Keumars Afifi-Sabet

Rene Millman

Bobby Hellard

Cloud computing. Cloud-native computing. Software as a service. They're all secure and reliable. Except when they're not.

Recently, we've seen Microsoft Azure suffer an extended outage and Docker Hub get hacked. Organisations deploying SaaS applications often assume the vendor provides adequate data protection and they neglect the need for backup. However, the last few years have seen massive outages among some of the major cloud and SaaS providers that seem to have brought down the internet; service outages that might or might not have halted productivity within thousands of companies; and any number of SaaS start-ups shutting down, getting hacked or simply just losing data.

Higher standards of customer experience are driving demand among end-users for always-on services. As a result, end-user tolerance for disruption is at an all-time-low. Simultaneously, end-users now have the power to publicly vent their frustrations with disrupted organisations via social media, thus exacerbating the overall reputational damage of service outages.

Combined with the threat of disruption causing a breach of regulatory compliance and landing organisations with huge penalties such as those stipulated in the GDPR, it is understandable why some organisational leads may hesitate when migrating operational infrastructure to the cloud.

But, of course, clinging to the past would be crazy for any company that actually wants to remain competitive by using and building cutting-edge applications. For all but a small handful of companies (some of which actually run public clouds), there is no realistic vision of a successful future that doesn't involve some combination of clouds, containers and SaaS – probably all three.

The trick is adopting these things intelligently and accounting for the very real possibility that something will, at some point, go wrong. To support any cloud hosted applications, an effective back-up strategy needs to be put in place. The same goes for each SaaS application.

What the best solutions look like will vary widely based on the company, although it seems logical to settle for nothing less than cloud-native best practices around high availability and automated security patching. That means building resilience into the compute, storage and networking tiers, designing apps that tolerate component failure, and sometimes using multi-cloud platforms.

And while container security is a newer concern than, say, VM security, there are a lot of tools-from start-ups, large IT vendors and even open source communities-that can provide peace of mind. A SaaS application that doesn't let you export your data is probably not a SaaS application worth using, but the good news is there's no shortage of SaaS applications.

For example, application components can be automatically patched and upgraded, while application infrastructure should regularly be re-paved in order to expunge any system-level malware or advanced persistent threats. At the application level, a growing number of organisations are adopting tools that automatically scan code for vulnerabilities and offer guidance on how to remedy them.

Ultimately, the process of SaaS backup is similar to backing up a standard but complex on-premise application. Look at the whole service and ensure all the components and dependencies are covered in the back-up plan. When managing a SaaS application, the nature of the business is providing services to consumers, not internal staff. The stakes – in terms of both reputation and financial impact – can be significant. It is essential that, as a provider, any disruptive issues around providing the service are mitigated as much as possible. Backup is part of that continuity planning.

What businesses can't do is let fear and uncertainty get in the way of progress, which is what cloud computing, however defined and in all its forms, ultimately delivers. Getting things like security and reliability right might require spending a little more time and money on software, engineers, and maybe even lawyers, but the payoff over the long term should make up for any early investments many times over.

In today’s business environment, settling for the status quo isn't a viable option, thinking ahead is a much better option than rushing into the cloud and ending up on the receiving end of an outage, breach or other large-scale incident that could have been avoided with just a little forethought.

Interested in hearing industry leaders discuss subjects like this and sharing their experiences and use-cases? Attend the Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London and Amsterdam to learn more.

A survey of C-suite executives from Nominet has found that, for more than half of respondents, cloud security remains a concern – which becomes even more critical when multi-cloud comes in.

The study, which polled 274 CISOs, CIOs and CTOs, found 52% were at least moderately concerned about security with regards to cloud adoption. One in five respondents said they were ‘very’ concerned, compared to one in 10 who said they were not at all concerned.

Almost half (48%) of those polled said their organisation had a multi-cloud approach. Yet respondents using a multi-cloud approach were significantly more likely to have suffered a data breach – 52% affirmed this compared with only 24% of hybrid cloud users.

When it came to the specific threats organisations face, respondents were most concerned over exposure of customer data, increased threat surfaces, and improving cybercriminal sophistication.

Almost two thirds (63%) of those polled said they already outsourced certain security services to managed providers. CNI, hospitality and transport were industries less likely to outsource some of their security operations. “Most organisations are happy to outsource when it comes to security, and appear to believe the practice improves their security profile,” the report notes.

