The 5 Pillars of Digital Security in the Cloud
The importance of cloud security
On our blog, we have previously discussed the benefits of a cloud-based model for companies in the AEC industry. As mentioned, it increases the effectiveness and operational flexibility of the IT department, it has a lower starting cost, since it requires less up-front investment than the on-premise alternative, and it offers a higher level of scalability.
Businesses worldwide are moving to the cloud: an analysis of 135,000 organizations shows that adoption has reached 85%, and Gartner forecasts that by 2022, 90% of companies will be using cloud services, with IaaS as the fastest-growing segment.
In this context, with complex technologies involved, the cloud also presents threats and challenges that have to be understood and managed. One of the first topics clients raise in our initial talks is cloud security: whether their data is safe from hackers, criminal organizations or any group interested in stealing sensitive corporate information.
In order to enable our clients to understand the topic better, we walk them through the 5 pillars of cloud security, a topic we have decided to approach in this article.
The 5 pillars of cloud security
Identity and Access Management
The first stage of cloud adoption is developing a strategy that focuses on the company's objectives, resources and needs. When we, at AEC Cloud, take on a new project, we start by discussing with the client what they expect from cloud computing, as well as how different employees and partners will access information.
In the AEC industry in particular, each professional has their own share of responsibilities on the job site and needs specific documentation for them. This is why we ensure that access rights are set accordingly: Identity and Access Management (IAM) is the mandatory control for authorizing people in key roles, for keeping access transparent and auditable, and for limiting the damage a compromised account can do.
In practice, we translate IAM into a series of measures, such as single sign-on, multi-factor authentication and role-based access with least privilege, each user holding only the permissions their role on a given project requires, all with the purpose of preventing breaches.
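The following is an added illustration, not AEC Cloud's own code or any vendor's IAM service: a deny-by-default, role-based authorization check in which role assignments are scoped per project and the commercially sensitive role only works in a session that has completed MFA. The role names, document classes, project identifiers and users are all constructed for the example.

```python
"""Role-based, project-scoped authorization with an MFA gate.

Added example (not AEC Cloud's code). It models the pattern described above:
each job-site professional gets only the documentation their role needs, and
a role assignment on one project grants nothing on another. All role,
project and user names are constructed for illustration.
"""
from dataclasses import dataclass, field

# Permissions are (document_class, action) pairs. Anything not listed for a
# role is refused: deny by default is what makes least privilege real.
ROLE_PERMISSIONS = {
    "architect":     {("drawings", "read"), ("drawings", "write"), ("specs", "read")},
    "site_engineer": {("drawings", "read"), ("specs", "read"), ("safety_reports", "write")},
    "subcontractor": {("drawings", "read")},
    "project_admin": {("drawings", "read"), ("drawings", "write"), ("specs", "read"),
                      ("specs", "write"), ("contracts", "read"), ("contracts", "write")},
}

# Roles that unlock commercially sensitive data (contracts, pricing) must have
# completed MFA in the current session, even when the assignment is valid.
MFA_REQUIRED_ROLES = {"project_admin"}


@dataclass(frozen=True)
class Session:
    user: str
    mfa_verified: bool
    # Role assignments are scoped to a project, e.g. {"project-42": {"architect"}}.
    roles_by_project: dict = field(default_factory=dict)


def is_allowed(session, project, doc_class, action):
    """Return (allowed, reason). The reason string is the audit trail."""
    roles = session.roles_by_project.get(project, set())
    if not roles:
        return False, f"{session.user} holds no role on {project}"
    mfa_blocked = None
    for role in sorted(roles):                       # deterministic order
        if (doc_class, action) not in ROLE_PERMISSIONS.get(role, set()):
            continue
        if role in MFA_REQUIRED_ROLES and not session.mfa_verified:
            mfa_blocked = role                       # remember, but keep looking
            continue
        return True, f"granted via role {role}"
    if mfa_blocked:
        return False, f"role {mfa_blocked} would permit this but requires MFA"
    return False, f"no role on {project} permits {action} on {doc_class}"


if __name__ == "__main__":
    anna = Session("anna", mfa_verified=True, roles_by_project={"project-42": {"architect"}})
    dave = Session("dave", mfa_verified=False, roles_by_project={"project-42": {"project_admin"}})
    for args in [(anna, "project-42", "drawings", "write"),
                 (anna, "project-7", "drawings", "read"),
                 (dave, "project-42", "contracts", "read")]:
        print(args[1:], is_allowed(*args))
```

The point of the `mfa_blocked` bookkeeping is that a user holding both a low-risk role and a privileged role is still served by the low-risk role without MFA; only the privileged permission is withheld until the session is stepped up.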
The infrastructure
Technology is a vital element of cloud computing and one we always prioritize. We ensure that the cloud technologies, systems and networks we adopt are compatible with each client's environment, including existing legacy systems.
For our clients, we implement projects that make use of Infrastructure as a Service: computing infrastructure provisioned on demand over the internet, which enables companies to optimize costs, reduce their investment in hardware and benefit from scalability. Azure is one of the largest providers; tenants rent compute, storage and network capacity, typically billed on consumption, and remain responsible for installing, configuring, patching and managing the operating systems and software they run on it.
Our objective at AECCloud is to look at the cloud as a whole and to set up an application architecture that matches the capabilities of the supporting infrastructure, as well as our medium- and long-term goals for updates and further development.
Data security
Cloud resources are, by definition, shared, multi-tenant resources, which means that a company's sensitive information resides in the provider's data centres rather than at the organization's own premises, and may be subject to the laws of the country where it is stored and of the provider's home jurisdiction.
This is why we give data security careful consideration and make it our purpose to inform clients how their information may be transported, shared and stored (encrypted in transit and at rest), which regions it may reside in, and how it must be labelled according to its nature and level of sensitivity, since the label determines who may access it and how long it is retained. In the long run, we also apply consistent data storage hygiene measures, such as retention and clean-up rules, that we monitor closely.
Governance, Compliance and Legal requirements
As mentioned before, the location of the cloud vendor's data centres and its legal jurisdiction are extremely important for determining the overall terms and conditions of the collaboration. Apart from this, there are other requirements, such as contracts, service level agreements and industry-specific regulations.
Microsoft Azure, for example, has over 90 compliance certifications, covering over 50 regions and countries, such as the US, the EU, the UK, Japan, China and India, as well as more than 35 industries. To consistently adapt and attest that its cloud services meet not only the NIST criteria but also regional and industry standards worldwide, the company engages with governments, regulators and NGOs and undergoes regular independent audits.
An aspect we check for our clients is whether the cloud provider may outsource or subcontract its responsibilities to third parties and whether, in some situations, clients have the right to audit the cloud provider or to obtain its audit reports. Both aspects are extremely important in the AEC industry.
Incident response
In a world where cyberattacks are consistently rising, more and more incidents go unidentified until it is too late and they have already produced damage. This is why, in our projects, we build incident response (IR) frameworks that treat each incident as a security failure or a compliance issue to be detected, contained and rectified before it escalates.
A holistic IR framework covers the potential causes of cloud incidents, how they are detected and assessed, and the management strategy for each. The purpose is to have a step-by-step guide that covers how to approach operational mistakes, system failures, malicious acts etc., including who is notified, what evidence is preserved and when the provider or a regulator must be involved.
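The detection step of such a framework needs telemetry and rules to run over it. The block below is an added example, not AEC Cloud's code and not any provider's log format: it parses a handful of constructed sign-in events (a simplified JSON-lines shape of this example's own making) and flags three patterns an IR playbook would route to assessment as candidate malicious acts. The users, addresses, countries and thresholds are all constructed.

```python
"""Sign-in log triage: the detection step of an incident response process.

Added example, not AEC Cloud's or any vendor's code. Field names, users,
addresses and thresholds are constructed for illustration.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in chronological order (documentation addresses).
SAMPLE_LOG = """\
{"ts": "2023-03-01T08:00:00Z", "user": "anna", "ip": "203.0.113.10", "country": "DE", "mfa": true,  "result": "success", "role": "project_admin"}
{"ts": "2023-03-01T08:01:10Z", "user": "bob",  "ip": "198.51.100.7", "country": "DE", "mfa": false, "result": "fail",    "role": "site_engineer"}
{"ts": "2023-03-01T08:02:00Z", "user": "bob",  "ip": "198.51.100.7", "country": "DE", "mfa": false, "result": "fail",    "role": "site_engineer"}
{"ts": "2023-03-01T08:03:30Z", "user": "bob",  "ip": "198.51.100.7", "country": "DE", "mfa": false, "result": "fail",    "role": "site_engineer"}
{"ts": "2023-03-01T08:04:00Z", "user": "bob",  "ip": "198.51.100.7", "country": "DE", "mfa": false, "result": "success", "role": "site_engineer"}
{"ts": "2023-03-01T08:10:00Z", "user": "carl", "ip": "192.0.2.5",    "country": "DE", "mfa": false, "result": "success", "role": "project_admin"}
{"ts": "2023-03-01T08:30:00Z", "user": "anna", "ip": "203.0.113.99", "country": "US", "mfa": true,  "result": "success", "role": "project_admin"}
"""

PRIVILEGED_ROLES = {"project_admin"}
FAIL_THRESHOLD = 3                     # failures before a success is suspicious
FAIL_WINDOW = timedelta(minutes=10)    # ...if they happened within this window
TRAVEL_WINDOW = timedelta(minutes=60)  # two countries inside this window


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect(events):
    """Return a list of (rule, user, detail) findings, in detection order."""
    findings = []
    failures = defaultdict(list)   # (user, ip) -> timestamps of failed attempts
    last_success = {}              # user -> (timestamp, country)
    for e in events:
        key = (e["user"], e["ip"])
        if e["result"] == "fail":
            failures[key].append(e["ts"])
            continue
        # Rule 1: a burst of failures from one address, then a success.
        recent = [t for t in failures[key] if e["ts"] - t <= FAIL_WINDOW]
        if len(recent) >= FAIL_THRESHOLD:
            findings.append(("brute_force_then_success", e["user"], e["ip"]))
        failures[key].clear()
        # Rule 2: a privileged role signing in without MFA.
        if e["role"] in PRIVILEGED_ROLES and not e["mfa"]:
            findings.append(("privileged_signin_without_mfa", e["user"], e["ip"]))
        # Rule 3: the same account in two countries within the travel window.
        prev = last_success.get(e["user"])
        if prev and prev[1] != e["country"] and e["ts"] - prev[0] <= TRAVEL_WINDOW:
            findings.append(("impossible_travel", e["user"], f"{prev[1]}->{e['country']}"))
        last_success[e["user"]] = (e["ts"], e["country"])
    return findings


if __name__ == "__main__":
    for finding in detect(parse_events(SAMPLE_LOG)):
        print(finding)
```

Each finding names the rule, the account and the evidence, which is what the assessment step of the framework needs to decide between an operational mistake (a user who forgot a password) and a malicious act (credential stuffing that eventually succeeded); the thresholds are starting points to tune against the client's own baseline, not fixed values.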
Who is responsible for cloud security?
“Who is responsible for cloud security?” is a question we hear often from our clients, and we have a straight answer: the responsibility is shared between the provider and the client, each party with its own objectives and to-dos.
At AECCloud, we perform the due diligence on the provider: since a customer cannot inspect the provider's physical hosts and networks directly, we review its audit reports and certifications to confirm that the data centres, hosts, networks and the infrastructure itself are configured and kept secure.
On the other hand, we encourage the client to grant user access and privileges in tiers, depending on each professional's role and need to see and use information, to ensure that outside parties have no unauthorized access, to protect and encrypt data, and to remain compliant. To do so, we establish internal protocols and make sure clients communicate them across all departments, so that every employee in the organization knows and follows them.
Of course, some responsibilities belong either to the cloud provider or to the customer depending on the chosen service model. With IaaS, the customer manages the operating system, patching, network configuration, applications and data; with PaaS, the provider also manages the operating system and runtime and the customer keeps the applications and data; with SaaS, the customer is left mainly with its data, its users and their access rights; a hybrid deployment combines these. Identity and data remain the customer's responsibility in every model. This is why working with a consultant is extremely useful.
At AEC Cloud, we help AEC clients adopt a cloud security strategy that minimizes the risk for breaches, as well as enable them to prepare for potential incidents and malware. Contact us and let’s discuss how we can keep your organization’s data safe.