Today’s organisations have increased flexibility in managing different types of IT workload – be it choosing to build their own infrastructure, housing it in an external data centre, or getting public cloud services. Each approach offers its own unique advantages. Public cloud services, in particular, are gaining popularity due to the cost efficiency and business agility they offer, which enables organisations to react rapidly to business changes.
However, there is an apparent lack of confidence in cloud security which may be hindering organisations from choosing the Enterprise Resource Planning (ERP) system that is best suited for their business and security needs and resources. Having a good understanding of on-premise and cloud infrastructure will minimise the blind adoption of either application – which may end up in organisations having to incur exorbitant costs in exchange for minimal benefits.
Why are organisations holding back on cloud adoption?
Security is a key reason that makes some organisations sceptical about adopting cloud. According to the Cybersecurity Insiders Cloud Security Report, nine out of ten cybersecurity professionals confirm that they are concerned about cloud security. After all, ERP systems house some of the organisation’s most critical information – including company financials, trade secrets, client lists and more.
To help alleviate such concerns, organisations should get smart about cloud cybersecurity in order to have a better assessment of the suitability of the application to the business. Legacy security tools are limited in the cloud – the Cloud Security Report has found that a staggering 84 percent say traditional security solutions either don’t work at all in cloud environments or have very limited functionality.
The lack of understanding of cloud security is further exacerbated by misinformation around cloud computing. Organisations either distrust the public cloud or place too much trust in it. Those of the former opinion believe that the public cloud is not secure, even though the business model of public cloud providers is wholly dependent on security. On the other hand, there are also organisations that trust the cloud to be so secure that, by extension, so are the data and applications within it.
To understand the difference in security requirements for both applications, organisations need to first understand how both applications differ in the way they function. The biggest difference between these two systems is in the way that they are being deployed. On-premise applications require physical servers and applications that are stored on-site, whereas cloud applications are housed in a cloud infrastructure that is located at the provider’s data centre. This means that server management responsibility is either undertaken by the organisation itself, or an outsourced provider.
By extension, on-premise systems are generally considered capital expenditures, while cloud-based systems come under operating expenditures. Cloud has enjoyed an uptick in adoption rates due to its lower cost of entry and its ability to deliver increased efficiency, better scalability and faster deployments.
The security strategy for organisations with on-premise applications will most likely follow a similar and familiar strategy, which may be the reason why some organisations still prefer on-premise applications: strengthen the network perimeter using a firewall and supplement this with third-party security applications. The same approach, however, cannot be wholly applied to cloud applications, and organisations will need to offer the necessary cloud data security in order to fully harness the benefit of cloud adoption.
Traditional security tools are often not suited for the challenges of dynamic and virtual cloud environments. Security teams need to reassess their strategies and posture when adopting cloud and not adopt a ‘lift-and-shift’ approach. The lack of knowledge around proper cloud security, as well as a shortage of skilled cloud and cybersecurity professionals, has created misinformation and concerns about cloud security, which may hinder businesses from adopting the solution altogether.
The security of public cloud requires collaboration and sharing of responsibilities
Before adopting cloud, organisations need to develop an understanding of what the cloud can offer, and what it cannot. The cloud can provide businesses with powerful benefits, such as cost savings, time-to-value, and agility. Equally powerful are the security issues that come with cloud adoption; it may therefore be wise for organisations to focus on their readiness for cloud security before making it the ERP of choice.
Businesses must also keep in mind that when it comes to transformation and cloud adoption, these important aspects must be aligned: people, process and technology. Only then can organisations reap the full benefits of cloud adoption and leverage its potential to provide them with the flexibility they need to manage and use data and applications. This is where organisations need to know that cloud security is based on a shared-responsibility model. While cloud providers are responsible for the security of their infrastructure, the onus is on organisations themselves to secure their data and applications stored in that infrastructure.
This shared-responsibility model is certainly different from securing on-premise resources, so organisations need to rethink their cybersecurity strategies before deciding which ERP works best, and which security controls to implement.
In addition to ensuring that the technology is secure, the biggest hurdles that organisations face when considering cloud adoption are people and processes. The availability of trained staff, as well as issues around data privacy and lack of integration with existing on-premise technology, are key issues that organisations need to keep in mind before making the move to cloud applications.
Lastly, the emergence of the ‘polycloud’, or the adoption of cloud services from multiple cloud providers, now requires organisations to consider security in a multi-cloud environment, where every cloud provider has a different framework and a different set of security tools. Organisations have to build a uniform security framework across all these services being delivered from the cloud. This is possible with the help of third-party security vendors.
Security is static but DevOps is dynamic, which makes them go in opposite directions. In order to ensure the benefits of cloud are maintained, the security framework should also be automated to keep up with the development of the business.
Three steps to cloud confidence
To leverage the full benefits of the cloud, organisations need to ensure consistent, automated protection across multi-cloud deployment in order to prevent successful cyberattacks. Confidence in cloud can be increased with these three steps:
#1: Keep up with the speed of cloud. The move from servers to services can present a learning curve for security teams. Organisations need to understand the security solutions required in order to be able to keep pace with the demands of cloud security without limiting its capabilities.
#2: Embrace the shared responsibility model. Public cloud providers have the responsibility of security of the cloud, while organisations have the responsibility of security in the cloud. Public cloud providers secure the global infrastructure, which includes compute, storage and database facilities, while organisations will need to secure all aspects of their environment in the public cloud, such as networking configurations and encryption usage.
#3: Secure multi-cloud infrastructure with automation. Adopt a ‘security-by-design’ mindset and simplify cloud security management in order to achieve consistent protection.
Bisham Kishnani, Head Consulting Engineering, Asia Pacific, Palo Alto Networks