As more businesses embark on their digital transformation journey and shift towards a mobile cloud computing model, they must rethink their entire security architecture. Migrating to the cloud effectively marks the end of the traditional network perimeter, which means that the standard security protocols designed to protect the perimeter are no longer fit for purpose. 

A recent report from Outpost24 found that while 42 percent of organisations are concerned about cloud security, 27 percent do not know how quickly they could tell if their cloud data had been compromised. This shows that many organisations are failing to follow cloud security best practices, leaving them vulnerable to security threats. This article outlines some of the best security practice organisations should follow when migrating to the cloud. 

The cloud challenge 

The rising popularity of the cloud cannot be understated. IDG’s 2018 Cloud Computing Study estimated that 77 percent of organisations use cloud services. It’s also been estimated that the average enterprise uses up to almost 1,000 applications. However, the added freedom granted by cloud services also comes with risks. As organisations move to a mobile cloud computing model, their employees have access to critical business data anytime from anywhere, eroding the traditional network perimeter. This has opened up new access points for hackers to exploit and created a massive attack surface that traditional security systems, such as firewalls and gateways, cannot protect against. 

Forget the perimeter, forget trust 

With the modern mobile cloud computing model dissolving the traditional network perimeter, organisations need to adapt. Businesses should look to implement a zero-trust security framework, which has been designed in direct response to the diminishing perimeter. Zero-trust considers an organisation’s network to be already compromised and as a result applies a ‘never trust, always verify’ logic to network access. 

With data flowing freely between various devices and servers in the cloud, there are more potential access points to be exploited. The zero trust model takes this into account and requires the device to be verified, the user’s context to be established, the apps to be authorized, the network to be verified and the presence of threats to be detected and mitigated.  Only after all these checks have been completed will the user be granted access to the data they are trying to view. 

Scrap passwords 

The password is the weakest link in enterprise security – a recent survey conducted by MobileIron and IDG found that 90 percent of the security professionals questioned had seen unauthorised access attempts as a result of stolen credential – and unfortunately, the advent of cloud computing has further exploited the vulnerability of the password. With cloud services and applications presenting organisations with multiple opportunities to streamline the way they handle their data, the risk presented by stolen user credentials has only grown. 

The same IDG survey also found that almost half of enterprise users recycle their password for more than one enterprise application. And with the average enterprise using up to 1,000 different cloud applications, it is highly likely that enterprise users recycle their passwords for different cloud services. Thus, just one stolen password in the modern cloud environment could provide hackers with countless amounts of enterprise data. In order to overcome the pain of passwords, organisations should look to more reliable methods of securing access to their data in the cloud, such as multi-factor authentication, or biometrics.

Good hygiene 

Good security hygiene is always of paramount importance, but even more so when an organisation migrates to the cloud. The advancement of cloud computing has changed the way the modern enterprise works, with mobile devices increasingly being used to access critical business data. In order to best achieve secure access to cloud data, organisations need to understand the environment in which their employees want to work, including what devices they choose to use. 

Organisations can then implement appropriate security protocols. With modern work increasingly taking place on applications on mobile devices, rather than on browsers or desktops, organisations will need to develop a new perimeter defined for the device in order to stop data seeping between cloud apps. 

This is where enrolling devices in a unified endpoint management (UEM) solution becomes essential. Enrolling devices ensures that devices are encrypted and allows IT to enforce appropriate authentication and security policies. It also gives IT the opportunity to delete dangerous apps over-the-air and stop business data from seeping between different cloud-based apps. Enrolling devices in such a way not only serves to maximise the gains in productivity that cloud computing has to offer but also helps to ensure data stored in the cloud is secure. 

Interested in hearing industry leaders discuss subjects like this and sharing their experiences and use-cases? Attend the Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London and Amsterdam to learn more.

Keumars Afifi-Sabet

You’ve got the processes in place for a revamped software delivery cycle in your organisation. The foundation has been built, the stack is in place and the culture is going in the right direction. What are you missing?

