I was watching fireworks over the Pacific Ocean last night (one of the benefits of living near the California coast). The Navy Band was trumpeting patriotic music and thoughts of freedom and liberty swirled in my head. That’s when it occurred to me. Cloud computing is independence for many companies: freedom from costly infrastructure; liberty of enhanced mobility and storage; emancipation from ongoing updates and maintenance; the autonomy to scale and automate; the sovereignty to grow businesses based on need and innovation rather than anchored simply by budget and bandwidth.
But cuteness aside, there is a degree of independence provided by the cloud. But just like democracy, managing in the cloud comes with a price, or more specifically a responsibility. With the many benefits provided by the cloud, security issues still need to be addressed. Just having data and application functionality in the cloud may provide new flexibility and the ability to enforce consistencies throughout the enterprise, but processes for control, monitoring and anomaly mitigation still need to be applied and maintained. The cloud application you use might have great security controls, but in the end any data you generate, store or transact is yours to secure…not the application vendor.
The good news is that these security issues and functions can also be managed and effectively enhanced from the cloud. This means the receipt of the same benefits provided by these lithe applications can be realized by migrating some or all security management functions to a virtualized environment. Security-as-a-service provides a greater sense of independence and an expanded mode of control over the disparate, disconnected and sometimes unprotected elements of the enterprise.
The cloud managing the cloud…seems like an oxymoron, right? Wrong. I am hoping we’ve moved beyond the argument of whether the cloud is a best practice or at least an accepted business practice. A vetted security-as-a-service can provide the necessary capability, control and cost-savings while removing a burden from overtaxed and overextended IT staffs. And not just for SMBs. Larger companies (especially those bound by unique compliance issues like healthcare, finance, retail and even government entities) can take advantage of cloud-based security and generate the necessary ROI and secure influence over all or parts of their enterprise.
First, cloud-based security is more that being a watchdog for your salesforce.com or Dropbox accounts. It can be a gamer changer-a fully realized security environment that addresses data and applications on public clouds, private clouds, hybrid clouds and even legacy, on premise networks. It can monitor every ping, burp and hiccup that touches your network in real time. It can create escalations, alerts and effective remediation without the need of human intervention. It can provision and prevent access to some or all of your data. It can authorize, maintain credentials, and streamline identities. It can facilitate encryption in data at rest or on the move. The promise of security-as-a-service is that it provides comprehensive and integrated functionality across the enterprise. A true cloud-based security initiative must be more than SIEM; more than single-sign on, more than password and access management. It must incorporate all these things.
Second, most companies take security very seriously-especially in terms of storing their data or maintaining the sacrosanctity of that proprietary intelligence while in transit. They understand how important it is to keep their networks intrusion-fee. Problem is IT is a big family and there are so many mouths to feed. Even as many companies have teams dedicated to security issues, too many don’t have a dedicated person, but rather line item in an overall job description. This is the way things fall through the cracks. And I don’t think I am talking out of school here-many CIOs and CEOs have said the same thing. Again, security-as-a-service, with all of its best-of-breed capabilities and behind-the-scenes 7/24 monitoring, creates the necessary automations and controls that allow an organization ( who doesn’t have a dedicated security officer) the confidence that security issues aren’t relegated to hair-on-fire priorities.
Once you have agreed that security-as-a-service delivers the necessary protection, then the question begs how do you determine which partner or vendor is right for you? Although there are several markers for which you can evaluate (cost, service scope, proven viability, etc…), I think the key to success is finding a partner that matches your business needs: one that has the track record of integrating a single piece of the security puzzle or help launch a comprehensive solution from the cloud. And, of course, one that helps you reach a sustainable level of independence so you can concentrate on other priorities.
And if you have the time, listen to an interview I gave over at The Cloudcast with Cloud Computing experts Brian Gracely and Aaron Delp:
Happy Independence Day!