Strategic approach to security in a cloudy environment
Security remains one of the liabilities of the cloud, but expect that to change.
Cloud use is growing even faster than expected. A September study of members of the Open Data Center Alliance concluded “that organizations are embracing the cloud at a 15 percent faster rate than previously forecast.” Among these respondents, the leading reason cited for adoption was “on-demand self-service”, while by far the biggest impediment was “data security”.
This survey, like most, focused on the mainstream of information technology (IT) projects, especially the large, ongoing, strategic ones. At the same time, Nick Hardiman makes the case that the cloud will become the default answer for all of an organization’s marginal players: the same population that earlier adopted minicomputers and then PCs as expedients for getting jobs done without having to wait on centralized IT. The outcome, Hardiman rightly observes, will be the same tension as before between IT’s mandate for security and consistency and departments’ urgency to “get the job done”. This time it manifests as negotiation over how to punch holes in firewalls from corporate assets to cloud-based services. That this “causes security risks, costs money, leads to sloppy work, and unsupportable systems” is nearly inevitable, because all the alternatives are worse. Hardiman can only conclude, “There is no easy answer.”
There are at least two rays of hope, or, more precisely, possibilities worth pursuing. The hard question is, “how do organizations access cloud services where security is outside their control?” One consideration is that security has a chance to improve with moves to the cloud. Scott Fulton, for instance, makes the case that cloud environments actually experience almost an order of magnitude fewer attacks than in-house applications: “… hosted and cloud environments know how to secure applications, and [they] deploy countermeasures,” in the words of Urvish Vashi, vice president with Alert Logic. Casual vandals much prefer to go after the desktop environments inside an organization’s firewalls, because those remain easier to crack.
Eran Feigenbaum, Enterprise Director of Google, recently made a related claim: “cloud computing, compared to most organisations [and] what they’re doing today, is probably more secure.”
On one hand, then, IT should console itself with the proposition that cloud providers take responsibility for securing the platform they run, and are in a better position than in-house IT to keep up with the latest threats and countermeasures.
At the same time, IT increasingly recognizes that it provides its organization not just applications, but also application programming interfaces (APIs), or at least data feeds. Progressive IT knows that it needs to deliver those APIs securely, and once they are available, they make for a healthier answer to the departments looking to the cloud for self-service than holes punched in the firewall.
The most favorable interpretation of these trends, then, is that internal IT can focus on shoring up security for its core assets, and on securing controlled access to them through published APIs. Organizations will increasingly rely on the cloud, and can count on it to be at least as secure as what internal IT achieves.
The conclusion for progressive IT: become expert at judging the security of cloud vendors; and plan the security of your API projects as a strategic requirement.