Cybersecurity remains a top priority—indeed, perhaps the top priority—in cloud computing for the medium term. When data is sensitive or where laws require it, organizations are looking to sovereign cloud as part of the solution.
According to Nigel Pair, enterprise director, UNSW Institute for Cybersecurity, and also a non-executive director on a number of boards, “The whole business case around sovereign cloud is that this information is so sensitive, so serious that it should be domiciled, say, in our perspective, in the Australian environment.”
In addition to the risk of nation-states giving themselves the right to get their sticky fingers on corporate data, there are also increasingly aggressive privacy regimes that reflect the concerns of consumers around the world.
“Germans do not trust companies with data. Americans don’t trust the government with data and China wants the data, right,” said Robert Potter, co-founder and co-CEO at Internet 2.0 and an adviser to the US Department of State.
Their views are consistent with research from organizations such as Gartner.
“For a number of macro, economic and societal reasons, which we call, in summary, digital geopolitics, we will see some differences in terms of cloud computing in 2025 and beyond towards 2030.”
He said that Europe offers a great example. “They have a strong desire to increase their digital sovereignty. So they want to be less dependent on foreign entities in terms of their dependence on cloud computing, in fact, computing in general.”
That informs who governments trust to provide their cloud and broader technology architecture, as companies like Huawei and Alibaba have already discovered.
According to Potter, “If your racks are in China, basically, if you can touch the box you own them, the general rule of thumb is, right?”
Hacking is so much easier if you can physically get the box, he said.
Potter told iTnews: “In the cloud, the most dangerous path is at the infrastructure level of the cloud provider itself. Take Huawei’s national data centers in Papua New Guinea, for example: Huawei has given itself a universal access pass to the entire cloud infrastructure, so there is not much you can do when the bad guy owns the metal.”
“You want to think about where you put your cloud data, because the first question is the provider question more than the actual setup of your instances. The first thing is, don’t buy the wrong cloud. Because if the bad guy can just turn the knob at the bottom and empty all your things, then you have no hope.”
The problem is potentially even worse than that, he suggested.
“The other component is, if that cloud provider is immature, the bad guy can exploit the cloud instance to move laterally across multiple clients and drain them all at the same time. That’s what we’ve seen APT10 do. They’re an operational group from Tianjin in China, about an hour east of Beijing; they work with the MSS (Ministry of State Security); they hit a bunch of clients by simply moving laterally through the entire cloud layer infected. They hit the infrastructure layer of the cloud, not the user layer.”
However, the vast majority of cloud breaches are still done with compromised user credentials.
“It’s a case of getting every basic cyber right. Outsourcing cloud doesn’t mean outsourcing risk, you still have the risk. That’s a key principle that a lot of people don’t follow, and they get into big trouble. Getting user control, access control is absolutely vital to getting it done.”
Organizations must treat the cloud environment as part of the enterprise, and behave accordingly, said Potter, “[Just] as you would pretend that server was sitting in your own office.”