Security in DevOps is an ‘unrealised ideal’ and a key step in moving from DevOps good practice to best practice. That’s according to the latest Puppet State of DevOps Report, published earlier today. 

The report, the eighth in total, explored the various journeys organisations were at in security integration. Security, alas, is not a competitive differentiator – getting good product out there is – so the report sympathised with organisations facing the struggle. Though the road ahead is paved with good intentions, it doesn’t change habits – or pay the bills.

In all, almost a quarter (21%) of the 3,000 respondents polled who have the highest levels of security integration – whereby security is present across all phases of the software delivery cycle – say they have reached an advanced stage of DevOps maturity. Only 6% of those with no security integration say they have done so. 

What’s more, if you have the highest level of security integration it means you are more likely to deliver on production demand quickly, cited by 61% of firms. Of those with no security integration, less than half (49%) are able to deploy on demand. Security-conscious firms are also more than twice as likely to be able to stop a push to production for a moderate security vulnerability, meaning their customers aren’t able to release insecure code.

The most marked change was with regards to overall security posture. More than four in five (82%) of those polled with the highest levels of security integration said their security practices ‘significantly’ improved their posture, compared with only 38% of those with no integration.

In some aspects, the figures between the haves and the have-nots are not as broad as they seem. This may be of particular interest due to the harsh journey involved. Getting seamless security integration is a multi-layered problem. As the report puts it: “You see the underlying complexity that’s been masked over by years of duct tape and glue. You tackle the roadblock, but as you resolve it, new obstacles appear. You resolve one roadblock after another, and it gets frustrating, but after a while, you see that your team can overcome issues as they arise.” 

Last year, the key takeaway was with regards to getting each step right. The 2018 Puppet report argued reaching the zenith, where Dev and Ops integrate seamlessly and in perfect harmony, meant a slow evolution. Only one in 10 organisations polled were outliers either way, with 79% of companies somewhere in the middle.

With regard to security, those at the more advanced end of DevOps implementation are automating security policy configurations, and at the very sharp end exploring automated incident response. “They had cultivated a powerful blend of high-trust environments, autonomous teams, and a high degree of automation and cross-functional collaboration between application teams, operations and security teams.

“The result? Security becomes a shared responsibility across delivery teams that are empowered to make security improvements.”

Ultimately, it is a long road, but a profitable one if all stakeholders care enough, which is rather like security as a whole. “The DevOps principles that drive positive outcomes for software development – culture, automation, measurement and sharing – are the same principles that drive positive security outcomes,” said Alanna Brown, senior director of developer relations at Puppet and report author. “Organisations that are serious about improving their security practices and posture should start by adopting DevOps practices.”

Interested in hearing industry leaders discuss subjects like this and sharing their experiences and use-cases? Attend the Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London and Amsterdam to learn more.

Bobby Hellard

The manufacturing industry might have been slow to adopt cloud-based technologies, but the benefits are now widely recognised with many companies relying on it to automate processes and drive efficiencies. In fact, you can’t move in today’s technology driven world without hearing the term ‘cloud’. It provides the foundation for the way we run our lives both at work and at home—so much so that the term itself is almost redundant. 

Although cloud is an accepted part of everyday operations within the manufacturing industry, making the most of it can still be a challenge, and leading to many businesses using it, but not necessarily unlocking its true potential. According to recent research, a staggering 84 percent of those within the manufacturing industry view investment in the cloud as hugely important in delivering their overall growth strategy. However, despite this, only 17 percent consider cloud a strategic investment, with only a third (31 percent) saying they make significant use of cloud applications today.

Levelling the playing field

With traditional manufacturers often steeped in legacy, on-premises technology, the advent of cloud-based platforms provided a cost-effective and smooth way to embrace digital transformation and transition from outdated systems to innovative applications. It levelled the playing field and gave companies of all sizes the ability to compete—whether they were a new kid on the block, whose systems were born out of agile and scalable technology platforms, or a traditional manufacturer who was investing in the cloud to keep up with old adversaries and new counterparts.

