Cybersecurity will remain a top priority – indeed, perhaps the top priority – in cloud computing for the medium term. When the data is sensitive or where laws require it, organizations are looking to sovereign cloud as part of the solution.
According to Nigel Pair, enterprise director, UNSW Institute for Cybersecurity, and also a non-executive director on a number of boards, “The whole business case around sovereign cloud is that the information is so sensitive, is so serious that it should be domiciled, say, in our perspective, in the Australian environment.”
Besides the risk of nation-states giving themselves the right to get their sticky fingers on company data, there are also increasingly aggressive privacy regimes that reflect concerns around the world.
“Germans don’t trust companies with data. Americans don’t trust the government with data and China wants data, right,” said Robert Potter, co-founder and co-CEO at Internet 2.0 and an adviser to the US Department of State.
Their views are consistent with research from organizations like Gartner.
“For a range of macro, economic and societal reasons, which we, in summary, call digital geopolitics, we will see some differences in terms of cloud computing heading into 2025 and beyond to 2030.”
He said that Europe offers a great example. “They have a strong desire to increase their digital sovereignty. So they want to be less dependent on foreign entities in terms of their dependence on cloud computing, in fact, computing overall.”
This informs who governments trust to provide their cloud and broader technology architecture, as companies like Huawei and Alibaba have already discovered.
According to Potter, “If your racks are in China, basically, if you can touch the box you own it, that’s the general rule of thumb, right?”
Hacking is so much easier if you can physically get the box, he said.
Potter told iTnews, “In cloud, the most dangerous path is at the infrastructure level of the cloud provider itself. Take the Huawei national data centers of Papua New Guinea, for example, Huawei has itself a universal access pass to the entire cloud infrastructure, so there’s not much you can do if the bad guy owns the metal.
“You want to think about where you put your cloud data because the first question is the provider question more than the actual setup of your instances. The first thing is, don’t buy the wrong cloud. Because if the bad guy can just shoot the knot at the bottom and empty all your stuff, then you have no hope.”
The problem is potentially even worse than that, he suggested.
“The other component is, if the cloud provider is immature, the bad guy can exploit the cloud instance, to move laterally across multiple customers and drain them all at the same time. That’s what we’ve seen APT10 do. They’re an operation group from Tianjin in China, about an hour east of Beijing, they work with the MSS (Ministry of State Security), they hit a bunch of customers by simply moving laterally by infecting all the cloud layer. They hit the infrastructure layer of the cloud, not the user layer.”
However, the vast majority of cloud breaches are still done with compromised user credentials.
“It’s a case of getting all the basic cyber right. Outsourcing cloud doesn’t mean outsourcing risk, you still own the risk. That’s a key principle that a lot of people don’t adhere to, and they get into big trouble. Get the user controls, the access controls is absolutely vital to get it done.”
Organizations need to treat the cloud environment as if it is part of the enterprise, and manage accordingly, Potter said, “[Just] as you would do if the server was sitting in your own office.”