The Security of Cloud Services and SaaS, Part 2

Daniel Ayala will be posting articles about information security, privacy and compliance in our blog. Throughout his 25 year career, he has led security and privacy organisations in banking and financial services, pharmaceutical, information, higher education, research and library organisations around the world, and both writes and speaks regularly on the topics of security, privacy, data ethics, and compliance. He also happens to be LabArchives Chief Information Security Officer!

Part 2: Technology Secured at Scale

Greetings LabArchives Reader,

Security & Monitoring

There’s a significant benefit to having a single entry point into your network; you can see all the traffic going in and out. One can detect attacks and respond quickly to what is identified as malicious. Coupled with information sharing amongst companies about the types of attacks that each saw and the use of automated blocking tools, this model served us well from a security perspective for nearly 30 years.

With the entrance of the most widely-used enterprise SaaS systems such as Office 365, Google Workspaces, ServiceNow and Workdays, the gravitational centre of the enterprise began its shift out of the local data centre. Layer on a more mobile workforce, working from laptops, phones and tablets, and the expectation that a device would be visible to the internal corporate or university network could no longer be guaranteed, and with it went the ability to have a single security visibility point or choke point. Google chronicled this new operational model as BeyondCorp, and a monumental change in securing applications, data and devices began.

With this shift away from the central, internal network, a new aggregation point for security intelligence arose: the cloud service provider. According to a recent Canalys research report, the three top cloud hosting providers, AWS (32%), Microsoft Azure (19%), and Google Cloud (7%), now account for well over half of all cloud hosting globally. This trend means that there is a new aggregation point for monitoring and intelligence on attacks. It is a view more comprehensive than any one enterprise reconnaissance or threat intelligence efforts could achieve.

The benefit of scale and gravity also extends to security research and development and staff expertise. Major cloud providers have an incentive to build secure infrastructure and keep it secure as that is the whole of their business. Investments in new security techniques and technologies are core for them. They can often invest more significant amounts and make more progress on securing their environments because it is their business; contrast this with the sometimes-held idea that security is a cost for organisations rather than an investment, enabler, or even a competitive advantage.

Also, when security innovations are added into these cloud services, they can be quickly adopted by all the many applications built upon that cloud provider’s offering, thus improving the overall security of the Internet without cost to or requiring significant effort by the hosted organisations themselves. The most basic premise that continuous improvement in security by major hosting services and the following quick adoption by cloud SaaS companies is a hallmark of the essential security benefit that comes with cloud services.