Shifts in security that the cloud demands
Dave Hansen, corporate SVP & GM, security and compliance business unit, CA
There is no question that the most discussed topic in the IT industry today is cloud computing. The buzz in the market about cloud computing would make you think it is fast-tracking its way to widespread adoption. However, studies by a number of sources have shown that security is the biggest barrier to cloud adoption.
But isn't cloud computing just another step in technology evolution? Didn't we face similar adoption concerns when we first incorporated mainframe, client server and web applications – all of which still face their own security challenges? Security concerns did not stop the progress of technology adoption, largely thanks to the associations and vendors who continue to develop technologies, standards and best practices that help us securely use technology to solve business needs. And they won't stop the cloud.
To secure the cloud, it needs to be treated for what it is – the next evolution in technology. Still, cloud security does bring into play some interesting shifts in an organization's security paradigm, and those shifts will vary in degree depending on the type of cloud model that is in play – private, public or a combination of both.
The security professional also may see his or her role shifting so that the organization can securely adopt a cloud model.
For example, whether the security team sees the cloud as a secure model or not, the perceived business benefits of a cloud deployment may outweigh the risk. Organizations also may see various lines of business taking matters into their own hands and engaging in cloud services to get a job done quickly and sometimes for less cost than the traditional corporate method dictates. This could range from a one-time cloud service to a development project where intellectual property is stored in the cloud.
Renegade cloud deployments are not something a security professional can tolerate. To help alleviate the chance that individual departments will break protocol, security professionals should be seen as rational advocates and enablers for the cloud. Systems should be put in place so the organization can embrace the movement in a controlled manner with approved cloud providers and guidance on what type of data and applications can move to the cloud.
Security professionals also may find themselves collaborating more with the legal team as movement to the cloud will drive more detailed contract negotiations. Depending on the cloud model, contracts may need specific language about breach liability. Even though in the court of public opinion it will be the organization that is responsible and accountable for security and compliance, there may be opportunities to contractually share responsibility.
During the RSA Conference, the CA keynote on March 3 will feature industry luminaries from Acxiom, Amazon Web Services, Lockheed Martin Information Systems & Global Services, and the Ponemon Institute. Those leaders will join me on stage to discuss how the cloud model affects security and compliance initiatives. They will address whether the cloud really is a barrier or whether this model can be viewed as more secure, similar to how many view the mainframe. They also will touch on the issue of compliance and how that is managed in the cloud.
This is an exciting time to be working in the security sector. With new technology adoption, the many threats to our IT environments, and the various avenues where the wrong people try to gain access to data, systems and applications, there is much work to be done to secure the systems that run our global economy.
Dave Hansen is the corporate senior vice president and general manager of the security and compliance business unit at CA. In this role he is charged with growing CA's security business, focusing on identity and access management and security event information and log management. Hansen previously was CA's chief information officer, and security reported into that office.