Bobby Hellard

Microsoft and AT&T have beefed up their strategic partnership, announcing a new offering where AT&T’s growing 5G network will be able to run Azure services.

The companies will be opening select preview availability for network edge compute (NEC) technology. The technology ‘weaves Microsoft Azure cloud services into AT&T network edge locations closer to customers,’ as the companies put it.

Microsoft and AT&T first came together earlier this year, with the former somewhat stealing the thunder of IBM, who had announced a similar agreement with AT&T the day before.

While the operator will be using Microsoft’s technology to a certain extent – the press materials noted it was ‘preferred’ for ‘non-network applications’ – the collaborative roadmap, for edge computing and 5G among other technologies – was the more interesting part of the story. The duo noted various opportunities that would be presented through 5G and edge. Mobile gaming is on the priority list, as is utilising drones for augmented and virtual reality.

Regarding AT&T’s personal cloudy journey, the commitment to migrating most non-network workloads to the public cloud by 2024 was noted, while the commitment for the operator to become ‘public-cloud first’ was reaffirmed.

“We are helping AT&T light up a wide range of unique solutions powered by Microsoft’s cloud, both for its business and our mutual customers in a secure and trusted way,” said Corey Sanders, Microsoft corporate vice president in a statement. “The collaboration reaches across AT&T, bringing the hyperscale of Microsoft Azure together with AT&T’s network to innovate with 5G and edge computing across every industry.”

After many false starts – remember Verizon’s ill-fated public cloud product offering? – telco is finding a much surer footing in the cloud ecosystem. As VMware CEO Pat Gelsinger put it in August: “Telcos will play a bigger role in the cloud universe than ever before. The shift from hardware to software is a great opportunity for US industry to step in and play a great role in the development of 5G.”

You can read the full Microsoft and AT&T update here.

Interested in hearing industry leaders discuss subjects like this and sharing their experiences and use-cases? Attend the Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London and Amsterdam to learn more.

Bobby Hellard

Dale Walker

A new report from Nordic IT services provider Tieto has found the region’s cloud landscape has matured significantly since 2015 from both a strategic and operational perspective – with Sweden and Finland fighting for supremacy.

The study, the latest Cloud Maturity Index which was based on responses from almost 300 decision-makers across the public and private sectors in the Nordics, placed almost one in five (18%) organisations as ‘mature’, while a quarter (27%) were seen as ‘proficient’, 42% at a basic level, and 13% ‘immature’.

In other words, it’s a broad church, with just a slight emphasis on the have-nots rather than the haves. Those who are described as mature use cloud services to a larger extent – virtually everything (97%) being cloud-based – and are much likelier to exploit the technology’s advantages compared with their immature cousins. Being classified as a mature cloud business means an approximately 20% lower IT operation costs, and on average 15% more efficiency in increasing business competitiveness.

When it came to specific industries, finance came out on top for Nordic organisations, maintaining its lead previously forged in the 2015 and 2017 surveys. The public sector continues to report the lowest strategic and operational maturity. Yet the gap is closing when it comes to traditionally ‘slower’ verticals, with manufacturing proving particularly effective. Whereas finance scored 6.0 in 2015 and 6.3 this time around, the manufacturing industry has leapt to 6.0 from 4.4.

The report also noted the importance of environmental factors in organisations’ initiatives. This is not entirely surprising given the temperate climate has enabled many data centre providers to set up shop in the Nordics. Approximately half of companies polled said they were already considering issues such as energy consumption or CO2 emission as part of their cloud strategy. Again less than surprisingly, mature cloud organisations were considerably further ahead on environmental initiatives than their immature brethren.

Despite the report’s figures – again ranked out of 10 – which showed Sweden and Finland comfortably ahead of Norway, according to Tieto’s head of cloud migration and automation Timo Ahomaki it is the latter who should be celebrating. Data sovereignty, Ahomaki argues, is an area which is ‘quite polarised’ in Sweden, with Finland’s more advanced cloud security meaning it is ‘at the forefront’ of the Nordic public sector.

