Securing the cloud
What are the greatest concerns for utility companies considering migration to the cloud? As with other industries, it’s the vulnerability of cloud-based applications and data privacy. But for an industry that holds enormous amounts of customer AMI (advanced metering infrastructure) data, mitigating these issues requires a very specific asset: a secure and compliant enterprise-grade virtual data center in the cloud.
For this to happen, these organizations must first address the following:
- How can we secure the grid network to avoid outside hacking?
- How can we leverage the cloud to increase agility and innovation?
- How can we protect customer data in a world of third-party sharing?
- What best practices can we learn from other critical infrastructure industries?
While addressing these issues goes far beyond the scope of this blog, I will attempt to shed some light on where to start and how to go about tackling security in the age of the cloud.
The business model
One of the first issues to determine is which applications to migrate. While moving everything to the cloud has proven feasible for some, it’s more prudent to start with applications constrained by the limitations of a physical data center, or those with no need to connect to one. Then there’s the economic consideration of whether migrating a particular app is financially viable.
A good example is an application that utilizes extreme amounts of resources for short periods of time. Rather than investing in infrastructure to support 100% uptime, the cloud offers vast compute and storage capabilities, combined with the ability to consume resources for the precise time required.
A more highly-trained workforce
Cloud migration opens upskilling opportunities for both potential and current employees. Outside the organization, a large number of potential developers, operations and security personnel will be attracted to the agility and flexibility that come when the physical boundaries of data centers are removed, which increases the pool of potential talent. Within the organization, employees can use the opportunity to expand their skills into domain-specific tools and practices.
A single cloud service provider already offers an enormous collection of services; running multiple clouds makes things even more complicated, creating the need for solid governance to ensure security, compliance and auditability. For those utility companies who are just embarking on this journey, ensuring such considerations are embedded into their strategy will be pivotal to their success.
So before migrating the first workload, an assessment must be made on how to best govern the platform. Omitting this step can lead to significant issues, such as building infrastructure and applications that lack alignment with the organization’s standards for security, operations and cost management. Keep in mind that after the fact, it's difficult to go back or introduce a new governance model.
In contrast, putting a governance model in place at the right time allows for the creation of an enforceable policy, as well as the ability to determine which aspects of the platform can be manipulated by users and which through automation. And just as data is valuable to an organization, so too is metadata: it is key both to extracting maximum value from cloud infrastructure and to driving the automation that supports the governance model.
Every cloud service provider should be viewed as an independent platform with similar architectural goals and different implementations. Adopting this perspective allows an across-the-board security approach that supports the specific organization’s needs. An example is ensuring that the Amazon Web Services (AWS) platform offers the same security controls as the Azure or Google Cloud Platform (GCP).
With regard to compliance, unlike legacy on-premises data centers, which require manual installation of hardware and software, virtualization supports the use of infrastructure as code and automation to deliver the same controls to different cloud platforms, while policy can be set directly within the platform code in alignment with the organization’s needs.
Beyond security, cost management goals can be achieved by setting upper limits on application team expenditures or by implementing operational needs via code. Then, when coding the platform, DevOps and CI/CD can be used to deliver a truly innovative and flexible cloud platform that takes a specific security approach and maintains company-wide organizational goals.
With so few physical components, a major upside to virtualization is simplification. Furthermore, capacity is virtually infinite. The result for operations teams is the ability to focus their resources on the application teams and platform services.
Operational goals can also be woven into the platform to provide greater agility. For example, backups can be enabled for all workloads by default and enforced with policy, while alerts can be introduced in the platform code and presented on a configurable dashboard. An additional advantage is the ability to implement security controls based on popular cybersecurity frameworks.
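As an added illustration (not code from the original post), the following Python snippet shows what a small policy-as-code check looks like when the governance rules described above are applied uniformly across providers: backups on by default, required metadata tags that drive automation, and per-team spending ceilings. The workload names, tags, teams and budget figures are constructed assumptions.

```python
"""Added example: evaluate a cloud-agnostic workload inventory against
governance rules (backup default-on, required metadata, team budgets).
All names, tags and budget figures below are constructed assumptions."""
from dataclasses import dataclass, field

# Governance policy, applied identically whether the provider is aws/azure/gcp.
REQUIRED_TAGS = ("owner", "cost_center", "data_classification")
TEAM_BUDGET_USD = {"metering": 5000, "billing": 3000}  # upper limits per team


@dataclass
class Workload:
    name: str
    provider: str
    team: str
    monthly_cost_usd: float
    backup_enabled: bool = True  # default-on, as the post recommends
    tags: dict = field(default_factory=dict)


def evaluate(workloads):
    """Return a list of (subject, rule) findings; an empty list means compliant."""
    findings = []
    spend = {}
    for w in workloads:
        if not w.backup_enabled:
            findings.append((w.name, "backup_disabled"))
        missing = [t for t in REQUIRED_TAGS if t not in w.tags]
        if missing:
            findings.append((w.name, "missing_tags:" + ",".join(missing)))
        spend[w.team] = spend.get(w.team, 0.0) + w.monthly_cost_usd
    for team, total in spend.items():  # cost ceilings enforced per team
        limit = TEAM_BUDGET_USD.get(team)
        if limit is None:
            findings.append((team, "no_budget_defined"))
        elif total > limit:
            findings.append((team, f"budget_exceeded:{total:.0f}>{limit}"))
    return findings


# Constructed sample inventory spanning three providers.
SAMPLE = [
    Workload("ami-ingest", "aws", "metering", 4200.0,
             tags={"owner": "grid-ops", "cost_center": "CC-01",
                   "data_classification": "confidential"}),
    Workload("ami-analytics", "gcp", "metering", 1500.0, backup_enabled=False,
             tags={"owner": "grid-ops", "cost_center": "CC-01"}),
    Workload("bill-present", "azure", "billing", 900.0,
             tags={"owner": "cust-svc", "cost_center": "CC-02",
                   "data_classification": "pii"}),
]

if __name__ == "__main__":
    for subject, rule in evaluate(SAMPLE):
        print(f"{subject}: {rule}")
```

Run against the constructed inventory, the check flags the analytics workload for a disabled backup and a missing classification tag, and the metering team for exceeding its ceiling, while the billing workload passes.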
Before the organization can fully realize the operational advantages of cloud, remnants of the traditional operating model – i.e., a central IT responsible for implementing policy and services, and providing support for application teams – must be revisited.
Ideally, a Cloud Center of Excellence (CCoE) should be established. Advantages include allowing freedom for application teams to experiment and innovate, while implementing security guardrails to minimize risk exposure. The CCoE can also provide logging and monitoring for security control purposes.
While the above approaches are all imperative to reaping the rewards of virtualization, the benefits cannot be fully realized unless they’re implemented in collaboration with a strategic partner who has alliances with the cloud hyperscalers on one hand, and a strong security offering, data mining products and billing presentment tools on the other. If ultimately adopted across the industry, such an approach would strongly position the utilities sector as a cloud data powerhouse, benefiting not only themselves, but the customers they strive to serve.