The concept of Zero Trust is often explained with the analogy of a castle. Surprisingly, going back to the medieval age can also explain some other cybersecurity concepts. Cloud Security, for example. Not only that, there are actually two kinds of cloud security, and both can be explained using the analogy of a medieval city or village. Let’s do the time warp (again).
First, though, the famous quote that needs to stand at the beginning of every explanation of something related with the cloud. “It’s not a cloud, it’s just someone else’s computer”. Obviously, in this context this quote is completely out of context.
Secondly, I mentioned that there are two kinds of cloud security. Both can be defined by very different questions. The first one – to take the quote from above – by the question: “Why should someone else’s computer be more secure than mine?” Let’s answer this question first, shall we? Hence – imagine a medieval city.
Until the invention of firearms, more specifically canons, big walls with moats and drawbridges were used to protect cities and villages from intruders. And rightly so. The walls could be manned with archers for defense, the towers built into the corners of the wall provided a good lookout so attackers could be spotted early. Compare that to individual houses, which usually don’t have any of these measures – or only a few and inferior at that, too.
Ensuring Data Protection
Transfer that concept to the cloud and you will see the similarities immediately. Of course, a city full of houses is a much more attractive target than a single house, therefore drawing more attackers. Nevertheless, the fee you and every other houseowner pays to the cloud provider will, figuratively speaking, buy all these archers, weapons and walls. Something you cannot expect to afford, let alone staff, if you’re just defending your house.
The second usage of the term cloud security usually refers to ensuring the safety of the data to the cloud. Actually, a solution to ensure this was usually called a “cloud security access broker (CASB)”, but apparently this was too much of a niche, which is why Gartner coined a new term “SASE” which gives companies providing such a solution the feeling they’re not operating in a small niche. Maybe the true background was that they could not find enough CASBs to justify an entire market, so they pulled VPN and network security providers into it, you never know.
In any case, the concept can also be explained by the medieval city. We’ve just established that the cloud provider can be compared to a medieval city. The problem is that employees still need to enter that medieval city, and as a company you want to make sure that they are not carrying something malicious into the city or something secret out of it. Hence, you have guards searching the employees at the entrance of the cloud (CASBs), plus you ensure that employees only have access to certain areas of the city (Zero Trust). In addition, your streets are secured by more guards (network security) and only specific streets can be used to enter the city in the first place (VPN). And even when an employee owns a house in the city (e.g. they also have a dropbox account, as the company they work for does), that “cloud security” ensures that they would have to leave the city first before they can enter their own house or at least are guarded on the way from the company mansion to their own house.
It’s not a cloud
As you can see, the medieval city goes a long way explaining cloud security. Even beyond security, it can explain different “variants” of the cloud. You might have heard of the distinction between a public and a private cloud for example. Don’t know what that is? Well, a public cloud in this scenario is where one provider builds (and owns) all the houses, which are standardized, i.e. every house looks essentially the same. As a customer (or tenant) of the house, you don’t really need to take care of anything, just live in it. In a private cloud, you will “just” get a place in the city and essentially build your house yourself. You still have all the benefits of the city (walls, public services, etc.), though.
I’m sure there are other cloud concepts which could be mapped to the analogy of that medieval city. In any case, if you do have to explain cloud security to anyone, be that during a presentation or at a cocktail party, you can start with the quote: “It’s not a cloud, it’s a medieval city.”
Patrick Boch has been working in the IT industry since 1999. He has been dealing with the topic of cybersecurity for several years now, with a focus on SAP and ERP security.
In recent years, Patrick Boch has published various books and articles as an expert, especially on the subject of SAP security. With his extensive knowledge and experience in the areas of SAP compliance and security, Patrick Boch has served as product manager for several companies in the IT security sector since 2013. Patrick is Co-Founder and Editor of Cyber Protection Magazine.