Learning To Trust Cloud Security
Cloud-centric computing is inevitable, so you need to face your concerns and be realistic about risks.
After more than 35 years running IT for large enterprises, I've lived through various IT technology shifts: mainframe, client/server, RISC, CISC, etc. But early on in the development of the cloud, I recognized that the shift to becoming a cloud-enabled business is different.
In enterprise IT, cloud security remains a topic of contention. Many IT and security leaders fear that a move to the cloud could cause problems, such as losing control of sensitive data. While concerns about risk are understandable and need to be addressed, they're often misplaced.
It's time businesses are honest with themselves about in-house capabilities before dismissing security in the cloud. Traditional enterprise security is based on perimeter controls — a model that was designed for a world where all data, users, devices, and applications operated within the perimeter and within the security controls. But as today's users blur the lines between activity inside and outside the perimeter, that model falls short because the perimeter is too big. I'd even say that in any mid- to large-size enterprise, there are more devices, users, and entry/exit points than the company knows about.
Cloud-centric computing is inevitable because the network, not your network, is just a conduit to allow access from trusted requestors to trusted resources. You will provide resources to those that you trust, when they need them and where they need them. The perimeter that will need protecting will be very small and contain services and properties that are critical to your business but not users. Users consume resources but are never on the cloud provider's core network. If they were, their perimeter could not be protected. Asyou evaluate security in the cloud, be realistic about the risks because deferring the transition to cloud services is itself a risky proposition.
Your Business Already Relies on the Cloud
What kinds of companies are leveraging the cloud today? Yours, for one. Even if you don't officially sanction any cloud services or applications, your employees are using them. So are your customers, suppliers, and business partners. Services that support file sharing, online collaboration, storage, and other daily activities are all hosted in the cloud. There's no getting around the fact that data is already being generated and shared there; business transactions are also happening and new business models are emerging.
The primary drivers for cloud adoption are speed, agility, and cost containment. For me, speed is the new currency. Business won't wait for anyone or anything, and IT is no exception. Because of lingering security concerns around control and reconfiguration, many businesses still rely on the private cloud model or use a hybrid approach that retains mission-critical data and applications on-premises. This is necessary in some cases, but not in most. If you allow the some to become the all, you'll be missing the train and your business will leave the station without you. For many, it already has.
In the cloud, software providers can immediately update or upgrade customers. Cloud security providers are similarly able to identify and patch threats and vulnerabilities across thousands of companies at record speed, thanks to the benefit of multitenant cloud architectures.
Financial institutions, for example, will want to maintain their "crown jewel" applications in their own data center, but when it comes to new applications, building infrastructure to maintain a Web application or mobile application simply makes no sense. Companies such as Betterment and Kabbage are using financial technology to push the limits on traditional banking, leveraging a user interface that appeals to the customer and allows those businesses to operate without the huge infrastructure of traditional finance organizations.
Plan for the Journey
As you begin your journey, enlist the help of public cloud and software-as-a-service providers. Learn how they think and operate. Check the "us vs. them" attitude at the door and be realistic about your own capabilities. Their reputations rely on their ability to execute, and to do it securely. There's a reason the National Security Agency, for example, turned to Amazon Web Services to build the NSA cloud — instead of attempting it on its own.
It's OK to learn as you go. Many organizations have approached the move to the cloud as they would any major IT transition. They analyzed it and tried to glean as much as they could about the cloud and how it's provisioned, managed, and secured. That's not all bad, but the traditional vetting and risk processes slowed them down. Ultimately, the lesson learned has been: just do it. Don't let outdated notions around security stand in your way to modernize.
So start with taking your low-risk apps — you probably have hundreds — into the cloud. As you take that first step, you'll begin to see dividends in production, efficiency, and cost, and they will only increase over time.
The Cloud Makes You More Secure
Once you get past the initial holdups, the cloud opens a massive opportunity to keep your users, applications, and data safe, thanks to the benefits of shared threat protection. You will need to hire talent that eats, sleeps, and breathes cloud to supplement your current workforce, but you will no longer be locked in competition for infrastructure, networking, and security talent with the likes of Amazon, Microsoft, or Google.
You don't have to make the entire jump at once. You can merge cloud services and applications into your existing infrastructure, chipping away at the legacy stack a little at a time. Trust those who understand the cloud, and hire people who know how to secure and take advantage of it; a few key people can have a multiplier effect. Just ensure that they are apprised of the future strategy of your business — it's a joint growing process. In the end, it's all about trust.
Cloud transformation is a business transition fueled by technology. If, like me, you see that there is no going back, the best thing you can do for your business and your own IT organization is to start now.
Related Content:
Dark Reading's all-day virtual event Nov. 15 offers an in-depth look at myths surrounding data defense and how to put business on a more effective security path.
About the Author
You May Also Like
DevSecOps/AWS
Oct 17, 2024Social Engineering: New Tricks, New Threats, New Defenses
Oct 23, 202410 Emerging Vulnerabilities Every Enterprise Should Know
Oct 30, 2024Simplify Data Security with Automation
Oct 31, 2024