Building cloud infrastructure to weather any storm
Dynamic Story | 2022
The scale—and importance—of enterprise workloads being migrated to the cloud is rapidly rising. However, failing to factor security and resilience into modernisation projects from day one is raising costs and risks.
Public cloud’s share of enterprise workload hosting is rising fast...
In just three years, public cloud workloads have nearly doubled.
…yet security and resiliency is still an afterthought for many organisations.
The business imperative for agile, scalable operations is pushing more infrastructure onto the cloud, but these modernisation efforts dramatically increase the importance of secure, resilient infrastructure.
Only 45% of CISOs say security is being built into these projects from the outset.
Best practice #1: Identify your crown jewels
Large, complex organisations often have vast IT workloads. Treating all these workloads the same would mean:
When a major bank approached Kyndryl to help develop a system to protect and restore 70,000 workloads, we reduced that number to less than a thousand—the crown jewels that could harm the bank’s reputation or business continuity if compromised.
Identify your organisation’s crown jewels and prioritise their protection to boost resilience.
Best practice #2: Bring security to the forefront of cloud migration
Too often, security only gets addressed once migration efforts are underway—which can cost your organisation time and money.
Undertaking vulnerability and network assessments during your migration planning phase can help combat this risk, as well as increase functionality and speed modernisation.
Too often, security and resilience are lumped together—but the distinction is vital.
While research shows that cybersecurity risk management in Australian financial services firms is improving, cyber resilience still lags behind those firms’ own benchmarks.
Security is an enterprise’s ability to prevent or reduce the risk of a data breach or malicious activity.
Resilience is how able that enterprise is to respond and recover once damage has occurred.
Best practice #4: Strengthen your disaster recovery plans
Disaster recovery plans are of little use if they can’t be executed effectively under the pressure of a major outage. Reduce the need to have all key personnel available and executing complex procedures to minimise this risk.
One large bank brought us a disaster recovery plan that was 220 steps long and lived on a spreadsheet. We created an end-to-end automated recovery engine that performs the necessary steps for a complete recovery, like shutting down databases, starting workloads, configuring the network, and bringing up systems.
Recovery point objective (RPO) is a measure of how old your most recent backup must be in order to enable normal operations to resume in the event of system failure or data loss.
Recovery time objective (RTO) is the time an application, system, or process can be down before it causes significant damage to the business—plus the time spent restoring the application and its data.
Given that cyber-attackers will often strive to encrypt backups as well, the only way to guarantee an RPO is to use WORM storage: write once, ready many. Even with WORM storage, risks still remain. After a recent attack, it took a large US credit bureau seven days to work through its WORM backups to find the most recent uncorrupted version.
Pressure on enterprises to deploy agile, scalable infrastructure has never been higher— but neither have the risks from failing to consider and plan for security and resilience from the outset.