In Cloud We Trust

It wasn’t too long ago that the very thought of security in the cloud was a challenging barrier to adoption. How can you secure a thing so vaporous and intangible? It scared off a lot of companies (especially SMBs and midsized firms) that would have felt the immediate financial savings and productivity gains from the various applications and solutions deployed from this nebulous place called the cloud. That barrier is cracking.

Earlier this week Microsoft released a study of SMBs that found the move to the cloud is facilitating the adoption and use of more advanced security technologies. According to the study, 35% of US companies found security measures to be highly improved after migrating to the cloud. Better yet, 32% noted that the move to the cloud has decreased security issues to the point where an SMB can focus on more important things.

This begs the question: how? What has changed to dispel the concerns and myths that prevented some companies from migrating? One obvious factor is that early adopters are seen reaping the benefits without the catastrophic repercussions espoused by doubters. The survey even notes that 42% of the companies surveyed were able to expand into completely new markets as a result of their cloud migration. But the key reason is the resources cloud-based application companies have shifted to ensure their offerings have improved security features. However, that doesn’t supplant the need for a company to ensure the security on its side is up to the task. Think of it like installing a bug zapper and hoping it catches all the flies before they fly into an open window.

But the news is all well and good for SMBs, say the naysayers. It seems the cloud was tailor-made for companies that could not afford to build and maintain massive application infrastructures like a Fortune 1000 company. It provided expanded functionality at a reasonable cost. The impact of failure is much less far-reaching and the tradeoff between risk and reward is much bigger (low risk, high reward). Or so they say.

I belong to several LinkedIn cloud computing groups. In one, in a discussion called “Is the Cloud Trustworthy,” most of the professionals agree that it is, with some caveats and reservations (storage, encryption, multi-tenancy issues). What this says, in a microcosm, is that cloud computing is definitely making strides, but there is still work to do in terms of education. One analyst said it right: “Some enterprise companies believe their data is better protected behind their own firewall because they don’t truly understand how a cloud is structured.”

In that respect, there is a lot of discussion and chatter about security for the cloud. But what about security managed from the cloud?

Here is the rub. Security is only as good as the processes, monitoring, and administration, whether it comes from the cloud or not. Look at some of the biggest breaches in the news lately: Global Payments, State of Utah, Sophos… all home-grown systems. Would cloud-managed security have made a difference? Probably not, because in each case it wasn’t the tool or solution that failed; it was the process or the administration or the lack of monitoring. If you can concede that cloud-based security solutions (regardless of whether they sit on public, private, or hybrid cloud configurations) are as good and as thorough as any brand-name or home-grown system, then the decision to migrate security functions to the cloud rests with functionality, cost and control. Oft-voiced issues like multi-tenancy, encryption and storage are addressed in a well-developed cloud-managed solution. If a provider can demonstrate mastery of those challenges

You can have the fanciest, most elaborate rock-solid system in the world, but without the rules to give it context, without processes to provide the action plan, without the vigilance of 24/7 monitoring and without the expert analysis to ensure continuity, connectivity and compliance, all you have is a big expensive paperweight. What makes security truly effective is the service.

Part of the allure of security-as-a-service is not just the lack of hardware or software investments and instant scalability, but the built-in automated processes like SIEM monitoring and alert rules to mitigate intrusions, SSO to channel inbound and outbound application access, identity provisioning/de-provisioning based on roles, password management self-service and a host of others. Most important is the luxury to shift administration capabilities (not control) to seasoned analysts that serve as an extension to your own staff. The idea that enterprise-grade security can’t work for and from the cloud is just dated thinking.

There’s a funny animated video I came across in which the cloud salesman repeatedly responds to the continued questions about security, “Our cloud is secure, that is all you need to know.” Well, with the reality of cloud-based security, the answer is not as glib. Through the innovations and maturation of several security-as-a-service alternatives, the capabilities to match many of the best-of-breed deployments exist. And it doesn’t require a wholesale move to the cloud. The best solutions allow leverage of existing systems, or the addition of modular cloud-managed components to enhance existing initiatives.

But marketing speak aside, not all cloud vendors are alike and you still have to do your homework to make sure any cloud expansion (especially concerning security) is a fit for your needs, your budget and your vision for the future of your network.

Kevin Nikkhoo
Truster of Clouds!
