Is Security Possible With The Cloud?
This series on network security is for enterprise organizations looking to have a more robust policy in place.
Let me start with a key premise: the Cloud is the future of IT overall, for all organizations of all sizes and missions. The Cloud will to a very large degree replace traditional IT infrastructures, driven by a desire to simplify scalability and, of course, to reduce costs.
We might think of the Cloud as the logical conclusion of virtualization itself, virtualizing the data center, much of the network, and reducing local IT requirements to a management console (which could be resident on a handset) and some number of Wi-Fi access points and their associated PoE switches. And, full disclosure: this is the future of my own infrastructure at Farpoint Group – everything that can be in the Cloud will be.
And – no surprise here – the number one pushback that I get when speaking on this strategy is security. You’re really going to put all of your data, much of which is sensitive and confidential to clients, in the Cloud? Really?
To be fair, security is, and always will be, a valid and primary concern for IT, and, of course, not just with respect to the Cloud. So let’s back up (so to speak) to another premise: absolute security is an abstract, theoretical concept. There is no such thing.
If it’s possible to access a resource, then compromise of that resource is also possible. And since the Cloud increases the number of possible avenues to accessing a given resource, there’s a huge question here: is security even possible for Cloud-centric IT?
Surprisingly, though, the answer is yes – at least once we back off, as we must, from the concept of absolute. Here are the keys to Cloud security that works:
- Security policy – First and foremost, the Cloud is just another element of IT, and your security policy applies here just as it does everywhere else.
- Keep control – Cloud storage, processing, and even security services are available today, but trusting security to a third party may not be entirely ready for prime time yet. It’s important to understand, manage, and control all security mechanisms – even, for example, if a carrier claims data to be secure, the use of a VPN under control of the organization is still advised.
- Monitor and audit – Monitoring, mobile content management, and other network management tools are essential to assuring that sensitive data is accessed only by authorized users. Forensic tools that look for patterns of behavior that might indicate an attempted compromise are in their infancy, but this aspect of security will become common over the next few years.
- Have a backup supplier – Always have a backup supplier for all Cloud services, with procedures for a rapid cutover detailed in the contingency section of your Security Policy. This is for reasons of integrity as much as for security.
The Cloud industry itself is becoming so large and competitive that security will undoubtedly become a centerpiece of many Cloud service offerings. The Cloud Security Alliance (yes, there’s already a trade group that’s recognized this eventuality) is already publishing best practices and related information, and we expect much more here in the near future.
Every day brings new reports of Cloud-based services being hacked and sensitive information being compromised. And yet the power of the Cloud is undeniable – global availability, write-once/run-anywhere, cost control, simplified collaboration, centralized information management, and much greater processing power and storage than are (or will ever be) available on mobile devices alone. But if the Cloud can’t be made secure, then none of this really matters. The incentive for secure Cloud operations, thus, is already driving the future.