Expert opinion

Choosing the Securest IaaS

8 minutes

Sergey Zinkevich

Infrastructure as a Service (IaaS) has been taking off: a modest early rise of about 20% was followed by a head-spinning increase of more than 40% during the pandemic. Cloud security, however, remains open to debate, despite experts' arguments that there is no reason for concern.

With IaaS having been on the market for over ten years, providers have refined their data security, both in selecting security products and in streamlining operations. Sergey Zinkevich, Business Development Director, CROC Cloud Services, shares what to consider when choosing a cloud service provider if cloud platform security is a top priority.

The pandemic as an IaaS driver

Heavy IaaS buyers are companies from intensely competitive markets, such as B2C in general and banking, mobile app development, and retail in particular. Today's consumers value service and usually stay with the company that lives up to their expectations by offering the right service at the right moment. Failing to meet those expectations means losing out to the competition. Businesses that go cloud enjoy greater flexibility, allowing for a quick response to market fluctuations, rapid launch of new services, and swift customer segmentation for targeted offers. The transition to remote work in 2020, for example, boosted grocery shopping via mobile apps. According to MasterCard, when the pandemic's peak arrived, e-commerce made up roughly $1 out of every $5 spent on retail, up from about $1 out of every $7 spent in 2019. The bottom line is that the companies that rolled out the most user-friendly and efficient apps on the booming e-commerce and delivery market won the game. Those who started moving six to twelve months later now have to work as hard as they can to catch up. It gets even harder, as computing equipment has been particularly scarce since 2021. Due to the chip shortage, deliveries have stretched from the standard eight to ten weeks to six months, and in the worst cases up to a year or more. Inevitably, businesses' digital transformation journeys bog down.

A dedicated cloud infrastructure empowers a company to test more new service offerings: with no cost items tied to equipment, a business is free to scale cloud capacity up or down as needed. Meanwhile, if you own a data center, you have to develop your business cautiously, because launching a new service goes hand in hand with serious capital expenditures. IaaS involves much lower risk, as everything comes down to swings in operational expense.

"Various verticals have been showing an increasing interest in IaaS over the last few years," observes Sergey Zinkevich. "Even banks jumped in despite their conservative reputation for doubting clouds. Financial and credit institutions understand that IaaS allows them to be highly responsive to changes and get closer to customers, so they tend to host more apps in a cloud. Understandably, our banks still prefer on-premise servers, when it comes to bank secrecy."

Why not every company uses IaaS

Some companies still face barriers, whether psychological or organizational, to the use of cloud. Large enterprises, for instance, that have invested heavily in infrastructure are reluctant to switch abruptly to IaaS. Such companies usually need a powerful motivation. Management needs to be convinced that migrating to the cloud will significantly reduce infrastructure costs, free up skilled engineering staff to support a complex project instead of server infrastructure, or provide the right level of flexibility. Both top management's skepticism about anything new and corporate inertia can impede change: if everything works, why try something new, even if it is more cost-efficient?

"The degree of IaaS adoption usually depends on the organization size and tasks," explains Sergey Zinkevich. "Smaller companies usually express more enthusiasm in app cloud hosting, while corporate customers have systems that have been reliably operating for a long time on not-yet-obsolete hardware. In other words, there is a legacy that doesn't make much sense with IaaS on a short- or mid-term horizon. Besides, cloud-based licensing can be a challenge for certain software, Oracle DBMS for example. Luckily, such apps account for merely 5-15%. According to CROC Cloud Services, 25-35% of a large company's apps ensure customer communication and can always be safely migrated to a cloud. Though, it's worth discussing internally the pros and cons of whether to migrate the remaining 50-60% of apps."

What infrastructure availability means

A corporate customer may have 100+ information systems of varying importance. The more business operations depend on a system, the more critical that system is to the business. For example, a cash register (POS) system is critical to a retail chain, because if it fails, shoppers cannot pay for their purchases. The retailer will consequently suffer heavy direct losses and long-lasting reputational damage, which may hurt even more than the lost sales themselves.