The report naturally went through the rigmaroles of cloud adoption statistics, of which a selection is presented herein. The most interesting aspect was that Google Cloud proved the most popular choice of the big clouds, with 56% saying they used it. AWS (32%), perhaps even more interestingly, finished flat last, behind Azure (36%), Oracle (44%) and IBM (49%).

88% of survey respondents said their organisation was either currently engaged in, or planning to, adopt cloud and software as a service (SaaS). 71% overall said they had adopted SaaS, compared with IaaS (60%), PaaS (30%) and business process as a service (BPaaS – 30%). A quarter of respondents said they had function as a service (FaaS) installed.

“The maturity of the cloud means that not only are businesses willing to use it for the delivery of operations and IT services, they are also embracing it for security tools and managed services,” the report notes. “And as businesses look at how the cloud can help make them more secure, ease of integration is top of mind – whether that’s with on-premise applications or other cloud services.

“The move to the cloud won’t be an all-encompassing migration,” the report adds. “Businesses will want to make the most of existing investments and only adopt cloud alternatives once these have reached the end of their product lifecycle.

“Organisations today therefore need cloud security tools that are flexible enough to secure the enterprise as it is today, and as it will be tomorrow.”

You can read the full Nominet report here (email required).

Interested in hearing industry leaders discuss subjects like this and sharing their experiences and use-cases? Attend the Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London and Amsterdam to learn more.

Keumars Afifi-Sabet

Any regular reader of this publication will have noted the regularity in which the largest cloud players – Amazon Web Services (AWS), Microsoft Azure, Google Cloud et al – post solid quarterly financial results. While Wall Street may not have been happy with all of the postings, growth has remained, albeit dipping from the three figure climbs in previous years.

This hyperscaler growth has often been backed up with strong spending across hardware assets. Yet two research companies have noted a decline in the most recent quarters across their industry segments. Both have blamed downturns in China for the change, although it will by no means be an irreversible decline.

Synergy Research, a long-time cloud infrastructure market analyst, noted in August that hyperscaler capex was down 2% based on year-by-year figures. The most recent quarter saw more than $28 billion in spending.  The first quarter of this year, although nearer $25bn, followed a similar pattern. Q118’s figure was still above it, even accounting for the one-off spend of Google buying Manhattan real estate for $2.4bn.

China’s expenditure declined by 37% year on year in Q2, Synergy noted, with Alibaba, Tencent, JD.com and Baidu all reluctant to spend. All other areas saw nominal increases; the US saw the most with 5% yearly, ahead of EMEA (3%) and the rest of APAC (2%). Taking China out of the mix would see overall figures jump 4% year on year.

Synergy’s figures come from the data centre and capex footprint of 20 of the world’s largest cloud and internet service firms. The ‘big five’, in this instance Google, Amazon, Microsoft, Facebook and Apple, usually dominate.

“Usually it is the big five that dictate the scale and trends in hyperscale capex, but the drop-off in spending in China has been so marked that an otherwise strong worldwide growth story has been transformed into a modest capex decline,” said John Dinsdale, a chief analyst at Synergy.

This situation is echoed when it comes to data centre switches. According to telecom and network analyst Dell’Oro Group, ‘weakness in China’ suppressed data centre switch market growth in Q219. The decline was the first seen in five years, down to both a slowdown in spending from cloud service providers and enterprise, as well as continued uncertainty over Huawei.

“In contrast, data centre switch market revenue in North America managed to grow despite a slowdown in spending by major cloud service providers,” said Sameh Boujelbene, Dell’Oro Group senior director. “Most of the slowdown was driven by reduced server purchases while data centre switches performance well. Large enterprises also contributed to the growth in North America as they accelerated their 100 GER adoption and helped Cisco emerge as the new leader in 100 GE revenue in Q219.”

“The situation in China is likely to be a short-term phenomenon, however, as the four Chinese hyperscale operators continue to grow revenues more rapidly than their US-headquartered counterparts,” Dinsdale added. “After some short-term financial belt-tightening, we expect to see Chinese capex rise strongly once again.”

Interested in hearing industry leaders discuss subjects like this and sharing their experiences and use-cases? Attend the Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London and Amsterdam to learn more.

Keumars Afifi-Sabet

In the new digital economy, data is the most valuable asset a company possesses. However, according to a recent survey by IDC, the spending ceiling for data security is as low as six per cent of the total security budget. Understandably, many information security professionals are feeling the pinch – and increasingly burning out and leaving the industry according to Goldsmiths, University of London – and companies aren’t spending enough on data security to prevent bad attackers from swiping the family silver.

