Don't forget about your data in the rush to take advantage of the cloud's benefits. That, in a nutshell, is the advice from Greg Hoffer, vice president of engineering at GlobalScape.
"We want to help people with the gnarly transition to the cloud," Hoffer said. "Our position is really about the data security angle." The cloud's operational efficiencies, cost savings, and scalability have been "almost beaten to death," he said in a recent interview, but the idea of data security within and across corporate boundaries still entails challenges.
"It can be done, but it has to be a first-class citizen," he said. Moving to the cloud can be "almost too easy" – and "suddenly you've got the Republican party losing data through an analytics firm" as well as other data leaks. Last year in particular was a real "eye opener about how some people misconfigured" crucial cloud settings, Hoffer said.
He'll give more specific suggestions for how to do that in his upcoming presentation at the Interop ITX conference, titled "Cloud migration 101: 10 steps for secure, successful IT transition," on May 3.
Cloud providers aren't inherently less secure than on-premises data centers, Hoffer said, but it takes some thought and care to make sure your data remains safe. Another example of why that is true, he said, surfaced last year: the Spectre flaw, which affected industry-standard microprocessors. Because of the nature of physically shared cloud architectures, also called multitenancy, "even if I trust Amazon, the hardware architecture itself left everyone vulnerable," Hoffer explained. "Data stewarded on-premises didn't have that issue."
The idea, then, is for customers to rethink some of the things they might want to put in the cloud versus keep in house, he said. An older, on-premises CRM system may be difficult to update, and it may make sense to go to SaaS for that because of the savings. But with, say, financial transactions on an accounting mainframe, "That's high risk, high value. Maybe you keep that on premises," Hoffer said. "I can have complete control over that audit trail."
One promising trend is the increasing pressure on cloud providers to adopt better monitoring systems. "The tooling is getting better," Hoffer said. Likewise, third-party cloud brokers are becoming more popular to help customers manage and monitor security.
The burgeoning popularity of the DevSecOps movement has also helped put a spotlight on the data issues. "We're starting to see data-centric DevOps and a focus on stewardship of data," he said.
Another development in this space has been the advent of privacy regulations, especially the General Data Protection Regulation (GDPR), which takes effect throughout the European Union in May. The goal is to protect the data of any EU citizen, and the onus is on companies to take necessary measures to do just that.
"As much as we hate the government telling us what to do, these are to help keep citizens safe," Hoffer said. In turn, these regulations – including PCI, HIPAA and state-specific laws in, say, California – will drive the industry toward more and better security, he added.
GlobalScape has adopted GDPR, he said. The regulation is a model regardless of whether he has EU-based customers or not. "Why wouldn't you apply those, and let your customers know – it makes consumers more confident."
Going forward, AI and machine learning will play a key role in data security. The scale of data analytics and the Internet of Things, in particular, is so great that if "we point AI and ML at that, we'll have an audit trail and a learning system to detect security problems," he said. "Not just based on IP traffic patterns, but also with the use of APIs."
Effective businesses are "good at understanding where they can place their trust," Hoffer said, and a big part of that is choosing the right path for cloud migration. "It's not a big bang; you can't move everything at once."
First and foremost, with any cloud migration strategy, customers need to determine their objectives for the move. "More often than not, it's for operational efficiencies, and that's not a bad goal," Hoffer said. But "someone needs to raise their hand and say, 'Let's compare that with the risk.' You need to understand how the risk impacts your goals."