IT software and services company Tieto has outlined some of the key issues chief information officers (CIOs) need to consider when managing cloud-based services.
The guidance comes from Simo Nurmi, head of enterprise cloud business development for Tieto.
He has been working with cloud services for 10 years and provides guidance on finding the right multi-cloud solutions for clients.
He points out that security management in multi-clouds may be complex, but it can be managed with the same kind of processes and practices that are already in place for data centres.
Nurmi says 70% of CIOs think that online security is a top-three priority for them, yet only 40% have plans to invest.
Despite this, by the end of 2017, 65% of IT capacity was expected to be off-site as demand for cloud services rocketed.
In setting out five key areas of focus, Nurmi said: “Some of the practices are not expensive to implement but might need a change in your processes. It’s worth noticing that they might also increase your efficiency.”
1. Implement a security model
Companies need a security framework to rely on in multi-cloud. Nurmi calls it the ‘security onion’ model, where the more levels an attacker must penetrate to access a valuable resource, the better the chances are that the attack will not be successful.
He said: “You should design your service to have numerous layers protecting any sensitive data. This way, you can ensure that if one security measure is breached, other obstacles will be in place to keep the attacker at bay.”
2. Introduce a data classification process
Organise data into categories for its most effective and efficient use. This identifies and highlights which data is most valuable and it can be a swift way of finding and retrieving your data. Nurmi added that it also helps you with risk management and compliance.
Sample categories could cover highly sensitive data, sensitive data, less sensitive internal data and public data.
3. Centralise some operations
It is important in some cases to know who did what to systems, as well as when and why. A centralised approach gives common access control, auditing and storage of logs.
Nurmi said: “By managing accesses to private and public clouds through integration with enterprise directories and role-based access rights, you can prevent unauthorised access to services and have control over user access.”
4. Authenticate your workloads
Using SSH keys is essential, according to Nurmi, especially to grant access to a company’s public cloud workloads. To enhance security in public cloud production environments, it is worth investing time in designing service catalogues and considering accepting only certified access.
Nurmi said: “Many organisations are using this already in relation to mobile devices to allow access to emails and calendars, but notably, not production environments in public clouds. It really is worth thinking about where your most valuable data is stored.”
5. Have consistent policies
Global public clouds can be difficult because there may be unique industry or national regulations that require compliance. Multi-cloud environments allow local players to be introduced when needed.
Nurmi added: “A local partner will continuously monitor and update the content of the services, based on the regulations of the environment you are doing business in, and is aware of your multi-cloud strategy.”
Full details of the guidance are available in a Tieto whitepaper.