You realize the overarching benefits of the cloud, but you are a bit wary regarding the security of any data stored and transacted in these virtualized environments. But the cost-saving benefits and user preference and resource delegation of the cloud are such that not integrating some processes, applications and data is counterproductive to your overall IT strategy. So you decide that a private cloud is a more secure route that its public counterpart. But are you really any more secure?
The quick answer is no. But not for the reason you might think. A private cloud is infrastructure operated solely for a single organization. The only difference is that your data is segregated from any other organization. And if that brings you any semblance of peace, then it’s a good investment. It all depends on your business need. It offers greater control, but means you shoulder all the overhead, updating, risk management and related costs. And if you factor in the compliance requirements for financial or healthcare related companies, it might be the better option.
But, the thing is, it is still a server. It is still prone to all the issues on-premise and pubic clouds in terms of intrusions, attacks, user carelessness and resource deficiencies. It is as vulnerable (or protected) as the alternative counterparts. The only difference is the means of security you apply towards protecting it. You can build the most sophisticated on premise security solution, but if you leave a window open, data will still leak, unwanted intrusions will still get in and George from sales will still log into your network from his unsecured iPhone.
So let’s be clear. From a platform security perspective, it does not matter whether you choose public, private or hybrid clouds. It matters how you protect it; which can also be effectively managed from the cloud. And depending on your preference, a cloud-based security management should be able to equally protect and support any cloud or on-premise configuration.
If you assume your SaaS-based CRM, payroll or inventory shipping applications are well protected by the developer, you are equally inviting problems. According to new guidance from the National Institute of Standards and Technology, YOU and not your providers have ultimate responsibility for the security and privacy of data stored on the cloud. The SaaS developer are responsible for their infrastructure, not your data or who you provide access to that data or how you transit the data from endpoint to endpoint…unless the service you invest in is a cloud-based security-as-a-service.
Cloud-based security can be seen as having your cake and eating it too. You benefit from a diverse portfolio to meet your specific business needs and now you have another resource that allows you to gain best-of-breed, enterprise level power, capabilities and control. You have a way to monitor your public or private clouds (or your complex integrated networks) 24/7/365 or create multifactor authentication barriers to access intellectual property. With the right processes and rules, you can create and seamless layer across multiple servers and infrastructures that connect each independent silo of data that can differentiate roles, traffic patterns, context and data sensitivities. We are talking a combination of intrusion detection, log management audits, identity and password management and SaaS single sign on and web authentication services.
Before the maturation of cloud-based security, ensuring the security of any cloud-based application could be problematic. There was significant investment and limited budgets for in various software, time commitments, expertise and the great unknown of how dedicated the application developer was in the security of your data. To secure just this aspect of your business, you were looking at a 2:1 or 3:1 ratio of professional services on top of the licensing and required hardware installs. Now that security-as-a-service is not only an emerging (and tremendously cost-effective alternative) but tested choice, it provides a great latitude in terms of being able to properly keep in lock step with the challenges posed by applications…public, private and legacy.
So when deciding whether public, private or hybrid clouds make more sense for your organization, know that your choice should be dependent on the best option for your specific need. There are plenty of experts willing to weigh in on best practices for each. But when it comes to security, make sure you have the flexibility and scalability to securely manage your quickly disappearing perimeter.