By Christophe Levier, BU Cloud & Security Director.
Five years after the sad and costly end of the national Sovereign Cloud adventure, the Public Cloud has become one of the priority strategies in the Digital Transformation of our large companies. Airbus, Veolia, Société Générale, Schneider Electric, Engie and others are now massively migrating their infrastructures, applications and data to the US leaders AWS, Microsoft Azure and Google Cloud Platform, despite the Patriot Act and the more recent adoption of the Cloud Act by the US in 2018. And the trend is continuing: IDC predicts that 90% of French companies will have adopted multiple public cloud services and platforms by 2020, while Gartner predicts that public cloud will grow by nearly 20% annually through 2021.
Is the notion of "Sovereign Cloud" and the protection of French data and digital heritage out of the equation in the IT strategies of our large companies?
Yet various surveys of French IT departments show that security remains their number one concern! Cybercrime has no borders, and the Public Cloud, which is becoming an extension of the company's network, has a very wide exposure that mechanically increases the vulnerability risk for applications and corporate data, despite the level of security of the operators themselves. Moreover, the number of cyber attacks increased by 42% worldwide between 2017 and 2018. These attacks are increasingly sophisticated, and 34% of them take place in Public Cloud environments (Check Point Security Report).
This rapid revolution in IT consumption is disrupting existing organizations and cybersecurity models. Human resources and sales departments are contracting SaaS solutions directly, while finance and marketing departments are managing Big Data, Data Lake and Analytics projects with public cloud operators. In the end, many CISOs have lost complete visibility and therefore control of these operations.
It is therefore imperative for companies to adopt new governance, new tools and new services in terms of security. The model must be adapted to the new IT production perimeter, starting with application development. Code must be analyzed throughout the application lifecycle, and DevOps teams must be educated and trained in vulnerability detection.
Many large companies migrate to the Public Cloud thinking that the Cloud Provider's infrastructure is more secure than the IT department's historical data center. However, in a Public Cloud model, the responsibility for security is shared between the provider and the customer. The customer is always responsible for securing its applications, data and workloads, and the operator is responsible for guaranteeing the security and availability of the data center, services and infrastructure.
It is therefore necessary for companies to quickly and globally question their defensive and offensive security as well as their existing tools (firewall, secure gateway, SOC (Security Operations Center), SIEM (Security Information and Event Management), etc.) and to integrate new innovations and technologies optimized for Cloud environments, which have already been available for several years:
- Cloud Access Security Broker (CASB): tools deployed in the enterprise or in the cloud, positioned between users and cloud services to apply the company's security policies (authentication, access authorization, SSO, encryption, etc.).
- Data Loss Prevention (DLP) modules optimized for cloud environments.
- Web Application Firewalls (WAF) tailored to target cloud environments.
- Automated patch management tools.
- Advanced encryption software.
- Access protection solutions with high levels of authentication (two-factor authentication (2FA), based on electronic or physical certificates, etc.).
- Security Information and Event Management (SIEM), orchestration and automation solutions for cloud environments.
An essential and strategic approach is to build security in from the design of applications and throughout the entire IT process (Security by Design). Security teams must be involved in all projects and operations, because even today we still see many strategic Cloud projects in which security teams are called in only at the very end, after production or, worse, after a compromise.
In summary, the adoption of the public cloud is a major trend in our large enterprises that requires rapid reform of strategy, organizational governance, operations and security tools. Security teams need to be trained on the new features, constraints and threats of these environments and collaborate proactively with all other IT departments. Their mission: deploy new technologies to secure public cloud environments.
To meet these requirements, and in line with the increase in our projects in Public Cloud environments, we offer our customers audit, architecture consulting and technical assistance services under the Micropole Go Cloud & Security brand.
Contact: Christophe Levier - firstname.lastname@example.org