Cybersecurity will remain a top priority – indeed, perhaps the top priority – in cloud computing for the median term. When the data is sensitive or where laws require it, organisations are looking to sovereign cloud as part of the solution.
According to Nigel Phair, enterprise director, UNSW Institute for Cybersecurity, and also a non-executive director on a number of boards, “The whole business case surrounding sovereign cloud is that this information is so sensitive, is so serious that it should be domiciled, say, in our perspective, in the Australian environment,” he said.
Apart from the risk of nation-states granting their sticky fingers the right to grab company data, there are also increasingly aggressive privacy regimes reflecting consumers' concerns around the world.
“Germans don't trust companies with data. Americans don't trust the government with data and China wants data right,” Robert Potter, co-founder and co-CEO at Internet 2.0 and an advisor to the US Department of State said.
Their views are consistent with research out of organisations like Gartner.
“From a range of macro, economic and societal level reasons, which we, in summary, call digital geopolitics, we're going to see some differences in terms of cloud computing heading into 2025 and beyond towards 2030.”
He said Europe offers a great example. “They've got a strong desire to increase their digital sovereignty. So they want to be less reliant on foreign entities in terms of their dependence on cloud computing, in fact, computing overall.”
That informs whom governments trust to provide their cloud and wider technology architecture, as companies like Huawei and Alibaba have already discovered.
According to Potter, “If your racks are in China, basically, if you can touch the box you own it, is the general rule of it, right?”
Hacking is so much easier if you can physically get hold of the box, he said.
Potter told iTnews, “In cloud, the most dangerous way is at the infrastructure level of the cloud provider itself. Take the Huawei national data centres of Papua New Guinea, for example, Huawei gave themselves a universal access pass to the whole cloud infrastructure, so there isn't much you can do if the bad guy owns the metal.
“You want to think about where you put your cloud data because the first question is the provider question more so than the actual setup of your instances. The first thing is, don't buy the wrong cloud. Because if the bad guy can just turn the knob at the bottom and empty all your stuff out, then you've got no hope.”
The problem is potentially even worse than that, he suggested.
“The other component is, if that cloud provider is immature, the bad guy can exploit the cloud instance, to move laterally across multiple customers and drain them all at the same time. That's what we saw APT10 do. They're an operation group out of Tianjin in China, about an hour east of Beijing, they work with the MSS (Ministry of State Security), they hit a bunch of customers by simply moving laterally through infecting all the cloud layer. They hit the infrastructure layer of the cloud, not the user layer.”
However, the vast majority of cloud breaches are still done using compromised user credentials.
“It's a case of getting all the basic cyber right. Outsourcing cloud does not mean outsourcing risk, you still own the risk. That is a key principle a lot of people don't adhere to, and they get into big trouble. Getting the user controls, the access controls is absolutely vital to getting it done.
Organisations need to treat the cloud environment like it's part of the enterprise, and behave accordingly Potter said, “[Just] as you would do as if that server was sitting in your own office.”