Cloud computing security: A requirement, not an afterthought
Security professionals, however, whose deep-rooted skepticism is often a necessary evil of the job, focus on the cloud's potential to add new complexity, risk, and points of exploitation into their IT infrastructures. These concerns usually stem from two key aspects of cloud computing – storing data on someone else's hardware and the sharing of that infrastructure with other users on a massive scale.
In the cloud, it's difficult to physically determine where data is stored. Security processes, once visible, are now hidden behind layers of abstraction. Even the most basic tasks, such as applying patches and configuring firewalls, may become the responsibility of the cloud operator, not the end user. Layer the multi-tenant aspects on top of that, with users spanning different corporations or trust levels interacting with the same set of computing resources, and the problem becomes further complicated, creating more opportunities for misconfiguration, if not malicious conduct.
Security is not a binary state; it's all about context. There is simply no reason why a cloud infrastructure with the proper design, controls, and procedures matching the stored data cannot offer the same level of security as an on-premise environment. Moreover, the many benefits of cloud computing are simply too powerful to ignore -- doing so in the name of cynicism is a disservice to the company.
But no new technology with the power to reduce costs and improve efficiency gets a free pass from the auditors. On the contrary, these new tools should be thoroughly scrutinized from head to toe. Security assessments are an important step to enable new business innovation by identifying risk and ensuring the business achieves its goals without putting the organization in jeopardy. Yet more importantly, security, which is often seen as an inflexible barrier, must cease being a function that stops business activity after deployment. We can no longer afford to be reactionary; it is costly and inefficient.
There is still an opportunity to break into the cost and complexity escalation by rethinking the way we approach the problem. This requires careful planning by both cloud providers and enterprises, with design decisions that stretch across four areas: trust, transparency, terms, and technologies.
A secure cloud is ultimately built on trust, sustained by an open exchange of information, forged by a mutual commitment to sharing risks and rewards, and equipped end-to-end to overcome threats. Thus, it's critical these environments are created with true end-to-end security.
Cloud computing has given security architects the green light to drive home important requirements and shape the way that cloud offerings are ultimately built. And since a majority of the capabilities in a cloud infrastructure are implemented and maintained by the provider -- the data custodian -- and not the end user, security very much hinges on the provider's willingness to invest in the proper controls. It's in their best interest to do so.
First and foremost, baking security into a new technology is more effective and ultimately cheaper than trying to bolt it on afterwards. We only need to look at past experiences with network protocols, operating systems, and even programming languages to make the case. Integrated security is more easily consumed and less complex. This is especially important for the cloud, where complexity is enemy number one. Purpose-built, modular security capabilities allow us to reduce the problems to manageable parts and more effectively add, remove, or modify security services as needs evolve. Once a complex architecture is placed into production it is very expensive and often impractical to change.
First-rate security is also good business. Enterprises hate being surprised, particularly when it comes to their sensitive data. Just ask those who have had their customers' personal information unknowingly shared with a third party or compromised by a security breach.
Offering a cloud service with adequate security controls from the start is a better position to be in. Most importantly, in a world where standardized cloud services are the end game, cloud providers can use features such as enhanced security as a major competitive differentiator.
Maybe our unwillingness to build new technologies with security in mind is due to a lack of understanding of the potential threats that may result? That is not the case with cloud computing, seeing that everyone understands the major consequences -- losing control over data and operations is unsettling and data transferred to a third party can be modified, lost, or stolen. For security professionals, our work is cut out for us. But with the proper planning up front, cloud computing can be a safe, effective way to manage ubiquitous computing while still trimming the bottom line.