April 21, 2020

Secure Cloud Migration in Public Sector Organizations

Over the past few years, many organizations have migrated a considerable part of their applications and data to the public cloud. The advantages of the cloud are evident, it enables a much higher flexibility compared to the local data center, resource allocation capability allowing the required flexible growth or decrease, and supply of rapid Time to Market.

However, cloud migration does not imply there is no need to cope with cyber risks, especially at public sector organizations, which are currently required to change information security models if they wish to benefit from the cloud’s agility and efficiency while protecting sensitive information from threats.

Last year, Comm-IT, one of Israel’s leading advanced software development services house, has widened the scope of its managed multi-cloud services and launched the Cloud Pro’Active service array. This array, based on a unique methodology, offers monitoring and control services (NOC), cyber monitoring (SOC), backup, as well as services for database support, disaster recovery (DR, DevOps, FinOps), etc.

Lior Bialik, Comm-IT’s Cloud Solutions VP and Dima Tatur, the company’s Head of Cyber and Information Security Dept.,elaborate on the unique security challenges in public sector organizations,and how should these organizations manage their cloud migration.

What are the major concerns regarding cloud migration?

Bialik: There are two main concerns. First, constituting a public platform, the cloud is an external shared platform that is not under the complete control of the organization’s internal team. Secondly, organizations tend to preserve their internal information security policy and extend it also in the cloud.

However, it is important to note that the leading cloud platforms conform the highest information security standards, including standardization and regulations such as HIPAA at the medical sector, PCI at the financial sector, and high-level standards as the ISO27001, SOC2, etc. So in many cases,the cloud platform conforms to higher standards than those of the organization,sparing the effort involved in achieving the authorization required for this infrastructure layer.

Tatur: Altogether, the organization is still required to supply the security solution required for the application or system that it is establishing in the cloud, and in this layer it is required to apply the same information security principles it would have applied in-house, while enjoying the flexibility and information security advantages accessible in the cloud as per requirement.

How can an adequate information security level be achieved at the public cloud?

Tatur: If you suit the cloud solutions to the required resiliency level,a good, secure, and quality solution can certainly be provided. The solution should include several elements: hardening, information encryption in transit,information encryption at rest, penetration testing, and an information security architecture that would meet all required standardization, including privacy protection regulations, such as the GDPR.

What does Comm-IT offer within the framework of its services for public organizations interested in migrating to the public cloud?

Bialik: As part of the Cloud Pro’Active managed services, we offer the largest variety of the Production as a Service in Israel under one roof, with up to 200 experts operating around the clock at the support circles deployed in various fields. The extended services array supplies 24/7 support, control, command,and extensive management services to all of the business activities of the organizations over the market leading cloud platforms.

We work in accordance with the ITIL methodology, which includes control over the service quality and the implementation of preventive processes regarding failures, operating in accordance with the strictest regulations. Our SOC MSSP service center enables organizations to manage, monitor and command cyber events 24/7, every day.

Tatur: We work with a multi-platform SIEM - Security Information and Event Management - that collects and analyzes security events and indications from several platforms used by the customer. The system provides information and alerts based on Machine Learning. At the same time, our analysts operate with regard to the cyber events, embed the best practices for the customers, providing insights and recommendations. As routine, we execute proactive processes in order to maintain and preserve the hardening and standardization compliance required from the customer (SecOPs asa Service).

Which innovative technologies do you apply as part of your services?

Tatur: We have recently launched a new service of a ‘virtual hacker’, based on Pcysys’ automatic Penetration Testing solution. The service is available with the support of our SOC MSSP experts, offering organizations recommendations and insights for preparing the highest level information security program.

Bialik: The new automatic penetration testing service allows to check hardening, apply the findings and integrate them as a prolonged service. The service is granted according to the customer’s demand, enabling the continuous resilience testing on the basis of a frequency pre-defined at the organization’s information security policy.

Read the full interviewDownload Now