2024-06-11

As with most endeavours, incorporating security into the process as early as possible is essential when building or migrating to technologies such as the cloud. Whether you are beginning your journey of migrating key services to the cloud or launching a cloud-native evergreen project, involving security specialists with a deep understanding of the cloud security model is crucial. This ensures the successful implementation of a secure and robust system.

If you are early in this process, as a technology leader, understanding the cloud shared responsibility model is crucial. There are elements of each of the services offered by the different cloud service providers (CSPs) which are their responsibility to monitor, defend and protect, such as physical infrastructure and access controls at data centres, resilient power backups, and the like. All of the things you’d typically expect a data centre to provide, the CSPs will provide, and then some, really well-tuned by virtue of operating at a truly massive scale.

Move away from metal

The challenge lies in the details required to make informed decisions on which services to use, considering factors such as price, security, and long-term overhead and upkeep. In discussions with companies on this journey, I recommend moving as far away from bare metal as possible whenever feasible. This involves leveraging highly virtualised and containerised services like AWS’s Fargate and Lambda, Google’s Cloud Run and Cloud Functions, or Microsoft’s Azure Containers and Azure Functions.

One consideration here is that these managed services are, well, managed, and so you have to pay a higher premium for them than for more basic offerings. This is worth a careful review considering the numerous staff you’d need to hire and manage to deliver the same level of service in-house.

Along with this, you’ll want to invest in your code pipeline using a Continuous Integration and Continuous Deployment (CI/CD) model that allows you to quickly run deployments that face a battery of automated tests before being approved to push to production. The key is well-defined processes that enforce service, security and code quality standards and produce repeatable results.
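To make the "battery of automated tests before being approved" concrete, here is an added example of a pre-production gate as a pipeline might call it; this is not code from the article or from any CSP or CI vendor. The check names, finding identifiers, waiver tickets and severity thresholds are all constructed for illustration. The point it demonstrates is the one the paragraph makes: the gate is a fixed, repeatable policy (required checks must actually have run, blocking findings need a reviewed and unexpired waiver), so the same inputs always produce the same verdict.

```python
"""Added example: a deterministic pre-production deployment gate.

All stage names, finding ids, tickets and thresholds are constructed
placeholders, not a real scanner's or pipeline's output format.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    """One result emitted by an automated check in the pipeline."""
    check: str        # stage that produced it, e.g. "dependency-scan"
    identifier: str   # tool-specific id (constructed values below)
    severity: str     # "critical" | "high" | "medium" | "low"


@dataclass(frozen=True)
class Waiver:
    """A reviewed, time-boxed acceptance of one specific finding."""
    identifier: str
    expires: date
    ticket: str       # where the risk acceptance was recorded


@dataclass(frozen=True)
class GatePolicy:
    required_checks: frozenset          # checks that must have run
    blocking_severities: frozenset      # severities that stop a deploy
    waivers: tuple                      # accepted-risk exceptions


def evaluate_gate(completed_checks, findings, policy, today):
    """Return (approved, reasons). Same inputs always give the same verdict."""
    reasons = []
    # A mandated check that never ran is a failure, not a silent pass.
    for check in sorted(policy.required_checks - frozenset(completed_checks)):
        reasons.append(f"required check did not run: {check}")
    # Only waivers that have not expired count; stale exceptions are ignored.
    active = {w.identifier for w in policy.waivers if w.expires >= today}
    for f in sorted(findings, key=lambda x: (x.check, x.identifier)):
        if f.severity not in policy.blocking_severities:
            continue
        if f.identifier in active:
            continue  # accepted risk, documented and still within its window
        reasons.append(f"blocking {f.severity} finding {f.identifier} from {f.check}")
    return (not reasons, reasons)


# Constructed sample policy: three mandatory stages, one reviewed waiver.
SAMPLE_POLICY = GatePolicy(
    required_checks=frozenset({"unit-tests", "dependency-scan", "iac-scan"}),
    blocking_severities=frozenset({"critical", "high"}),
    waivers=(Waiver("DEP-0001", date(2024, 12, 31), "RISK-42"),),
)

# Constructed sample findings from one pipeline run.
SAMPLE_FINDINGS = (
    Finding("dependency-scan", "DEP-0001", "critical"),  # waived until end of 2024
    Finding("dependency-scan", "DEP-0002", "medium"),    # below blocking threshold
    Finding("iac-scan", "IAC-0007", "low"),
)


def run_sample(today=date(2024, 6, 11)):
    """Evaluate the constructed run on a given date; returns (approved, reasons)."""
    return evaluate_gate(
        ["unit-tests", "dependency-scan", "iac-scan"],
        SAMPLE_FINDINGS, SAMPLE_POLICY, today,
    )


if __name__ == "__main__":
    approved, why = run_sample()
    print("APPROVED" if approved else "BLOCKED", why)
```

Run on the article's date the sample deploy is approved: the critical finding carries an unexpired waiver and the other findings sit below the blocking threshold. Run the same data after the waiver expires, or with one of the required checks missing, and the verdict flips to blocked with a reason naming exactly what failed, which is what makes the outcome reviewable rather than a matter of who was on shift.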

In many cases, these managed services (like Lambdas and container systems) mean that the CSP is responsible for some measure of monitoring and management of the security around those tools, so rather than you and your team needing to dedicate resources to staying up to date with all of the patching needed for a Linux operating system, your cloud provider manages this for you. Note: cloud services change regularly, so you should confirm that any service you use includes automated patching and versioning before jumping in.


The idea here is that AWS, Google, and Azure are often better at some of these security management practices and keeping things up to date than most organisations. There are some notable exceptions; in particular, it is worth pointing out that Microsoft has had a very bad year in terms of security across its products. If you haven’t read it, have a look at the US government Cybersecurity Safety Review Board’s (CSRB) report on the Microsoft breaches from last year. It is a pretty sobering assessment of some catastrophic security failures inside the company.