Securing the Hybrid Cloud in the Age of AI

(Image credit: mustafaU/Getty Images)

Let’s review some of the important feature sets typically found in a cloud solutions provider.

First, the cloud provider should almost always store or process your data in multiple locations, aka data centers. These data centers provide the physical elements for connecting all of your data, anywhere. Data access will generally include cloud apps, databases and hundreds to thousands of both on-prem and off-prem systems, using “prebuilt” connectors that integrate the solutions handling your data and allow it to be processed through established services.

A cloud provider should be able to effectively leverage your existing infrastructure with an ability to query or analyze your data with features including replication, movement/migration and “rework.”

‘AI-Ready’ Data
Given the global emphasis on artificial intelligence, one would almost expect a service-level statement along the lines of “all our data is AI-ready,” given how relentlessly the marketplace promotes AI regardless of context or workplace. Fig. 1 depicts a workflow inside a cloud that could aid in preparing data for AI-ready states or actions; the ideas shown in Fig. 2 generally feed back into the systems shown in Fig. 1.

AI-ready data means that your information has been systematically prepared, evaluated, managed and governed to meet the needs of AI projects. With financial-related data, expectations are that transaction records are properly prepared before that data is fed into an AI model.

Assume that the checks your cloud services provider includes or packages can identify patterns, such as repetitive series of characters, that flag harmful routines: fraudulent transactions, loops, or means of generating a code sequence that would alter or falsify data or open a back door to an unwanted action.

In retail applications, your cloud provider might offer “AI prep” capabilities and readiness for applications such as “demand forecasting,” which uses historical data on sales volumes and costs, as well as comparative product details that can be shared across hybrid and multiple cloud providers located regionally, globally or both.

Fig. 1: Real-time data management in the cloud. (Image credit: Karl Paulsen)

For organizations (such as original equipment manufacturers) storing preventive or predictive maintenance data for industrial purposes such as aircraft maintenance, the cloud services provider should be capable of tracking and cataloging short-term and long-term historical data, plus real-time data derived from sensors and performance variables. Applications built on the cloud-storage systems would use that data to train AI models that accurately predict equipment repair times, schedules and relative downtime.

Sometimes referred to as a “digital vault,” immutable storage is a paradigm where information, once written, cannot be modified, overwritten or deleted for a specified retention period. It is also referred to as WORM (write-once, read-many) storage or object-locked storage. The opposite term is “mutable storage,” which can be edited, replaced, modified or destroyed at any time.
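The retention rule described above can be made concrete with a small in-memory model. The following is an added example written for this article, not any cloud provider's object-lock API: an object, once written, refuses overwrite and delete until its retention period elapses, after which lifecycle cleanup is allowed. The store, the injectable clock and the ledger file are all constructed for the walkthrough.

```python
"""Toy WORM (object-locked) store: a write locks the object for a fixed retention
period, during which overwrite and delete are refused. Illustrative only."""
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict
from dataclasses import dataclass


class RetentionViolation(Exception):
    """Raised when an overwrite or delete would break an active retention lock."""


@dataclass
class LockedObject:
    data: bytes
    retain_until: datetime


class WormStore:
    """Write-once, read-many store. `clock` is injected so the walkthrough can
    advance time without sleeping; it is a test convenience, not a feature."""

    def __init__(self, retention: timedelta, clock: Callable[[], datetime]):
        self.retention = retention
        self.clock = clock
        self._objects: Dict[str, LockedObject] = {}

    def is_locked(self, key: str) -> bool:
        obj = self._objects.get(key)
        return obj is not None and self.clock() < obj.retain_until

    def _check_unlocked(self, key: str, action: str) -> None:
        if self.is_locked(key):
            until = self._objects[key].retain_until.isoformat()
            raise RetentionViolation(f"{action} of {key!r} refused: locked until {until}")

    def put(self, key: str, data: bytes) -> datetime:
        """Write a new object, or replace one whose lock has already expired."""
        self._check_unlocked(key, "overwrite")
        now = self.clock()
        self._objects[key] = LockedObject(bytes(data), now + self.retention)
        return self._objects[key].retain_until

    def get(self, key: str) -> bytes:
        return self._objects[key].data

    def delete(self, key: str) -> None:
        self._check_unlocked(key, "delete")
        del self._objects[key]


class FakeClock:
    """Controllable clock for the walkthrough (constructed)."""

    def __init__(self, start: datetime):
        self.t = start

    def __call__(self) -> datetime:
        return self.t

    def advance(self, delta: timedelta) -> None:
        self.t += delta


def walkthrough() -> dict:
    """Exercise the retention rules and report the outcome of each step."""
    clock = FakeClock(datetime(2025, 1, 1, tzinfo=timezone.utc))
    store = WormStore(retention=timedelta(days=7), clock=clock)
    original = b"txn,amount\n1,100\n"          # constructed transaction record
    store.put("ledger/2025-01.csv", original)

    def attempt(action):
        try:
            action()
            return "allowed"
        except RetentionViolation:
            return "rejected"

    outcome = {}
    # Day 1: a tampering write and a deletion are both refused by the lock
    outcome["overwrite_day1"] = attempt(lambda: store.put("ledger/2025-01.csv", b"tampered"))
    outcome["delete_day1"] = attempt(lambda: store.delete("ledger/2025-01.csv"))
    outcome["data_intact"] = store.get("ledger/2025-01.csv") == original
    # Day 9: retention has elapsed, so a lifecycle rule may now remove the object
    clock.advance(timedelta(days=8))
    outcome["locked_day9"] = store.is_locked("ledger/2025-01.csv")
    outcome["delete_day9"] = attempt(lambda: store.delete("ledger/2025-01.csv"))
    return outcome


if __name__ == "__main__":
    for step, result in walkthrough().items():
        print(f"{step}: {result}")
```

The point to notice is that the lock is enforced by the store, not by the caller's permissions: even a principal allowed to write the bucket cannot change or remove a locked object, which is what makes a digital vault useful against ransomware that has already obtained credentials.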

Fig. 2: Remote/in-field data management—in the cloud—for reinforced concrete and bridge structure. (Image credit: Karl Paulsen)

Unlike mutable values, an immutable value or content cannot be changed without creating an entirely new value. For example, in JavaScript, primitive values are immutable—once a primitive value is created, it cannot be changed, although the variable it holds may be reassigned to another value.

Supply-Chain Security
In an “open source” age, malicious activities are common and almost expected in nearly every software and data system—and especially in cloud services. In e-commerce services (such as eBay or Etsy), users place assurance expectations on their vendor’s services, who in turn rely on the respective e-commerce company to “pre-protect” the data and services of their customers and clients, using industry best practices and some of the services listed in the following:

  • For an in-depth understanding of how certain software is protected, Software Composition Analysis (SCA) emphasizes control over inventory, dependency mapping against Common Vulnerabilities and Exposures (CVE) records and license tracking, as well as enforcement policies in pull requests (PR) and continuous integration (CI) before release.

Note that SCA also stands for Strong Customer Authentication, a regulatory requirement under the European Union’s Revised Payment Services Directive (PSD2), designed to reduce fraud in online payments. Strong Customer Authentication requires at least two of three elements—knowledge (password), possession (phone) or inherence (fingerprint)—for payment validation.

  • CVE is a standardized, international dictionary of publicly known cybersecurity vulnerabilities in software and hardware. Managed by the MITRE Corp. with U.S. government support, it provides a unique ID (e.g., CVE-2024-1234) for tracking flaws. It facilitates fast, secure communication about threats and feeds the National Vulnerability Database. There are currently over 330,000 CVE Records accessible via download or keyword search.
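The SCA and CVE bullets above describe four steps a CI gate performs: build an inventory, map transitive dependencies, match them against advisories keyed by CVE ID, and check licenses against policy. The following is an added example written for this article, not the code of any SCA product. The lockfile, advisory feed and policy are constructed sample data; the lockfile uses a simplified `name==version ; deps=… ; license=…` line format rather than a real package-lock or SBOM. CVE-2024-1234 is the example identifier quoted in the text, and CVE-0000-0001 is a placeholder, not a real record.

```python
"""Minimal SCA gate: inventory, transitive dependency paths, CVE matching and
license policy, returning the pass/fail verdict a PR check would enforce."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed lockfile in a simplified format (not a real lockfile syntax).
LOCKFILE = """
webapp==2.3.0 ; deps=httpclient,templater ; license=MIT
httpclient==1.4.2 ; deps=urlparse ; license=Apache-2.0
urlparse==0.9.1 ; deps= ; license=MIT
templater==3.0.5 ; deps= ; license=AGPL-3.0
"""

# Constructed advisory feed. CVE-2024-1234 is the article's example ID;
# CVE-0000-0001 is a placeholder and does not refer to a real vulnerability.
ADVISORIES = [
    {"id": "CVE-2024-1234", "package": "urlparse", "fixed_in": "0.9.3", "severity": "high"},
    {"id": "CVE-0000-0001", "package": "httpclient", "fixed_in": "1.4.0", "severity": "critical"},
]

# Constructed policy: which severities block a merge, which licenses are accepted.
POLICY = {
    "fail_on_severity": {"critical", "high"},
    "allowed_licenses": {"MIT", "Apache-2.0", "BSD-3-Clause"},
}


@dataclass(frozen=True)
class Package:
    name: str
    version: Tuple[int, ...]
    deps: Tuple[str, ...]
    license: str


def parse_version(text: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in text.split("."))


def parse_lockfile(text: str) -> Dict[str, Package]:
    """Step 1: inventory. One Package per lockfile line."""
    inventory = {}
    for line in text.strip().splitlines():
        spec, deps_part, lic_part = [p.strip() for p in line.split(";")]
        name, version = spec.split("==")
        deps = tuple(d for d in deps_part.split("=", 1)[1].split(",") if d)
        inventory[name] = Package(name, parse_version(version), deps, lic_part.split("=", 1)[1])
    return inventory


def dependency_paths(inventory: Dict[str, Package], root: str) -> Dict[str, List[str]]:
    """Step 2: map every package reachable from `root` to the path that pulls it in."""
    paths = {root: [root]}
    stack = [root]
    while stack:
        current = stack.pop()
        for dep in inventory[current].deps:
            if dep not in paths:
                paths[dep] = paths[current] + [dep]
                stack.append(dep)
    return paths


def match_advisories(inventory, paths, advisories) -> List[dict]:
    """Step 3: a package is affected if it is in use and older than the fixed version."""
    findings = []
    for adv in advisories:
        pkg = inventory.get(adv["package"])
        if pkg is None or pkg.name not in paths:
            continue
        if pkg.version < parse_version(adv["fixed_in"]):
            findings.append({"id": adv["id"], "package": pkg.name,
                             "severity": adv["severity"], "path": " -> ".join(paths[pkg.name])})
    return findings


def license_violations(inventory, paths, allowed) -> List[dict]:
    """Step 4: flag any in-use package whose license is outside the allow-list."""
    return [{"package": n, "license": inventory[n].license}
            for n in paths if inventory[n].license not in allowed]


def evaluate_pr(lockfile: str, advisories: list, policy: dict, root: str = "webapp") -> dict:
    """Run all four steps and decide whether the PR may merge."""
    inventory = parse_lockfile(lockfile)
    paths = dependency_paths(inventory, root)
    vulns = match_advisories(inventory, paths, advisories)
    licenses = license_violations(inventory, paths, policy["allowed_licenses"])
    blocking = [v for v in vulns if v["severity"] in policy["fail_on_severity"]]
    return {"inventory": sorted(paths), "vulnerabilities": vulns,
            "license_violations": licenses, "passed": not blocking and not licenses}


if __name__ == "__main__":
    verdict = evaluate_pr(LOCKFILE, ADVISORIES, POLICY)
    for finding in verdict["vulnerabilities"]:
        print(f"{finding['id']} ({finding['severity']}) via {finding['path']}")
    for violation in verdict["license_violations"]:
        print(f"license {violation['license']} not allowed: {violation['package']}")
    print("merge allowed" if verdict["passed"] else "merge blocked")
```

Two details matter for a real gate: the dependency path is reported with each finding, because the fix for a transitive CVE is usually to bump the direct dependency that pulls it in, and the httpclient advisory produces no finding since the installed version is already at or above the fixed version.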

Securing Against Ransomware
A “zero-trust” architecture does not simply mean “don’t trust anything,” but it does signify an architecture that is harder to breach and that upgrades your access control, among much else. Zero-trust often demands multifactor authentication at all access points and insists that all connected devices are regularly updated and well-maintained.

Hybrid Cloud Vulnerability
In today’s hybrid cloud world, enterprises struggle to keep track of the slew of certificates managed by different siloed teams and tools. The lack of a centralized view of certificate health increases the risk of application disruptions due to expired certificates. In the AI and open-source era, vulnerabilities in open-source dependencies expose applications to attack.

Ignoring production usage of open-source packages can lead to breaches and disruptions. Attackers often weaponize disclosed vulnerabilities quickly, shrinking your remediation window at each cloud transition (e.g., in hybrid or multicloud environments). You’ll need regular, thorough monitoring to be sure your access control is tight. And you must improve management by limiting access to individual components in the network.

A Flexible and Forward-Thinking Approach
There’s segmentation, and then there’s ZTS (“Zero Trust Segmentation”). You can be certain of some things—the big ones include:

  • Cyberattacks are unavoidable: Statistics show this to be true, yet for many organizations there’s a surprising lack of preparedness.
  • Cybersecurity mindsets are often outdated: Even with continued investment in perimeter controls, organizations still get breached. When you recognize and accept that breaches are inevitable and start to assume breach, you can focus on isolating them and stopping their spread. ZTS is by far the fastest and easiest way to do that.

ZTS is a flexible and forward-thinking approach that is “AE strengthened” by default. “AE strengthened” refers to key applications, including structural health monitoring using Acoustic Emission (AE) monitoring or, contextually, the bolstering of organizational or technical capabilities (e.g., AE engineer, Advanced Energy—refer to Fig. 2 for example details).
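The “assume breach, isolate and stop the spread” idea behind Zero Trust Segmentation comes down to a default-deny policy between labelled workloads. The following is an added example written for this article, not any vendor's product code: workloads carry environment and role labels, explicit rules allow specific role-to-role flows on specific ports, and every other flow is denied. The workloads, rules and flow records are constructed for the illustration.

```python
"""Default-deny segmentation policy evaluated over sample east-west flows."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Workload:
    name: str
    env: str   # deployment environment label, e.g. "prod" or "dev"
    role: str  # tier label, e.g. "web", "app", "db"


@dataclass(frozen=True)
class Rule:
    """An explicit allow from src_role to dst_role on one port.
    Unless cross_env is set, the rule applies only within one environment."""
    src_role: str
    dst_role: str
    port: int
    cross_env: bool = False


# Constructed inventory of labelled workloads.
WORKLOADS: Dict[str, Workload] = {
    w.name: w for w in [
        Workload("web-1", "prod", "web"),
        Workload("app-1", "prod", "app"),
        Workload("db-1", "prod", "db"),
        Workload("app-dev", "dev", "app"),
    ]
}

# Constructed allow-list: the application's legitimate path and nothing else.
RULES: List[Rule] = [
    Rule("web", "app", 8080),
    Rule("app", "db", 5432),
]


def evaluate(src: Workload, dst: Workload, port: int) -> Tuple[str, Optional[Rule]]:
    """Return ("allow", matching rule) or ("deny", None). No match means deny."""
    for rule in RULES:
        if rule.src_role != src.role or rule.dst_role != dst.role or rule.port != port:
            continue
        if src.env != dst.env and not rule.cross_env:
            continue
        return "allow", rule
    return "deny", None


def evaluate_flows(flows: List[Tuple[str, str, int]]) -> dict:
    """Run the policy over observed flows and report which would be blocked."""
    allowed, denied = [], []
    for src_name, dst_name, port in flows:
        verdict, _ = evaluate(WORKLOADS[src_name], WORKLOADS[dst_name], port)
        (allowed if verdict == "allow" else denied).append(f"{src_name}->{dst_name}:{port}")
    return {"allowed": allowed, "denied": denied}


# Constructed flow records: the first two are normal application traffic; the
# rest are the kind of east-west connections an intruder on one tier would
# need in order to spread, and are what segmentation is meant to stop.
SAMPLE_FLOWS = [
    ("web-1", "app-1", 8080),
    ("app-1", "db-1", 5432),
    ("web-1", "db-1", 5432),    # web tier reaching past the app tier to the database
    ("web-1", "app-1", 22),     # SSH between tiers, for which no rule exists
    ("app-dev", "db-1", 5432),  # right roles, wrong environment
]

if __name__ == "__main__":
    result = evaluate_flows(SAMPLE_FLOWS)
    for flow in result["allowed"]:
        print(f"ALLOW {flow}")
    for flow in result["denied"]:
        print(f"DENY  {flow}")
```

Running the policy in monitor mode over real flow records before enforcing it is the usual first step: the denied list shows exactly which existing connections would break, and every deny that remains after tuning is a lateral-movement path closed off and a log line worth alerting on.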

Who’s Responsible?
Essentially, it is the duty of the cloud service provider and end user management to ensure appropriate safety factors are in place and routinely updated before opening the door to widespread public use of cloud-service capabilities. In a future discussion, we’ll look at cloud egress fees and egress payments, an area that’s becoming a bigger part of modern cloud operations.

Karl Paulsen
Contributor

Karl Paulsen recently retired as a CTO and has regularly contributed to TV Tech on topics related to media, networking, workflow, cloud and systemization for the media and entertainment industry. He is a SMPTE Fellow with more than 50 years of engineering and managerial experience in commercial TV and radio broadcasting. For over 25 years he has written on featured topics in TV Tech magazine—penning the magazine’s “Storage and Media Technologies” and “Cloudspotter’s Journal” columns.