At the same time, large-scale digital transformation projects continue to be high-profile news. The IDC report also found that 97 per cent of respondents were using sensitive data on new technologies as part of digital transformations, but fewer than 30 per cent were using tools, such as encryption, to keep that data secure within these environments.

This lack of security is a worrying trend when security should be included by design in digital transformation projects and implemented as early as possible in this new approach to the software development lifecycle.

Securing software

Software is eating the world; Marc Andreessen’s famous description of the need for every company to become a software business has been devoured by enterprises, but this rapid process of change has given many organisations indigestion and security headaches to boot. These investments are strategic ones, but they can often move ahead far faster than security teams can get involved.

Behind these changes, there are some bigger IT adoption trends taking place too. For example, environments have changed; many enterprises have moved from private cloud to hybrid cloud and are now embarking on multi-cloud. Our own  Modern App Report found that multi-cloud adoption had doubled year on year to around 10 per cent of companies.

Similarly, application architectures have shifted from the traditional three-tier, client-server approach to new microservices-based approaches. The technology stack is now shifting to containerised applications that are orchestrated by the likes of popular open source platforms such as Kubernetes. The responsive, flexible and scalable capabilities of these technologies has yielded significant performance and efficiency gains but it has added greater complexity.

The ephemeral nature of technologies, such as Docker and Kubernetes, has meant that the security tools used to collate data from these applications like security incident and event management (SIEM) are unable to keep pace with the rate of change taking place. Without this data and insight into your company’s applications and data, it’s simply not possible to gain insight into your security posture.

Planning out any digital transformation project should requires a thorough security needs assessment too. If done correctly, this provides a complete overview of your operating conditions and how processes operate, and it helps meet the business demands that digital transformation projects require.

Implementing a data-driven baseline as part of this process is also a vital way of protecting your enterprise. Using machine data – all the data created by all the applications, infrastructure components, cloud services and more – should supply more meaningful insights from metrics, logs and thresholds that you can evaluate in the current infrastructure and assess again once the project is live and running. 

The right DevSecOps tools

Getting this visibility around the cloud can help development, security and operations teams converge their approaches. This convergence – commonly called DevSecOps – involves making security into a continuous process that is part of the development lifecycle. This convergence can help maintain the speed of digital transformation while also ensuring security rules get followed from the start.

A DevSecOps approach differs to old delivery pipeline methods in that traditional software development priorities have not tended to address software vulnerabilities from the start. When software development relies on integrating third party programme components or publicly available images to create these services, this supply chain element becomes more important for all the teams involved.

Alongside this, there is a common assumption that DevSecOps is only about making sure that your security teams are working with developers and IT Ops teams. However, DevSecOps should go deeper than that in order to be successful. It’s an approach that sees security as code, building data protection and privacy thinking into the code itself from all stages: starting in design and architecture through to development, QA, pre-production and into production.

In practice, this means working with development teams on code is delivered in small updates and building security checks into the process so that any vulnerabilities can be spotted quickly before they go into production. This involves taking a more proactive approach that sees compliance monitoring baked in as well. This effectively positions your organisation in a constant state of audit readiness.

As you may have guessed, time-consuming manual security analysis and auditing will slow down the frequency and speed of software delivery. Automation is therefore integral to the success of DevSecOps, as areas such as threat investigation must be ongoing for any emerging threats and vulnerabilities as they are identified with code analysis. Using automated scans and analysis of data across the application, DevSecOps teams can concentrate on where they can provide the most value rather than on spending time on manual correlation of potential issues.

Empowering IT teams

The DevSecOps principles should not be seen as a silver bullet for digital projects; indeed, they are only effective with the right tools and data to power them. Implementing DevSecOps has to be based on a common approach to the applications and services involved. There will be too many interactions taking place to decipher without a unified approach for monitoring and fine-tuning operations.

Making security the responsibility of everyone across IT does mean having to manage different levels of experience around software and security. Generally, software developers don’t have the same history in looking through alerts to discern which ones are serious and should be investigated as risks, while they do have more expertise in new application design practices and how to put services together. Providing the right level of data – and making sure it can be made actionable and relevant for each team – is, therefore, something to consider as you implement your DevSecOps processes.

