The US Department of Defense’s decision last year to award Microsoft the US$10bn JEDI (Joint Enterprise Defense Infrastructure) cloud services contract has created a huge stir, but for all the wrong reasons!
The most recent headlines have all focused on AWS filing a legal challenge disputing the decision. However, they should be about how the JEDI deal is a real game changer for public cloud services.
When the JEDI contract first went out to tender, it was widely assumed that AWS was the only public cloud provider with the security accreditations and capabilities needed to win it. AWS was already providing cloud computing for the CIA, including workloads up to Impact Level 6 (IL6), the level defined in the DoD Cloud Computing Security Requirements Guide for handling “Secret” classified material in the cloud. By winning the contract, Microsoft demonstrated that it too can operate at that level of security.
The significance is that, with the two biggest providers having demonstrated this capability, security is no longer a barrier to any organisation adopting public cloud services. That is particularly relevant for government and financial services organisations, which typically have a lower risk tolerance than most.
That said, there is an important caveat: there is no such thing as ‘secure’ or ‘insecure’ public cloud.
Securing Your Public Cloud Solution
Security is determined by the whole solution delivered on top of the public cloud infrastructure, and in my view that is why Microsoft was chosen over AWS. Public cloud is the right container, but it is not secure by default; you also need the right solution design and security measures in place.
At Interactive, these are the elements that are critical in determining the security of a public cloud solution:
1. Architecture: ensuring there is logical separation between components and secure communication between them, using encryption overlaid with a zoning model that defines and separates subjects and objects according to their security requirements.
2. Data Life Cycle Management: ensuring that the data you are using is protected at all times and at every point in the process. This encompasses data creation, storage, usage, sharing, archiving and disposal, and includes protection against the risk of data leakage or misuse.
3. Perimeter Security: ensuring strong intrusion detection and prevention systems (IDS/IPS) and advanced threat protection (ATP).
4. Secure Operations and Governance: working with secure operational processes, strong password management, and the least privilege principle (limiting a user’s access rights to the bare minimum needed to perform their work), including data masking where appropriate.
5. Certification and Compliance: adherence to recognised security and risk management standards, frameworks and regulations, including ISO (such as ISO/IEC 27001), NIST, HIPAA, FedRAMP and the GDPR.
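To make the zoning idea in point 1 concrete, here is an added example (not Interactive’s code or tooling) of the kind of check a solution architect can run over a proposed design. It models one common form of zoning, a tiered network model in which each zone may only initiate connections into the next tier, and every cross-zone connection must use an encrypted protocol. The zone names, tier order, component names, protocols and the flows themselves are all constructed for the example.

```python
"""Added illustration of a tiered zoning model (not the page's own code).

Assumptions (constructed for this example):
  * zones are ordered tiers: internet -> dmz -> app -> data
  * a component may initiate a connection only within its own zone, or
    into the immediately adjacent, more protected tier
  * any cross-zone connection must use an encrypted protocol
"""
from dataclasses import dataclass

# Tier order, least protected first (assumed for the example).
ZONE_ORDER = ["internet", "dmz", "app", "data"]

# Protocols we accept as encrypted transport (assumed list).
ENCRYPTED = {"https", "tls", "ssh"}


@dataclass(frozen=True)
class Component:
    name: str
    zone: str


@dataclass(frozen=True)
class Flow:
    """A connection initiated by src towards dst over protocol."""
    src: Component
    dst: Component
    protocol: str


def check_flow(flow: Flow) -> tuple[bool, str]:
    """Return (allowed, reason) for one proposed connection."""
    src_tier = ZONE_ORDER.index(flow.src.zone)
    dst_tier = ZONE_ORDER.index(flow.dst.zone)

    if src_tier == dst_tier:
        return True, f"{flow.src.name}->{flow.dst.name}: same zone ({flow.src.zone})"

    # Cross-zone traffic must be encrypted, regardless of direction.
    if flow.protocol not in ENCRYPTED:
        return False, (f"{flow.src.name}->{flow.dst.name}: cross-zone flow "
                       f"over unencrypted {flow.protocol}")

    # Connections may only be initiated one tier inward (e.g. app -> data),
    # never outward from a more protected zone and never skipping a tier.
    if dst_tier != src_tier + 1:
        return False, (f"{flow.src.name}->{flow.dst.name}: {flow.src.zone} "
                       f"may not initiate connections to {flow.dst.zone}")

    return True, (f"{flow.src.name}->{flow.dst.name}: encrypted "
                  f"{flow.src.zone}->{flow.dst.zone} flow")


def audit(flows: list[Flow]) -> list[tuple[str, str, bool, str]]:
    """Evaluate every flow; returns (src, dst, allowed, reason) tuples."""
    return [(f.src.name, f.dst.name, *check_flow(f)) for f in flows]


def example_flows() -> list[Flow]:
    """A constructed three-tier design with some deliberately bad flows."""
    client = Component("browser", "internet")
    lb = Component("load-balancer", "dmz")
    api = Component("api", "app")
    worker = Component("worker", "app")
    db = Component("db", "data")
    return [
        Flow(client, lb, "https"),   # allowed: internet -> dmz, encrypted
        Flow(lb, api, "https"),      # allowed: dmz -> app, encrypted
        Flow(api, db, "plain"),      # rejected: unencrypted across zones
        Flow(api, db, "tls"),        # allowed: app -> data, encrypted
        Flow(lb, db, "https"),       # rejected: dmz skips a tier to data
        Flow(db, api, "https"),      # rejected: data zone initiating outward
        Flow(api, worker, "http"),   # allowed: same zone
    ]


if __name__ == "__main__":
    for src, dst, ok, reason in audit(example_flows()):
        print("ALLOW " if ok else "REJECT", reason)
```

The three rules are deliberately simple; a real zoning policy would also carry the subject and object classifications the text mentions, the allowed ports per flow, and the identity of the service account initiating each connection. The point is that the policy is written down and checked against the design, rather than assumed from the fact that the platform underneath is a major cloud provider.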
Security is increasingly becoming top of mind for our customers due to the evolving threat landscape, increased compliance requirements plus the financial and reputational damage that a data breach can inflict.
Common feedback I receive from customers is that it is challenging to achieve very high levels of security in their own data centres or on their own server infrastructure. This sentiment aligns with a recent comment by Sean Roche, the CIA’s Associate Deputy Director of Digital Innovation, when referring to AWS: “the cloud on its weakest day is more secure than a client-server solution.”
Nervousness around public cloud security is dissipating, and rightly so, but, at the risk of sounding too much like Yoda: ask not whether public cloud is secure, ask instead whether your public cloud solution is secure.
If you’d like to learn more about our Cloud and Managed Services or how we help businesses secure their data in the cloud click here or call us on 1300 584 644