Today, spending on public cloud services is still a huge growth area for manufacturing, with IDC predicting that discrete manufacturing, in particular, will spend more than $20 billion on it this year—accounting for more than one-third of the worldwide total spend. Process manufacturing will spend an estimated $15 billion. With so much being invested in cloud-based services, it is vital to get the most out of every penny spent.

Look before you leap

Cloud technologies are certainly accessible and more affordable. However, is the ease with which manufacturers can get up and running with new technology and applications coming at a cost? With cloud being the ‘new normal’, is the industry, in fact, leaping first and looking later? For all the benefits it can bring, unless cloud technology is adopted in the right way, businesses will struggle to make the move towards digital transformation work. 

Gartner suggests that despite cloud being one of the most valuable innovations in current IT and business strategies, it can fail to live up to expectations and is often misunderstood. The analyst firm predicts that as a result, through 2020, 95 percent of cloud security failures will be due to customers not understanding cloud security, or the skills necessary for successful cloud implementation. This sentiment is reflected in research, with a quarter (26 percent) ¹ of the people admitting they lack understanding when it comes to cloud technologies.

Getting the most out of investment

The cloud is not simply about being able to compete, but to differentiate. However, there is currently a gap between using and really utilising all of the benefits afforded by cloud, in order to make this ideal a reality. Key steps need to be taken to help get the balance right between enabling innovative technologies and using the cloud to your advantage. This can only be done from a position of trust and knowledge, to take cloud-based services from playing a purely functional role to becoming a strategic part of business success and growth.

Understanding the potential is vital in reaping the benefits. As well as providing business agility and the ability to adopt innovative technology fast, using a cloud-based model can improve operational visibility, analysis and insights. This means that manufacturers can react more quickly to changing market conditions and customer demands, as well as make business decisions based on deeper insight not just intuition. 

Taking enterprise resource planning (ERP) as an example, a cloud-based solution not only provides flexibility and scalability but can also empower IT departments to support more strategic growth initiatives by giving them time to focus on more value-added tasks. Keeping pace with innovation can be easily achieved with upgrades to services taking place quickly and with minimal upheaval.

Metal-Tech Partners is just one example of a company who has used cloud-based ERP to help transform and grow its operations—from a supplier of telecommunications products, to a multi-million-dollar business, providing custom-manufactured parts and services to an international audience. The modular system provides end-to-end scalability and flexibility to meet the company’s demanding needs. Any new information or changes take immediate effect through the system—providing up-to-date customer, operational, and financial visibility across the organisation.  

However, managing any change should also be high on the agenda to ensure it achieves business objectives. Getting buy-in and making sure users understand the technology and how to get the most out of it is vital. As well as unlocking value to aid business growth, using cloud-based services can also help companies realise environmental obligations, by harnessing the collaborative power of the cloud and saving energy as a result. 

Adopting cloud is just the first step. Unlocking its potential is where the real value comes in.

Interested in hearing industry leaders discuss subjects like this and sharing their experiences and use-cases? Attend the Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London and Amsterdam to learn more.

Keumars Afifi-Sabet

It may sound like an amalgam of a James Bond and a Jason Bourne film title, but Google may have reached ‘quantum supremacy’ in what was described as “a milestone towards full scale quantum computing.”

Quantum computing, while still at a very early stage, is becoming something of a key battleground for the biggest cloud companies. The technology is based on the principles of quantum mechanics, where subatomic particles can exist in more than one state at any time, leading to significantly greater computation.

While the ceiling is almost unsurpassable, the brittle conditions – the merest change in temperature or ambient noise will render qubits awry – mean a long journey of research ahead. Take a project from Microsoft announced last year which aims to ‘break’ RSA encryption in 100 seconds. For classical computers, such a task would take one billion years.

