An era of zero trust – even of the cloud

An era of zero trust – even of the cloud

The global COVID-19 pandemic has fueled an acceleration of the evaluation of cloud technology by a broad swathe of industries and government organizations.

The business case is well understood and clear. Avoid expansion of private data center infrastructure and enlargement of It infrastructure personnel and instead shift to a shared-services model where you’re working with an operational budget and a relatively predictable billing model.

Outsourcing your IT, which is effectively what the cloud facilitates, means that you get the benefits of scaling from your cloud vendor and reduced risk with respect to personnel management and appropriate infrastructure handling.

Virus SecurityOn the flip side, you have to somewhat homogenize what you use and there is perhaps a little less flexibility in terms of “turn-on-a-dime” provisioning and accommodation of some of the more nuanced IT needs that your organization might have.

For the most part, users don’t particularly care about whether the systems that they access and use, are in the cloud or in some data center or computer room on the premises of the business. As long as the system performs acceptably, as long as they have access when they need it, and as long as they can rely and depend on the contents of the system, it could pretty much be anywhere.

Many organizations have been progressively migrating data and operations to the cloud. During the height of the pandemic, many companies saw the weaknesses in their existing infrastructure and quickly realized that to support a lot of remote desk-bound personnel, they needed systems and data services that were distributed and flexible. They needed to consider cloud infrastructure.

Depending on the data that they planned to port to the cloud though, they had to ensure that the systems and applications that they used, would work adequately in this new context. Further, their local regulatory authorities needed to be satisfied that data that was subject to regulatory compliance like personally identifiable data (PII) which is bound by data residency regulations was not being ported to systems in foreign countries.

Fortunately, most of the leading providers have a pretty clear set of offerings that accommodate these regulations. The greater challenge comes when the organization adopting the technology has an unclear understanding of its obligations.

A second aspect is an adequacy of securing the data. Again, the cloud providers have taken steps to secure customer data in the cloud but with that security comes a great many assumptions about an organization’s own policies, procedures, and measures to ensure that the “doors” that secure the data structures are not left unlocked or “copies of the keys” inappropriately made.

If anything, adoption of the cloud for infrastructure exposed systemic issues in the way businesses uses (and abuse) their technology and at the same time laid bare the fragility of their understanding and experience of supporting and servicing global user communities in a potentially wild-west frontier environment.

In effect, the pandemic itself, triggered an escalation of cyber attacks, a lot of this tied to the desk workers working from home on unsecured home networks and open wifi networks and devices.

It should also come as no surprise then, that we also learned about the ransomware incidents that peppered news reports at the end of the Spring of 2021. The characteristics of these businesses were diverse; the nature of their systems, equally so. The level of impact of the ransomware, specifically unclear. Their dependence on on-premise vs cloud technology is equally unclear.

What must hold true in all of this, is that in some way, these systems had at least some sort of connectivity or lax data exchange controls, possibly through home-workers, that enabled them to be infected with malware or ransomware and probably communicate with malware and ransomware zombie or stealth hosts.

The result then is that technology leaders have become potentially reticent about further accelerating their cloud adoption and expanding their distributed network infrastructure and moreover, in some cases resolved to undo their cloud deployments. This is especially likely if there is the slightest hint of data loss. A position of zero-trust is becoming more commonplace.

The concern for leaders then has to be how easy it is to reverse the decisions that have already been taken. Cloud adoption is supposed to lower, not increase costs, applications should be able to be simply ported to cloud infrastructure from on-premise servers and data centers and It has been reassured that managing the infrastructure is as easy as managing on-prem if not easier, and finally, there should be no compromise on performance.

When all of these promises fail to get met, the calculators come out and the contracts are reviewed. Arlington Research on the state of Hybrid Cloud technology for Virtana (Feb ’21) a systems workload quality infrastructure monitoring and analytics platform provider suggests that out of 350 surveyed IT leaders, almost three quarters backpedaled on their public cloud deployments and ‘repatriated’ their public-cloud workloads. IDC research from a few years back (2019) revealed a suggested higher number.

If your organization has signed long-term infrastructure contracts with hosting services, this might result in some doubled costs as you continue to pay for your cloud infrastructure for the remainder of your agreement and spin up or renew your on-premise systems.

You’ll also need to be thinking about how you ensure that the sensitive and valuable data that landed in your cloud environments gets properly, appropriately, and verifiably purged.

For those who have chosen to adopt new platforms in the migration, that is exclusively cloud-based, the choices may also be a little more limited and there may have to be a concession to have some on-premise and some in the cloud i.e. hybrid.

For these, there may be no going back to the systems the way that they were.  Either way, part of the risk mitigation plan for migration towards the cloud needs to factor in the possibility that some of the changes may need to be undone.

Photo Credit: Max Pixel

Have Your Say: