Whenever you mention the word "Cloud" to an experienced IT infrastructure professional, he or she will likely talk up the dreaded "S" issue as a major obstacle that will derail Cloud ever really being widely adopted across enterprise processes.
Quite simply, Cloud computing represents one of the biggest opportunities and threats to IT professionals today. However, spend some time with the CTOs at the likes of eBay, Amazon, Salesforce.com etc., and their eyes will light up talking about their intense development programs, where they are training young IT talent to learn how to Cloud-enable applications that can underpin many different types of business processes.
Cutting to the chase, where industries such as IT services are rapidly commoditizing, don't they need a new wave of innovation to drive new development, new thinking and new energy to create new levels of productivity and top-line growth into enterprises? Having business processes enabled to be provisioned on-demand in the Cloud is a massive disruptive opportunity for both providers and buyers of global business/IT services. Our forthcoming research wave on Business Process as a Service (BPaaS) is fleshing out the potential versus the reality of this happening (stay tuned).
Anyhow, we did want to get the "S" issue firmly on the table for discussion, so asked our new expert contributor, Andy Milroy, to weigh in with some of his perspective here...
Cloud Security – A Pleonasm?
The IT industry successfully generates billions of dollars each year by selling us security products and services. Security always plays a major role in any corporate IT purchasing decision. But, we are still a very long way from securing our IT environments.
Most security breaches are caused internally by employees or other authorized users of corporate systems such as contractors. It is these groups that are most likely to compromise the integrity of our systems, not external hackers. In spite of this, much more focus tends to be placed on external threats. Each time I work on a client’s site, I am struck by how easy it would be for me to compromise their systems. All I would need to do is insert a thumb drive with malicious code into a USB port and, hey presto, I’ve undermined hugely expensive security investments.
It is reckless to allow employees and contractors to carry highly sensitive data around with little consideration of the consequences of losing the laptops and smart phones that house the data. Amazingly little focus is placed on addressing this particular security threat.
Indeed, enterprises do not sufficiently focus on changing the behaviour of their users by making them aware of security policies and the reasons for those policies. Few ensure adequate control of basic access to their physical premises and to end points that form part of their network. As mentioned earlier, it also seems as though few enterprises track the location of sensitive data that physically moves around with employees and contractors.
Ensuring that everybody who accesses enterprise networks is trained to follow appropriate security policies is an extremely challenging task. For this reason, it is necessary to consider other ways of mitigating the risk of an employee or contractor compromising security.
One way of doing this is to source as much of the enterprise’s computing resources from the cloud as possible. Managing the security of heterogeneous on-premise IT environments is a highly complex and almost impossible task. Minimising the amount of on-premise resources that a corporation manages mitigates risk associated with security breaches enormously. Ensuring that data is stored in a secure environment (in the cloud) rather than on portable devices such as laptops and smart phones also enables corporations to mitigate risk.
Cloud computing, and I mean public cloud computing, allows us to mitigate risk and in many cases offer greater security than can be provided by spending millions of dollars in an attempt to secure on-premise resources.
Multitenancy and virtualization do indeed add a lot of complexity to providing levels of security that many enterprises require. However, public cloud services providers such as Google, Amazon, Microsoft and Salesforce.com focus heavily on ensuring that their datacenters follow best practice security policies and are using the most up to date security tools. Security can also be tied into service levels.
So, using public cloud services can offer more security than keeping data and other computing resources on-premise. These services can also reduce the amount spent on security massively. Perhaps this is the reason why many in the IT industry are keen to dissuade us from using cloud computing.
Security is always a challenge. But, there is little evidence to suggest that using the public cloud is less secure than the traditional on-premise form of computing. In fact, there is more evidence to suggest that using public cloud services can, in many cases, mitigate security risks that exist with on-premise computing alternatives.
The cloud model of computing is much better positioned to address today’s security challenges and concerns than alternative models. So, will the term cloud security soon be considered to be a pleonasm?
Andy Milroy is Expert Contributor for Horses for Sources Research. He likes to be tweeted at @andy1994.