Google’s achievement is no less impressive. Researchers have put a quantum computer, named Sycamore, through its paces with a series of operations which would take a supercomputer approximately 10,000 years to complete. The quantum computer finished it in 200 seconds.

As originally reported by the Financial Times, the findings appear in a paper prematurely published to a NASA website. The test involved sampling the output of a pseudo-random quantum circuit leading to ‘a nearly random assortment of numbers [which is] extremely difficult to reproduce with a classical computer’, as Science News put it.

At the start of this year this publication reported on an initiative from IBM whereby the company announced the first ‘commercially useable integrated quantum computing system.’ While there was a fair amount of PR razzmatazz involved, the overriding concept was one of advancing quantum computing beyond the laboratory.

This is similar, although writing for CloudTech in October, Travis S. Humble, of the IEEE and Oak Ridge National Laboratory, questioned whether the time was right to go forward. “Many different quantum technologies appear viable for continued exploratory research, [such as] superconducting electronics, trapped ions, and neutral atoms,” Humble wrote. “Each of these technologies face multiple layers of integration complexity that must be monitored, from the low-level physical registers up to application performance.”

“Quantum processors have thus reached the regime of quantum supremacy,” the report noted. “We expect their computational power will continue to grow at a double exponential rate: the classical cost of simulating a quantum circuit increases exponentially with computational volume, and hardware improvements will likely follow a quantum-processor equivalent of Moore’s Law.

“In reaching this milestone, we show that quantum speedup is achievable in a real-world system and is not precluded by any hidden physical laws,” the paper adds.

You can read a plaintext version of the report here.

Interested in hearing industry leaders discuss subjects like this and sharing their experiences and use-cases? Attend the Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London and Amsterdam to learn more.

When evaluating public cloud providers,  it is easy to get hung up on the differences. AWS, Microsoft Azure, and Google Cloud each have their own terminology, pricing, service catalog, and purchasing variations. But do these differences ultimately matter? 

Compute options

Though we are able to align comparable products across AWS, Azure, and Google Cloud, there are of course differences between these offerings. In fact, with the number of products and services available today (we’ve counted 176 from AWS alone), comparing each is beyond the scope of this article.

For our purposes, we can compare what is still the core product for cloud service providers: compute. Compute products make up about two thirds of most companies’ cloud bills, so the similarities and differences here will account for the core of most users’ cloud experiences.

Here’s a brief comparison of the compute option features across cloud providers:

Of course, if you plan to make heavy use of a particular service, such as Function-as-a-Service/serverless, you’ll want to do a detailed comparison of those offerings on their own.

Pricing

That covers functionality. How do the prices compare? One way to do this is by selecting a particular resource type, finding comparable versions across the cloud providers, and comparing prices. Here’s an example of a few instances’ costs as of this writing (all are Linux OS):

For more accurate results, pull up each cloud provider’s price list. Of course, not all instance types will be as easy to compare across providers – especially once you get outside the core compute offerings into options that are more variable, more configurable, and perhaps even charged differently (in fact, AWS and Google actually charge per second). 

Note that AWS and Azure list distinct prices for instance types with the Windows OS, while Google Cloud adds a per-core license charge, on top of the base instance cost.

The table above represents the default On Demand pricing options. However, each provider offers a variety of methods to reduce these base costs, which we’ll look at in the Purchasing Options section.

Terminology 

At first glance, it may seem like the cloud providers each have a unique spread of offerings. But many of these products and services are quite similar once you get the names aligned. Here are a few examples:

Obviously, this is not a sign of substantive differences in offerings – and just goes to show that the providers are often more similar than it might appear at first glance. 

Purchasing options

Comparisons of the myriad purchasing options are worth several articles on their own, so I’ll keep it high level here. These are the most commonly used – and discussed – options to lower costs from the listed On Demand prices for AWS, Microsoft Azure, and Google Cloud. 

