COVID-19, the Cloud, and Cloud Security
COVID-19, social distancing, work from home…these are our current realities. How we got here and how we get past it are beyond my areas of expertise. But here we are – now what?
For DisruptOps we decided early to mandate work from home. It was a very simple decision – employees and their families always come first. If working from home could help our families stay healthy and help our community at the same time, let’s do it.
Our concerns with this change were social: how do we effectively communicate, stay connected, and stay productive? We have great communication tools (Slack, Google Meet, Zoom), but previously we augmented these tools with social interactions in the office. I believe in the value of in-person interaction, but we needed to overcome this new limitation. We started with a few simple ideas:
- Keep our current schedule of meetings (daily standups, weekly meetings, etc.)
- Use the camera during these meetings
- Use voice / video over chat when appropriate – don’t chat for 30 minutes when a 3-minute conversation could accomplish the same thing
It’s a work in progress. We continue to learn and improve through this experience.
Interestingly, there were no technical issues even considered or discussed when we made this decision. In our case, working from home is functionally no different than working in the office. All our infrastructure is in the cloud. All our applications are SaaS. As long as everyone has Internet access, they have the ability to do everything from home they could accomplish from the office. While we never considered COVID-19 or any other pandemic when making these infrastructure decisions, the benefits in our current reality are clear.
What about cloud security?
I had a friend ask this week about how we are handling the security implications of working from home. His concern was access to the corporate network from insecure locations and home computers. These are real concerns, and I have seen a number of articles on the subject (you can just search: security risks of working from home). But these were not our primary concerns.
Once again, our cloud-only strategy has prepared us for this odd time in history. Our office network is no more or less a part of our security strategy than someone working at home or from an airport lounge. The idea that the castle walls of the corporate data center would protect us was knocked down when we traded them for the benefits of the cloud. That doesn’t mean we traded security for access. Instead, we acknowledge that access comes with responsibility. We implemented multi-factor authentication, separation of development accounts from production accounts (with extremely limited access to production environments), active operational control of critical infrastructure, and more. We also made careful decisions about SaaS providers to ensure they meet our needs – both functional and security.
The security principle of zero trust dictates that location (inside vs. outside the network) is not sufficient to grant access to a resource. Instead, access depends on the identity of the user (and perhaps machine, location, and more). In this model the data center provides little security benefit over the cloud – and carries many disadvantages.
Cloud computing is not a panacea – it comes with its own challenges. But in our current fast-evolving world of self-quarantine and work from home, the cloud (both IaaS and SaaS) has proven powerful, valuable, and resilient.