrating easily with Microsoft Sentinel, combining both visibility and intelligence with powerful action – all from one location.
Using cutting-edge extended detection and response (XDR) solutions that integrate both threat visibility and response will be crucial in protecting you from continually evolving threats.
5: Data protection and compliance – GDPR and beyond
As more and more data is moved to the Cloud, there’s a growing concern that your company’s sensitive internal data is at risk of exposure through accidental leaks or deliberate, sophisticated cyber threats.
And it isn’t just your data that’s at risk – any data you hold on your partners, customers, or clients is also in danger.
Without robust data protection measures in place, you run the risk of falling foul of compliance regulations. There’s an increasing number of regulations that require your organisation to know exactly where your data is stored, who has access to it, how it’s processed, and how it’s protected.
Failing to meet (and prove you meet) these compliance obligations can be incredibly costly.
For example, infringing UK GDPR regulations can be met with a maximum fine of £17.5 million or 4% of annual global turnover, and the EU sets a maximum fine of €20 million (about £18 million) or 4% of annual global turnover – whichever is greater.
The ICO has also proven that they aren’t at all shy in the enforcement of penalties against any company that is in breach of data protection regulations.
It’s clear that when it comes to secure cloud transformation, ensuring your data is protected is crucial.
Any plans for handling data need to be able to answer several questions:
- Do you know where it’s being stored?
- Do you know who has access to it?
- Do you know whether those people have appropriate access for their roles?
- Is it classified correctly?
Without accounting for data protection, your organisation can end up like a rusty bucket full of holes, leaking data and haemorrhaging money.
At worst, it could put you out of business; at best, it could make it difficult for you to operate and permanently damage customer and client trust.
You don’t have to go it alone – The rise of the Managed Service Provider
For those organisations that simply don’t have the time, qualified staff, or technical resources to build a modern IT and security team, outsourcing the problem has become a popular solution. Enter the Managed Service Provider (MSP).
There are many advantages to using an MSP. We’ll briefly look at some of them here:
- 24/7 monitoring of your systems keeps your data and applications safe whatever the hour.
- A proactive approach means problems can be solved before they become an issue, meaning no lost time in dealing with downed systems.
- It’s often not feasible or cost-effective to have a dedicated, in-house cyber security team, but with an MSP, you can access experts to fill your knowledge gaps.
- MSPs will have access to the latest technology – particularly helpful if, for example, you need cutting-edge threat detection and response software to aid secure cloud transformation.
- Instead of talking to several different people or teams, an MSP can be your single point of contact.
- Instead of reactively fighting fires, an MSP can take over what needs to be done, allowing your team to concentrate on what they do best/specialise in.
- An MSP can scale up or down with your business as required.
- An MSP can be more cost-effective than hiring or training new staff, and your other security costs will be more predictable. Your service agreement will outline precisely what you’re paying for.
However, if you’re thinking about hiring an MSP, it’s essential that you do your research to make sure that they hold up to a high standard of security. The widely publicised SolarWinds breach of December 2020 demonstrated the dangers of not doing this.
Your IT supply chain is only as strong as the different entities that make it. If one company operating in your supply chain hasn’t got its security locked down, that means that you don’t have your security locked down, and it represents a potential vulnerability in your cyber defences.
Things to look out for when assessing a potential MSP include:
- Security certifications (such as Cyber Essentials Plus or ISO 27001)
- Case studies that demonstrate their security credentials
- Their market standing and reputation as an MSP
Hiring an MSP with both strong cloud transformation and security credentials will offset the risks and give your organisation peace of mind. At Kocho, we’re well versed in cloud transformation and our managed services, like our other offerings, have security baked into their very core.
Moving into the future with secure cloud transformation
The last few years have been transformative in terms of how and where we work, and how companies operate in an increasingly digital world where traditional boundaries come to mean less and less every year.
And while threats have evolved alongside this changing world, the one thing that’s remained a constant is that you need a security-first mindset. Moving into the Cloud without a well-thought-out security focus is likely asking for trouble.
Insulating yourself from the dangers of an open internet is no longer just about putting up a border and stopping people from crossing it. Transforming to the Cloud demands a more agile, modern approach – and hopefully, we’ve shown you what that looks like here.
- The explosion in cloud transformation was accelerated by the pressures of the pandemic requiring employees to work remotely.
- Work from home and hybrid offices are not a blip; they are here to stay. As a result, cloud transformation needs to be done with security in mind.
- Security in the Cloud presents unique challenges compared to traditional on-premises security where everything sat behind a firewall.
- There are five main pillars behind secure cloud transformation: adopting a zero trust mindset, identity and access management, threat visibility, threat response, and data protection.
- Look to use an MSP with strong security credentials that can help solve your cloud transformation challenges.
David Guest is Kocho’s Solution Architect & Technology Evangelist. He’s responsible for developing identity, Microsoft 365 security, and other cloud service solutions – and keeping our clients abreast of the latest technology trends.