Reservations

Each of the major cloud providers offers a way for customers to purchase compute capacity in advance in exchange for a discount: AWS Reserved Instances, Azure Reserved Virtual Machine Instances, and Google Committed Use discounts. There are a few interesting variations, for example, AWS offers an option to purchase “Convertible Reserved Instances”, which allow reservations to be exchanged across families, operating systems, and instance sizes. On the other hand, Azure offers similar flexibility in their core Reserved VM option. Google Cloud’s program is somewhat more flexible regarding resources, as customers must only select a number of vCPUs and memory, rather than a specific instance size and type. 

What about if you change your mind? AWS users have the option to resell their reservations on a marketplace if they decide they’re no longer needed, while Azure users will pay a penalty to cancel, and Google users cannot cancel.

Spot and preemptible instances

Another discounting mechanism is the idea of spot instances in AWS, low-priority VMs in Azure, and preemptible VMs, as they’re called on Google. These options allow users to purchase unused capacity for a steep discount. The cost of this discount is that these instances can be interrupted (or perhaps Azure puts it best with their “evicted” term) in favor of higher priority demand – i.e. someone who paid more. For this reason, this pricing structure is best used for fault-tolerant applications and short-lived processes, such as financial modeling, rendering, and testing. While there are variations in the exact mechanisms for purchasing and using these instance types across clouds, they have similar discount amounts and use cases.

Sustained use discounts

Google Cloud Platform offers another cost-saving option that doesn’t have a direct equivalent in AWS or Azure: Sustained Use Discounts. This is an automatic, built-in discount for compute capacity, giving you a larger percentage off the more you run the instance. Be aware that the GCP prices listed can be somewhat misleading, as a sustained use discount is already built in, assuming full-month usage – but it is nice to see the cloud provider looking after its customers and requiring no extra cost or work for this discount.  

Contracts

A last sort of “purchasing option” is related to contract agreements. With all three major cloud providers, enterprise contracts are available. Typically, these are aimed at enterprise customers, and encourage large companies to commit to specific levels of usage and spend in exchange for an across-the-board discount – for example, AWS EDPs, Azure Enterprise Agreements. As these are not published options and will depend on the size of your infrastructure, your relationship with the cloud provider, etc., it’s hard to say what impact this will have on your bill and how it will compare between clouds. 

The 'it' factor

There’s also just the pure perception of the differences between cloud providers.

For instance, some may perceive Azure as a bit stodgy, while Google Cloud seems slick but perhaps less performant than AWS. Some appreciate AWS and Azure’s enterprise support more and find Google Cloud lacking here, but this is changing as Google onboards more large customers and focuses on enterprise compatibility. 

There are also perceptions regarding ease of use, but actually, we find these to be most affected by the platform you’re used to using. Ultimately, whatever you’re most familiar with is going to be the easiest – and any can be learned.  

Do the differences really matter?

On some of the factors we went through above, the cloud providers do have variations. But on many variables, the providers and their offerings are so similar as to be equivalent. If there’s a particular area that’s especially important to your business (such as serverless, or integration with Microsoft applications), you may find that it becomes the deciding factor.

The fact of the matter is, you’re likely to be using multiple clouds soon, if you’re not already – so you will have access to the advantages of each provider. Additionally, applications and data are now more portable than ever due to containers.

So, prepare yourself and your environment for a multi-cloud reality. Build your applications to avoid vendor lock-in. Use cloud-agnostic tools where possible to take advantage of the benefits of abstraction layers. 

Even if you’re only considering one cloud at the moment, these choices will benefit you in the long run. And remember: if your company is telling you to use a specific cloud provider, or an obscure requirement drives you to one in particular – don’t worry. The differences don’t matter that much. 

Interested in hearing industry leaders discuss subjects like this and sharing their experiences and use-cases? Attend the Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London and Amsterdam to learn more.

Maggie Holland

Nik Rawlinson