Regular readers of this publication will be aware of the various initiatives which have taken place regarding the emerging data centre industry in the Nordics. As far back as 2015, CloudTech reported on a study from the Swedish government – which was later put into legislation – to give tax breaks for data centre providers. Last year, DigiPlex announced a project whereby wasted heat from its data centres would be used to warm up residential homes in Oslo.

You can read the full report here (email required).

Interested in hearing industry leaders discuss subjects like this and sharing their experiences and use-cases? Attend the Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London and Amsterdam to learn more.

In May 2017, The Economist famously ran with a front-page headline proclaiming that “The world’s most valuable resource is no longer oil, but data.” It focused on big tech’s collection and use of data and argued that the data economy demands a new approach to antitrust rules.

I agree with the idea that data is now about the world’s most valuable resource, but would suggest that it is more like uranium. It has power and energy, but too much of it can be potentially explosive. Indeed, thinking about data as if it were like uranium, might be a good way to approach data protection.

Handling data

You would not expect your staff to handle uranium without caution or without the right protective gear. Nobody treats nuclear fuels the way that Homer Simpson does! Likewise, you need to educate your staff to handle data with equal care and need to equip them with the tools that they need to do so. 

Numerous studies have found that the greatest data protection threat to a business is the one that walks out of the business at the end of each day – your staff. The insider threat, as it is known, outweighs all others.

If your staff was handling nuclear fuel, you’d expect them to do so with the utmost care. But with data, even after extensive education and training programs, the temptation can be to take short cuts or overlook the proper procedures. For this reason, ease of use (making it as easy to do the right thing as it is to do anything else) is as important in security terms as functionality.

The problem is that the cybersecurity arena is exceedingly fragmented, and we are typically expected to understand how to use a number of different tools.

Thankfully, organisations like Lenovo are focusing on exactly this challenge, bringing a selection of best-of-breed security tools from the likes of Intel and Microsoft together into a single integrated portfolio called ThinkShield and making it easy to use.

Unfortunately, the reality is that you can’t always trust users to know the right thing to do. Nor can you oversee their every move. But with ThinkShield, you not only get comprehensive and customisable end-to-end IT security that you can trust to significantly reduce the risk of being compromised, but it’s also in a package that is easy for users to understand and use. It means less business interruption for your staff and less work for your IT admins.

Data concentration

Much of the focus in The Economist was on how much data certain players were collecting and the risks that go with this. It argued that new antitrust rules were needed to address the concentration of data and of power in the hands of a few giant players. 

Again, this makes data far more like uranium than oil – after all nuclear fuels are relatively safe in small quantities. It is only once you have a critical mass that it becomes potentially explosive.

In a recent interview, Edward Snowden suggested that GDPR had been a step in the right direction, but that the real threat came not from data protection, but from data concentration.
Elizabeth Warren’s threats to break up some of the tech giants may never happen, but further regulation both in the EU and the US is most likely and will focus on ensuring nuclear safety in the digital economy.

Cyber response

Anyone in the nuclear industry will be familiar with scenario planning and simulation exercises. They run regular drills to train staff on how to deal with catastrophes such as leakage of nuclear waste. Few firms realise that GDPR mandates the need for “a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.” In other words, if you don’t run do scenario planning or run simulation exercises to test how you’d respond to a data breach, then you’re not GDPR compliant.

Obviously, most organisations have in-house information security teams, just as they have legal and PR teams, but when a breach does occur your in-house teams are going to need help – they’re unlikely to have the specialist skills to deal with everything. As a result it is best to work with specialists – my latest venture, The Crisis Team, is a good example – that work alongside your internal teams offering world-leading expertise. After all, when things get serious, you don’t want the B team.

It is also worth including letting these experts support your scenario planning and simulation exercises. It will leverage their expertise and ensure that you develop a mutual understanding and are able to practice working together – something that will come in handy if or when the worst does occur.

Considering all of this, maybe treating your data as if it is toxic, and as if it were uranium, might be a good approach. 

Interested in hearing industry leaders discuss subjects like this and sharing their experiences and use-cases? Attend the Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London and Amsterdam to learn more.

Connor Jones

Bobby Hellard

Cloud computing has become a prevalent force, bringing economies of scale and breakthrough technological advances to modern organisations, but it is more than just a trend. Cloud computing has evolved at an incredible speed and, in many organisations, is now entwined with the complex technological landscape that supports critical daily operations.

