January 22, 2019

Trust but verify – cloud business demands new thinking

Timo Ahomäki

Head of Portfolio Development, Tieto Security Services

Modern business is based on the cloud, which in turn consists of ecosystems of several different parties. This kind of joint effort would not be possible without a certain level of trust between the parties. In security, trust is now the most valuable currency.

The infamous saying goes that “the cloud is just someone else’s computer”. While this is funny and sort of true, cloud-based business should essentially be seen as an ecosystem. In this collaboration network, each party supplies some resources. Everyone does the part where they are the best.

For example, an organization might use office software, collaboration tools, storage space, and virtual server capacity all from different vendors. 

Even a huge conglomerate running its own data centers still needs someone else to provide electricity and network installations, as well as cleaning and maintenance services. 

In a perfect world you’d have a detailed plan for the cloud transition, but in reality, the company’s assets move to the public cloud over time and piece by piece. And it’s just too easy to overlook security in this case. The most important component of security is clear visibility into all your assets and services; when the transition to the cloud happens piecemeal, you lose much of that all-important visibility.

Still suspicious? Get a third-party assurance 

In a trust network, the value of each participant depends on the level of trust the others place in them.

This forces us to think about security in a new way. You have to accept that you can’t be in control of all the nitty-gritty details of your environment. When you choose, for example, a cloud provider, you also place trust in their entire supply chain. It pays to be a paranoid optimist here.

For security, this means that there must be a system where each party secures their own parts to a degree that creates trust in the other parties. It is necessary to have a solid agreement about where the boundaries of each party’s trust domain lie.

Even if you are trustful, it doesn’t mean you should be gullible. Trust can also be established via third-party audits. If you feel bad about not having access to the provider’s inner workings, you can have a qualified assurance from an auditor.  

The old Russian proverb “trust but verify” also holds true in a modern hybrid cloud ecosystem.
