Guest blog: Real Security in a Cloudy World 

  • techUK
    Tuesday 16 Jun 2020

    Guest blog: Ashley Ward, Cloud CTO EMEA, Palo Alto Networks, provides some guidance on how to secure cloud resources as part of #Cloud2020

As a business or security professional, it’s all too easy to become overwhelmed by the availability and range of cloud services. Often organisations discover that their technology footprint or stack has changed almost unnoticed, and at other times it seems to be changing at a frightening pace.

Fortunately, security principles and risk management best practices still apply in the cloud world.  These principles just need to be applied in the appropriate way for the resources in use. This is sometimes easier said than done! 

What do we mean when we talk about cloud?   

I like to break cloud into 3 areas: 

  • Cloud services: things like Gmail, Workday, or Salesforce. These would be Software as a Service (SaaS).

  • Cloud compute: using Infrastructure as a Service (IaaS) or other services in public cloud, for example with Cloud Service Providers (CSPs) like Amazon Web Services (AWS) or Google Cloud Platform (GCP).

  • Cloud native development: creating and deploying services in a cloud native way and not necessarily running them in public cloud. Typically this means breaking applications into microservices and utilising ephemeral runtimes. The Cloud Native Computing Foundation is a good place to start on this.

For each of these areas you want to identify what you are using or what you’re going to use while also considering what regulatory or company standards you need to apply.  Do you have to consider data sovereignty?  What types of data are you storing in those services and what happens in the event of data loss/breach? 

Once you have considered these factors, the big question becomes: what are your responsibilities? Cloud services operate a shared responsibility model. If I’m making use of SaaS then the areas that I need to secure are vastly different from those I need to secure if I’m using IaaS and spinning up virtual machines in the public cloud. The CSPs spend considerable time and money to ensure that their responsibilities are fully covered and they are fully compliant. Unfortunately this gives rise to the myth that the public cloud is by default more secure. Though it certainly has the potential to be more secure, that’s not typically the case.

To use an analogy that can be visualised in the real world, I can have the most securely designed bank vault but if I choose to leave the door open then the manufacturer can hardly be liable for any losses. 

Now that you know what services you have, you need to do asset discovery and tracking for them. Efficient use of cloud services means that resources will be much shorter lived than would be the case on premises. A weekly scan for assets is no longer enough. The good news is that having identified which parts of the cloud I’m using (SaaS vs other services) I can focus my efforts in the places that are my responsibility.

This then ties into a change in the way we are working and the emergence of DevSecOps to bake security into the development process. 

This places a tremendous strain on security departments and brings in a whole new area of security management. Gartner defines cloud workload protection platforms (CWPP) as “workload-centric security offerings that target the unique protection requirements of workloads in modern hybrid, multi-cloud data center architectures.”

You’ve now looked at what you’re using, what you’re storing there, what’s in your remit to configure, and what you can do to bake this in from the start. It seems like a lot because it is. Fortunately, it is achievable when broken into chunks. We’re here to help. At Palo Alto Networks we ensure each day is safer and more secure than the one before.

This insight is part of techUK's Cloud Week 2020. You can find related news and insights here.

  • Sue Daley

    Associate Director | Technology & Innovation
    T 020 7331 2055