This ever-expanding cloud environment gives rise to new types of risk. Business and security leaders already face many challenges in protecting their existing IT environment. They must now also find ways to securely use multiple cloud services, supported applications and underlying technical infrastructure.

The need to use cloud services securely

The surge in business processes supported by cloud services has been well evidenced by organisations using cloud services store confidential data in the cloud environment. But when using cloud services, organisations are still unsure whether to entrust cloud service providers (CSPs) with their data. CSPs generally provide a certain level of security as substantiated by multiple surveys, but cloud-related security incidents do occur.

CSPs cannot be solely responsible for the security of their customers’ critical information assets. Cloud security relies equally on the customer’s ability to implement the right level of information security controls. Nevertheless, the cloud environment is complex and diverse, which hinders a consistent approach to deploying and maintaining core security controls. It is vital that organisations are aware of and fulfill their share of the responsibility for securing cloud services to successfully address the cyber threats that increasingly target the cloud environment.

Key features of cloud services

Organisations have rapidly adopted cloud services, attracted by the ease of procurement, relatively low set-up cost and the opportunity to replace legacy technology that no longer meets business needs. Yet, managing security is no simple task due to the unique and varied features intrinsic to using multiple cloud services.

Cloud services cover a vast range of offerings such as business applications, document storage solutions, databases and virtual servers, which can all be purchased on-demand from a selection of CSPs through a public network, most commonly the internet.

As organisations move to cloud computing to enhance their business operations, they tend to favor the acquisition of cloud services over the expansion of conventional, on-premises IT data centers. Often described as a cloud-first policy, this approach has been adopted by countless organisations. For many organisations, this means that almost their entire IT Infrastructure will eventually be hosted in the cloud environment.

The rise of the multi-cloud environment

As organisations acquire new cloud services, they typically choose these from a selection of multiple CSPs and therefore need to deal with a multi-cloud environment, which is characterised using two or more CSPs.

Organisations favor a multi-cloud environment because it allows them to pick and choose their preferred cloud services across different CSPs (e.g. AWS, Microsoft Azure, Google Cloud, Salesforce). However, each individual CSP adopts its own jargon, its own specific technologies and approaches to security management. The cloud customer therefore needs to acquire a wide range of skills and knowledge to use different cloud services from multiple CSPs securely.

Organisations require a range of different users to securely access cloud services from within the organisation’s network perimeter through secure network connections (e.g. via a gateway). However, organisations also need their cloud services to be accessed from outside the internal perimeter by business partners and users travelling off-site or working remotely, all connecting through a selection of secure network connections as dictated by the organisation.

Overcoming cloud security challenges

While CSPs provide a certain level of security for their cloud services, organisations need to be aware of their security obligations and deploy the necessary security controls.  This requires organisations to understand and address the many security challenges presented by the complex and heterogeneous aspects of the cloud environment.

Our ISF members have identified several obstacles to operating securely in the cloud environment. The main challenges include:

• Identifying and maintaining the appropriate security controls
• Balancing the shared responsibility for security between the CSP and the cloud customer
• Meeting regulatory requirements to protect sensitive data in the cloud environment

The rapid explosion of cloud usage has accentuated these challenges and, in some instances, left organisations insufficiently prepared to tackle the security concerns associated with using cloud services.

Balancing the shared responsibility for security between the CSP and the cloud customer

Securing the use of cloud services is a shared responsibility between the CSP and the cloud customer. The security obligations incumbent on the CSP are to protect the multi-tenant cloud environment, including the backend services and physical infrastructure, as well as to prevent the commingling of data between different customers.

While the CSP maintains much of the underlying cloud infrastructure, the cloud customer is responsible for securing its data and user management. Whether the customer’s responsibility extends to performing security configurations for applications, operating systems and networking will depend on the cloud service model selected.

This shared responsibility for security can create confusion and lead to over-reliance on the CSP to mitigate threats and prevent security incidents. It is essential that the cloud customer does not depend wholly on the CSP to deploy the appropriate security measures, but clearly understands how responsibility for security is shared with each CSP in order to identify and deploy the requisite security controls to protect the cloud environment.