Another example is a failure in the logistics system of a carrier company. The company uses the system to manage its truck fleet schedule, including the time of loading and of delivery to the destination. A truck is supposed to arrive for loading at four in the morning to make it out of Moscow via the Moscow Ring Road before the traffic jams. If the logistics system is down or slow, trucks risk missing their schedule, which may disrupt the entire supply chain and inflict direct losses on the company and its partners.

Designing IaaS security strategy

With that said, it is clear how important the availability and performance of mission-critical systems are to businesses and how picky companies are about infrastructure models and products. Moreover, business is meticulous about data security. Ensuring secure storage, preventing breaches, and protecting data against adversaries is of great concern to company executives.

Worrying about information confidentiality often leads top management to believe that keeping a system close at hand, running on their own servers, is the safer choice. However, first, data sprawl demands a sophisticated storage infrastructure. Second, maintaining your own data center requires a tremendous amount of effort, from choosing where to install server racks and purchasing expensive equipment to ensuring uninterrupted power supply, air conditioning, and fire suppression. Creating and operating the infrastructure you actually need gets more and more difficult (computing equipment keeps rising in price, and the chip shortage causes delivery delays of six to twelve months), so the ranks of those who see cloud services as a good idea keep growing. Naturally, every cloud newcomer asks: "How can I make sure that the provider has protected the cloud infrastructure as reliably as possible?"

There are organizational and technical measures that any provider can take to guarantee virtually 100% information security. This applies only to the environment that the service provider operates and the responsibility of its own personnel. According to experience and studies by security experts, however, 90% of all cloud leaks are caused by service users themselves, particularly through weak passwords, poor operational discipline, refusal to mask data, and the like.

If its reputation and its customers' business matter to the provider, its data center operation is strictly regulated, and customers can always review the underlying documents (subject to an NDA, of course). For example, customers can verify that the regulations expressly define role-based access to data center resources and that a former employee's account is promptly removed from Active Directory.

In general, information security is a well-regulated domain, so an IaaS provider is obliged to hold the appropriate licenses and certifications proving that its service complies with all regulations and best practices. One of the essential standards followed by providers is ISO 27001. It stipulates the requirements for an information security management system and collects the key information security management practices. Another important standard is PCI DSS. It is designed to protect payment card processing and describes protection at every level of the payment infrastructure, from physical to application security, but its controls are useful to any organization.

Note that an ISO 27001 certificate is valid for three years and a PCI DSS one for one year, so providers have to undergo re-certification audits at those intervals. Furthermore, a company must pass at least two penetration tests during that year, i.e. invite white hat hackers to test the cloud infrastructure's security.

"Given such strict regulations, excellent information security is a must for IaaS providers, otherwise they will drown in lawsuits from customers with compromised data," stresses Sergey Zinkevich. "This means that an off-premise cloud has a better security posture than any on-premise infrastructure. This would explain why more and more companies migrate everything to clouds. For example, Goldman Sachs, one of the world's largest investment banks, moved its infrastructure to AWS."

Storing personal data in an off-site environment used to be challenging. It was difficult to certify certain types of hypervisors (at one point it was impossible altogether), so only personal data of types 3 and 4 were allowed to be stored in a public cloud, while the personal data valued most by business (types 1 and 2, which include all personal, medical, and biometric information) had to be placed on dedicated equipment in a data center. This inconvenience is now history: as soon as certification was extended to cover all levels of the cloud infrastructure in compliance with the requirements of the Russian Federal Service for Technical and Export Control (FSTEC), such restrictions were lifted. Thus, since 2021, many major cloud providers have undergone certification audits to confirm the top-class security of their platforms and to enable cloud-based processing of personal data for their customers.

Allocating responsibilities

A RACI (Responsible, Accountable, Consulted, Informed) matrix can easily be built into the agreement to define the roles and responsibilities of both the IaaS provider and the customer. The matrix also outlines the actions required in specific situations, the party accountable for a particular problem, areas requiring work, and so on. For example, it may expressly state that the provider is responsible for platform availability and must inform the customer about any problems.

"Such arrangements are typical for infrastructure maintenance," comments Sergey Zinkevich. "If it's a pure IaaS, then everything is as clear as day. Life is certainly more complicated than even the most detailed RACI matrix and is full of unpredictable events, but playing the blame game will take you nowhere. Effective teamwork is a win-win strategy for the service provider and the customer."
