By Kurt Roemer and Christian Reilly
Through a combination of genuine concern and an unhealthy amount of fear, uncertainty and doubt, the advent of early cloud computing was initially heralded by traditional IT organizations as the beginning of the end of security. As time has passed and maturity levels have grown, is it safe to suggest that cloud computing is now being viewed through its silver lining as a rebirth of security?
In this post, a follow-up to our previous blog, we explore some key questions. What’s the reality of the cloud today? What’s changed to enable strong cloud-based security use cases? And what’s required and recommended for critical business functions and sensitive data to be protected in a trusted cloud?
All those initial doom and gloom predictions of early cloud computing have given way to more considered realizations that, in certain areas, cloud computing can indeed provide some very substantial benefits over the traditional enterprise computing model. But, with all new and emerging paradigms, there are always two sides to the story.
Let’s take a brief look at some of the prevailing pluses and minuses that continue to make cloud computing so polarizing.
On the negative side of the cloud equation, many in traditional IT believe that clueless users are:
On the positive side, end users might not be so “clueless”. Professionally managed cloud services can make applications more performant, cost effective and geo-specific, while delivering a level of security that’s prescribed, transparent and consistent (as carefully defined in the terms of service). Users adopt the cloud service willingly because it’s not the same old arduous and expensive one-size-fits-all model as promoted by IT. The cloud service simply removes many of the unnecessary IT barriers and makes it easier to get business done directly.
Both sides have valid points. And working towards integrating and automating requirements for securing sensitive data is exactly what’s needed. Let’s make that happen.
While most applications and data benefit from the security and cost models of a professionally managed cloud environment, today’s public clouds are not appropriate for everything. Cloud-unfriendly use cases include a combination of: materially sensitive data that must never leave the concrete bunker, contractual obligations that specify onsite governance and demand full end-to-end physical control, and life-and-limb requirements for true offline access. Additional concerns are that rogue administrators can access data and manipulate services, that data that’s accessible can therefore be stored and moved anywhere, and that encryption must be always-on so that it is ensured for data in storage, in transit and in use. These issues are unfairly attributed to the cloud, when they’re also huge concerns in enterprise access models.
Much business is being conducted in the cloud today, even for sensitive applications that include payment processing, sales opportunity management, employee benefits and human resource management. While large organizations are often more tactical in the use of clouds, small and medium businesses have found that a “cloud first” model gives them the resources and cost structure to compete while assuring security, privacy and compliance in ways they never could have realized onsite.
The short answer is that cloud providers – from infrastructure to platform to apps and services – have addressed specific security use cases and concerns. There are clouds certified for PCI DSS, HIPAA and US Government usage via GovCloud. Most cloud providers also have zones to manage geo-specific availability, privacy and data sovereignty. Security services such as Cloud Application Security Brokers, Web Application Firewall, policy management and directory services are integrated with cloud providers and services. Multi-party administration has delegated and clearly delineated responsibilities, furthering the principle of least privilege for administrative access. Encryption has evolved into rich platform and customer-managed feature sets. Rigor of process, transparency and rich reporting features prove the value of a professionally managed cloud for security use cases.
The cloud has indeed become a mature platform for security.
Tips for driving security sensitive workloads into the cloud include:
Tech Tip: Are your users going direct to consumer-grade cloud services? Set up redirect policies on your load balancer to inform them to use enterprise-approved services instead, and automatically redirect them to the appropriate app.
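The decision such a redirect policy has to make, sketched in Python as an added example (not code from the original post or from any load balancer product). All hostnames, the mapping table and the notice page URL are constructed placeholders.

```python
from urllib.parse import urlencode

# Consumer-grade service domain -> enterprise-approved replacement.
# Constructed placeholder mapping; a real deployment maintains its own list.
APPROVED = {
    "files.consumer.example": "https://files.corp.example/",
    "chat.consumer.example": "https://chat.corp.example/",
}
# Hypothetical notice page that tells the user why they were redirected
# and then forwards them to the approved app named in the "to" parameter.
NOTICE_URL = "https://it.corp.example/use-approved-service"


def match_policy(host):
    """Return the policy domain that host equals or is a subdomain of, else None."""
    # Normalise case, drop any port and a trailing root dot.
    name = host.strip().lower().split(":")[0].rstrip(".")
    for domain in APPROVED:
        # Match on a label boundary so "notfiles.consumer.example" is not caught.
        if name == domain or name.endswith("." + domain):
            return domain
    return None


def redirect_for(host):
    """Return (status, location) for a consumer-grade host, or None to pass through."""
    domain = match_policy(host)
    if domain is None:
        return None
    # The destination comes from the fixed table, never from the request,
    # so the policy cannot be abused as an open redirect.
    query = urlencode({"from": domain, "to": APPROVED[domain]})
    return 302, f"{NOTICE_URL}?{query}"
```

The notice page should also validate its `to` parameter against the same table before forwarding.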
Chief Security Strategist
VP Chief Technology Officer Workspace Services