Meeting regulatory requirements to protect sensitive data in the cloud environment

An organisation using an on-premises IT data centre will know exactly where its critical and sensitive data resides and can exert full control over the movement of its data. This helps considerably when implementing security controls, whereas in the cloud environment, data moves in and out of an organisation’s perimeter more freely. This can obscure where critical and sensitive data is located, and how it can be protected, which can hinder an organisation’s ability to effectively enforce the requisite security controls across all of its cloud services in line with compliance requirements.

While it is the cloud customer’s responsibility to ensure the security of its data in the cloud environment, the customer’s control over its data is intrinsically limited since the data is stored by an external party – the CSP – in an off-site location, often in a different country. Moreover, the CSPs will often leverage several data centers in geographically distinct locations to ensure the organisation’s data is stored on more than one server for reasons of resilience.

This creates additional complexity in terms of managing data across borders, understanding where it is located at a given moment in time, determining the applicable legal jurisdiction and ensuring compliance with relevant laws and regulations – an obligation that rests fully with the cloud customer, not the CSP.

Maximise potential and take responsibility

Modern organisations must operate at a fast pace, delivering new products and services to stay ahead of the competition. Many are therefore choosing to move ever further towards cloud computing, as the elasticity and scalability offered by cloud services provide the desired flexibility needed to compete. For an organisation to have confidence that it can move to the cloud whilst ensuring that vital technological infrastructure is secure, a robust strategy is required.

The cloud environment has become an attractive target for cyber attackers, highlighting the pressing need for organisations to enhance their existing security practices. Yet consistently implementing the fundamentals of cloud security can be a complicated task due to the diverse and expanding nature of the cloud environment.

This is but one of many challenges that organisations need to overcome to use cloud services securely. Organisations cannot rely purely on CSPs to secure their critical information assets but must accept their own share of responsibility. This responsibility calls for a combination of good governance, deployment of core controls and adoption of effective security products and services. Controls that cover network security, access management, data protection, secure configuration and security monitoring are not new to information security practitioners, but they are critical to using cloud services securely.

Moving forward, organisations can select from a variety of trends and technologies that will enable them to use cloud services securely – from the adoption of new products to the embedding of improved processes, such as a focus on secure containers, where security is given greater emphasis during development.

Assuring that services are used securely will provide business leaders with the confidence they need to fully embrace the cloud, maximising its potential and driving the organisation forward into the future.

Interested in hearing industry leaders discuss subjects like this and sharing their experiences and use-cases? Attend the Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London and Amsterdam to learn more.

CIOs have been telling their cloud partners for years now that they’re not ready to fully commit to the public cloud. They have existing infrastructure investments which they’re loathe to jettison and some applications and workloads can’t easily move off site. In other cases, IT needs workloads to run nearby in the data centre to satisfy the extreme low latency requirements for services on the factory floor or in the emergency room.

Highly sensitive regulatory requirements also are a factor when CIOs choose to keep some assets in the corporate data centre. The cloud giants are finally listening. And suddenly, hybrid cloud is red hot.

A majority, or 86% of enterprises, have more than a quarter of their IT infrastructure running in cloud environments and more than half have 50-75% in the cloud, according to a recent OpsRamp survey. According to the RightScale 2019 State of the Cloud report, hybrid cloud is the dominant enterprise strategy, with 58% of respondents stating that is their preferred approach. Organisations are using an average of five different clouds. Clearly, the appetite for hybrid and multi-cloud environments, which are now increasingly characterised by including multiple cloud vendors, is strong.

The big three cloud providers are responding

Amazon, Google and Microsoft have been releasing new hybrid cloud offerings in recent months. The latest is Arc from Azure. This bundled multi-cloud layer claims to be the single platform for extending Azure services whether its on-premise using Azure Stack, competing cloud services, or edge environments. Arc promises a hybrid automation framework for deploying and managing apps in all clouds.

