Cybersecurity will remain a top priority – in fact, perhaps the top priority – in cloud computing in the medium term. When data is sensitive or when laws require it, organizations turn to the sovereign cloud as part of the solution.
Nigel Pair, corporate director of the UNSW Institute for Cybersecurity and a non-executive director on several corporate boards, said: “The whole business case surrounding the sovereign cloud is that this information is so sensitive, so serious that it should be domiciled, say, from our perspective, in the Australian environment.”
Along with the risk of nation states granting themselves the right to seize corporate data, there are also increasingly aggressive privacy regimes reflecting the concerns of consumers around the world.
“Germans don’t trust companies with data. Americans don’t trust the government with data and China wants good data,” said Robert Potter, co-founder and co-CEO of Internet 2.0 and adviser to the US State Department.
Their views are consistent with research from organizations such as Gartner.
“For a range of reasons at the macro, economic and societal level, which we call, in short, digital geopolitics, we are going to see some differences in terms of cloud computing towards 2025 and beyond towards 2030.”
He said that Europe provided an excellent example. “They have a strong desire to increase their digital sovereignty. So they want to be less dependent on foreign entities in terms of reliance on cloud computing, in fact, computing as a whole.”
This indicates who governments trust to deliver their cloud and broader technology architecture, as companies like Huawei and Alibaba have already discovered.
According to Potter, “If your racks are in China, basically, if you can touch the box that belongs to you, that’s the general rule, isn’t it?”
Hacking is so much easier if you can physically get your hands on the box, he said.
Potter told iTnews: “In the cloud, the most dangerous way is through the infrastructure of the cloud provider itself. Take the Huawei national data centers of Papua New Guinea, for example: Huawei has given itself a universal access pass to the entire cloud infrastructure, so there’s not much you can do if the bad guy owns the metal.
“You want to think about where you put your cloud data, because the first question is the vendor question more than the actual configuration of your instances. The first thing is to not buy the wrong cloud. Because if the bad guy can just turn the knob at the bottom and dump all your stuff, then you have no hope.”
The problem is potentially even worse than that, he suggested.
“The other element is that if that cloud provider is immature, the bad guy can exploit the cloud instance to move laterally between multiple customers and drain them all at once. That’s what we’ve seen APT10 do. This is a task force from Tianjin, China, about an hour east of Beijing. They work with the MSS (Ministry of State Security). They hit a bunch of customers just moving sideways, infecting the entire cloud layer. They affect the infrastructure layer of the cloud, not the user layer.”
However, the vast majority of cloud breaches are still carried out using compromised user credentials.
“It’s about getting all the cyber basics right. Cloud outsourcing does not mean outsourcing the risk; you still own the risk. It’s a key principle that a lot of people don’t buy into, and they get into big trouble. Getting user controls, access controls is absolutely vital to doing this.”
Organizations should treat the cloud environment as if it were part of the business and behave accordingly, Potter said: “[Just] as you would as if this server was sitting in your own office.”