The rapid acceleration in the adoption of cloud services has increased the focus on cyber security. While data protection and privacy have always been key concerns in the oil and gas industry, this has frequently been achieved by isolating networks and strengthening perimeter defences. However, the weaknesses in this approach have been demonstrated, and it has masked poor practices in many areas. This paper will argue that the advent of cloud technology should not be regarded as a further challenge to security, but an opportunity to dramatically revitalise and improve a company's defences.
We will present a systematic overview of the kind of hybrid architecture that is increasingly common in many oil and gas companies, with on-premises and cloud systems. We will examine the key areas of authentication and authorisation and examine how these must evolve to address the cloud. We will also look at key pain points, like systems integration and legacy platforms, and examine how these are accommodated in a cloud-first architecture.
In examining the issues involved, we will see that cloud does not really introduce new security challenges but tends to highlight problems with existing practices. Historic failures to implement federated identity, or to secure and patch individual systems, or to allow unencrypted and largely insecure SQL access to corporate databases, represent a clear and present danger. By returning the focus to system security, and moving on the conversation from perimeter defence, cloud is providing a valuable service. Interestingly, this new technology also provides a range of answers, as we'll discuss, but it cannot be a universal panacea.
While adoption grows daily, cloud is still relatively novel to many companies. The lessons learned across multiple large-scale implementations of cloud technology in production data management allows us to derive general, vendor-independent guidance on cloud architectures, cyber security issues that must be addressed, and best practices that should be followed.