In a fast-paced environment, security tools that generate too many false positives can be as serious a problem as sticking with manual security testing. If too many issues come through, it can lead to “alert fatigue” and serious issues can be then be missed. By developing a baseline and monitoring alert levels, IT teams can avoid this problem. Similarly, you can automate common responses to potential conditions or threats. At the same time, data can help teams to interact in real time around real risks or potential threats in software systems as they are discovered.

Digital transformation is still gathering pace – more and more organisations are looking at how to improve their agility and keep up with competitors. However, this should not come at the cost of security. In the same way that DevOps is a fundamentally different approach to developing and delivering software, DevSecOps represents a completely different approach to making software secure. This approach is necessary if companies want to get all the potential value of their digital investments and avoid unnecessary risks.

Interested in hearing industry leaders discuss subjects like this and sharing their experiences and use-cases? Attend the Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London and Amsterdam to learn more.

Case study All data is equal, but for some industries, data is more equal than others. As a result, great care needs to be taken when it comes to keeping that data secure, whether in the cloud or anywhere else.

Healthcare, across its various channels, is a classic example. Some healthcare organisations are moving with less trepidation towards the cloud. In February, for instance, a study from Nutanix found that, by 2021, more than one in three healthcare organisations polled said they would be deploying hybrid cloud solutions. At the start of this year, pharmaceutical giant Walgreens Boots Alliance selected Microsoft as its primary cloud provider, with the majority of its infrastructure moving across to Azure.

Regardless of where it is hosted, the non-negotiables for healthcare providers are that the data can be accessed to its demands and that it is unimpeachable.

Abbots Care, a home care company based in Hertfordshire, is like any responsible UK provider under the regulatory jurisdiction of the Care Quality Commission. As managing director Camille Leavold puts it, one data breach could mean the company’s licence is taken away.

Leavold therefore wanted more assurance of how secure her company’s data was – and as a result she turned to managed IT services provider Fifosys.

“About two years ago, we were at a stage where we had quite a lot of data,” Leavold tells CloudTech. “Although we were using a company that said our data was secure and safe, we actually didn’t have any way of being able to evidence that.

“Obviously we’re quite in a compliant sector, and we needed to be able to evidence it. That started us looking,” she adds. “We were also looking for a company that was 24/7, because we are too.”

Mitesh Patel, managing director of Fifosys, went through the standard detailed audit when the work originally went out to tender. Basic questions around the backing up of data, recovery times and sign-off process highlighted risks which ‘weren’t acceptable’ to Leavold, as Patel puts it. Fifosys’ solution ties in to the company’s partnership with business continuity provider Datto, whose technology, according to Fifosys technical director James Moss, is ‘effectively a mini-DR test every day.’

Fifosys runs two official recovery tests a year, with the results sent to Leavold who can then present them to the board. “It’s no longer something hidden where you’ve gone ‘okay, there’s a vendor dealing with it, we’re going to be blind to it,” Patel tells CloudTech. “The recovery process… they get a report, that’s discussed – is this timeframe acceptable? – [and] are there any tests they want to do outside of this?”

Like many healthcare providers, Abbots Care also needs a good ERP system to ensure all its strands are tied up – particularly with care workers out in the field, checking on their tablets and devices which patients they need to see, their medication, and the service which needs to be provided at that time. "There's a lot for Abbots Care that they need to have up and running, and when you're scheduling so many people out in the field, these systems need to be up," says Patel.

Another consoling aspect is that the company’s backup and disaster recovery is all in one place. “[If] you can’t answer the [audit] questions and you’ve got five or six different vendors involved in delivering your backup, your continuity, applications, recovery… it’s fine you’ve got these vendors in, but your recovery time is extended continuously,” explains Patel. “Who’s actually responsible? Whose neck is on the line in the event that something does happen?”

Outages are unfortunately a fact of life, as even the largest cloud providers will testify, but can be mitigated with the right continuity processes in place. “Continuity was a big, big part for them, and then it’s all in terms of protecting the data and having versions of it,” explains Patel.

“There are organisations who say they’ve got four sites, and [they’re] just going to replicate across those four sites and invest in the same infrastructure on all four. That’s very difficult to maintain, administer and manage,” Patel adds. “When you are testing, you find people are only testing one of their sites rather than all four.

“You should be doing four tests at least twice a year – but the time involved in doing that, many people underestimate [it] and then start compromising.”

You can find out more about the case study by visiting here.

Interested in hearing industry leaders discuss subjects like this and sharing their experiences and use-cases? Attend the Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London and Amsterdam to learn more.