Understanding Security When Moving to Cloud for Remote Working

By Matt Muschol, Chief Technology Officer, Clearvision 

The COVID-19 pandemic has resulted in an unparalleled increase in employees working from home. This sudden change in the way organisations are now working means that remote access to tools and communications is of the utmost importance.

Organisations that have not already put provisions in place to facilitate home working have been left with no other choice but to migrate their workloads to the cloud in a very short period of time. While it sounds relatively straightforward, remote working is anything but. Technology can ensure that productivity remains high, but both the human and operational aspects bring a new and different dimension to the challenges that businesses face.

In the current climate organisations must also consider other obstacles when rapidly migrating to the cloud, for example how to manage security vulnerabilities for applications that previously were only accessible on-premise and are now very much exposed. Whilst speed of migration may be top-of-mind for businesses, new remote access policies, networks, and devices used for managing cloud infrastructure should not be overlooked whilst making this transition.

This increase in cloud adoption also reignites the fears that cloud environments are less secure than on-premise solutions, which has been a barrier for many organisations. However, according to a report conducted by Nominet, 61% of security professionals believe that the risk associated with a security breach in a cloud environment is the same as or less than that of software installed on-premise. This view is supported by Gartner, which predicts that in 2020 public cloud Infrastructure-as-a-Service (IaaS) workloads will suffer at least 60% fewer security incidents than those in traditional data centres.

However, both reports assumed that the transition to cloud would be performed in a measured and controlled fashion, which is far from the reality of many businesses performing migrations in record time due to the COVID-19 situation.

Cloud and managed-service providers, on the other hand, are viewed as security experts – their business depends on it. Cloud providers hire the best industry talent to protect their infrastructure and invest heavily in the latest security innovations for cloud-based solutions. During this pandemic, attitudes have changed for many organisations and, while some remain hesitant, cloud adoption is no longer a choice; it is essential.

In order to balance security risk with the speed of migration it is now more important than ever to choose the right cloud or managed service provider.

Security and Mass Remote Working

But the fact remains that many organisations are ill-prepared for remote working. Many are discovering for the first time the limitations of their technology. On the basis that many organisations do not issue staff with equipment to work from home, they will not have assessed the question of security of such a setup.

One example of the human element of security risk introduced when all staff are remote is a large organisation that moved 3,000 developers onto a work-from-home policy. In the office environment, developers would normally lean across the desk to ask a more experienced colleague a question or to seek guidance. Once they were home-based, the same developers were found to be more inclined to search online for answers. The amount of code that had been cut and pasted from Google increased, which not only created an intellectual-property challenge, but also increased the risk of pasting insecure code into a product.

Additionally, rapid deployment of work-from-home developers is likely to cause challenges with the way some development tools are configured. For a variety of reasons, some development tools, such as build, continuous integration and library management tools (Jenkins, Bamboo, Nexus, Artifactory), are usually set up to run in-house. The various IT departments that support development tools will be frantically trying to reconfigure such tools for secure remote working.

That said, it is likely that the current COVID-19 situation will be a turning point. Companies will now be far more receptive to having such tools managed by external partners, and it is highly likely that this transition will have lasting effects beyond the current COVID-19 pandemic.

Operational Challenges in the Cloud

So, what can organisations do to ensure their private and public clouds can cope and remain secure?

Basic cloud infrastructures are kept secure by the cloud providers. However, organisations need to consider that both virtual infrastructure and application vulnerabilities may present themselves when migrating to the cloud. Additionally, right now cybercrime is on the rise with cybercriminals increasing attacks in order to target employees working remotely. Bad actors know that this is a time of significant transition, and generally a worrying time for many employees; they will be looking to take advantage of the situation.

Security patching, application security and pen testing processes need to be in place to keep workloads secure. Organisations can use the cloud to tackle the ever-changing demand to digitally transform, but they need to consider the compliance and security requirements that come with migration.

Once organisations have moved to the cloud, there are other steps they can take in order to ensure workloads and employees are secure. Organisations should help employees secure their home networks and look at refreshing all passwords and security policies, introducing multi-factor authentication, for example, wherever possible. Additionally, reminding employees about the policies that they would usually implement to protect company data is advised; businesses should leave nothing to chance, as many employees will have never worked from home before.

Pick the Right Cloud Provider

If they have not already, the days of in-house IT teams running their own infrastructure will give way to trusted managed service providers running the portfolio of devices and clouds. Leaving this management to a trusted partner that specialises in cloud-hosted managed services, and that delivers the solution on an organisation’s behalf, allows businesses to focus on core activities. It also allows businesses to benefit from the flexibility and seemingly limitless resources available in the cloud without needing to build an in-house team of cloud experts.

However, organisations that are leveraging cloud services need to communicate frequently with their providers to address future needs and concerns, and a common base level of security and compliance needs to be established. This is to ensure that organisations know what they can do ahead of time to keep their remote workforce secure and operating.

Using Cloud to Your Advantage

As the dynamics of work shift, there has been an increase in how quickly organisations are moving away from a centralised, hierarchical office model. Additionally, in the last few years, the perception of work has shifted from ‘time at desk’ to a more outcome-driven approach that is delivering major advantages to companies and employees alike. In fact, cloud-based project management and virtual teams are quickly becoming the norm. For example, a study by Owl Labs found that over 16% of companies worldwide hire only remote teams. The uptick in productivity when employees work more efficiently and collaboratively is significant.

With the world of business moving to the cloud during this pandemic, no matter where you are on your cloud journey, understanding how to manage operational challenges and security is a top priority. Many organisations, however, are finding that the vast number of options available to them can result in too many blind alleys being followed. As a result, they struggle to realise the real benefits of cloud and to work out how to stay secure.

It is important for CTOs and CISOs to take a realistic view of the security risks and challenges that cloud can introduce and to make sure that they have the resources to operate in a secure environment, making it safe for employees to work remotely not just now, but for the foreseeable future.