Given its enterprise heritage, Microsoft placed the right bet when it announced Azure Stack in 2015. Amazon and Google quickly followed. If the recent Arc announcement is any indication, the complex multi-cloud world is here to stay. In this multi-cloud hybrid reality, software engineers have to design or re-factor applications to account for interoperability between all clouds, while releasing applications ever faster to stay competitive. Meanwhile, IT operations teams are challenged to manage assets, metrics, alerts, events and services from on-premise and major cloud vendors. The greatest challenge for IT ops today is to discover a cohesive framework to process multi-cloud hybrid data and complexity without undue cost and pain.

Now, there are finally several options for doing just that.

Clouds competing for the middle

While all three companies have competitive solutions to address the hybrid IT challenge and be the provider to solve hybrid woes, none of them are a perfect solution. This is a new battleground for cloud vendors to compete in the world of infrastructure management and orchestration. 

Microsoft was the first to consider enterprise IT cloud realities, when it launched Azure Stack in 2017. Stack has been wildly successful because it’s delivered a safe runway to the cloud. CIOs can run the Azure cloud operating system on-premise and obtain tangible benefits of cloud architecture and services without giving up the security and control they want from keeping IT inside. That’s especially important in companies with heavy compliance requirements or in traditional IT organisations and cultures.

Stack also supports an easier migration path to Azure, and simpler integration between on-premise and cloud workloads. Arc takes this a step further by adding an abstraction layer over Azure and Stack environments so that IT can orchestrate and manage all infrastructure (including, says Microsoft, a competing cloud environment) from one place.

In April, Google released its version of the hybrid play: Anthos. Google calls it an “open application modernisation platform that enables you to modernise your existing applications, build new ones, and run them anywhere.” Google’s service, as expected, focuses on open-source technologies Kubernetes, Istio, and Knative and allows IT to manage both on-premises and cloud environments.

AWS Outposts brings AWS infrastructure, services, and operating models to “virtually” any data centre or on-premises facility. AWS Outposts builds on the AWS Nitro system technologies that enable customers to launch EC2 instances and EBS volumes on the same AWS-designed infrastructure used in AWS data centres. Companies can run AWS Outposts on VMware Cloud or using AWS native technologies.

Now for the outlier: Kubernetes. While not a cloud provider, this container orchestration platform has been a boon to IT because it decouples the underlying infrastructure (on-premises or public cloud) from the applications. This has never been done so elegantly before and transformed Kubernetes into a strategic and beloved abstraction layer allowing developers to spread their wings across any cloud vendor or environment. This decoupling empowers application developers to focus solely on the app development and port applications between environments with ease. That said, Kubernetes is also an extension of the overall hybrid infrastructure picture, one that needs to be tracked and monitored as well.

Impact on IT and IT ops

Most enterprises will end up operating in a hybrid-cloud configuration between on-premise and one or more cloud vendor. Products like Azure Arc, AWS Outpost and GCP Anthos will enable enterprises to speed cloud adoption, minimise internal risk, maintain consistent deployment and automation models across apps and infrastructure, and allow IT to migrate workloads between locations and clouds with ease.

There may also be significant benefits for IT Operations in adopting a hybrid cloud service from Amazon, Google or Microsoft along with Kubernetes. Legacy, on-premise monitoring and management tools are still common in enterprises. A survey by Forrester found that some 33% of companies are using more than 20 monitoring tools and only 12% were solely using modern tools. But as you put more workloads in the cloud, legacy tools don’t really fit the bill. Infrastructure leaders will be looking to select a modern cloud management solution that doesn’t lock them into a certain cloud. In addition, many IT organisations still need a vendor-neutral system to monitor and optimise these environments. Those systems will of course need to integrate with the company’s hybrid cloud service of choice. 

Enterprises can realise the following three benefits from a hybrid public cloud approach:

• Use best of breed products from all cloud vendors
• Use the most cost effective products from each vendor
• Distribute risks between cloud vendors

Will the customer be locked in?

To that extent, it’s questionable if any of the public cloud vendors will provide the optimal approach for operating other clouds. Regardless of which approach enterprises choose, 2020 will be a pivotal year for realising real-world benefits from the cloud as the market matures for hybrid cloud products and services.

Interested in hearing industry leaders discuss subjects like this and sharing their experiences and use-cases? Attend the Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London and Amsterdam to learn more.