Working in the information security field, I obviously hear a lot about the cloud and its many security implications. There are definitely valid security concerns associated with cloud computing, but isn't the entire industry of information security based on the concept of securing information – no matter where it resides? Security professionals need to accept the cloud as simply another platform that must be secured in order to protect information.
Working with a variety of businesses, I have learned that each takes its own approach to embracing cloud solutions. While there are obviously some similarities between cloud acceptance and organization type, corporate culture seems to be the larger variable in play for the adoption of cloud.
This cloud culture seems to apply to any cloud solution decision, whether IaaS, PaaS or SaaS. Organizations are either all-in with cloud, dipping their toes in the water with cloud or avoiding it altogether. No matter what your current culture, I believe there is a logical transition that can occur to safely migrate to a culture of cloud acceptance. Just as CEOs can strive to change corporate culture within their organization to meet specific goals, CISOs and CIOs can evolve IT culture to help meet business goals as well. However, this should not be a forced migration because security issues as well as operational issues can occur. Both IT and information security capabilities need time to evolve and mature. As cloud culture evolves and matures within an organization, start with smaller initiatives and grow from there.
... there is a logical transition that can occur to safely migrate to a culture of cloud acceptance."
Successful transition to a cloud culture should follow a path that is driven by risk-based decisions where low-risk decisions are made first. If you are part of an organization which chooses not to invest in any cloud-based technologies, a great way to become comfortable with the concept of cloud (with minor risk) is to select a SaaS solution that contains minimal or no sensitive data. By starting down this path, you can develop information security processes to review cloud vendors and become comfortable with the overall concept of cloud.
When it comes to securing information, using a framework – such as the Cloud Security Alliance Cloud Controls Matrix – can help build information security competencies without reinventing the wheel. Vendor due diligence is critical. As well, information security leadership skills are required to influence both vendors and internal business resources to modify processes to ensure security is realized.
If the initial SaaS solution goes smoothly, other SaaS solutions should be entertained with increasing risk and correspondingly increasing maturity around information security cloud management practices. At this stage, the business and IT operations should be over the hump and further investments in cloud solutions can be pursued in line with your growing maturity of IT and cloud capabilities.
Obviously, low-risk choices around IaaS and PaaS could also be entertained if they pose no direct risk to the organization, but my experience has seen most organizations begin to accept SaaS solutions first, which then corresponds to a gradual culture swing which allows information security departments to adapt slowly and confidently.
Yes, there are risks with cloud, but cloud initiatives are here to stay. Therefore, every organization needs to adapt and change its approach to IT and security in order to safely reap the benefits. Begin the journey to the cloud by first engaging in low-risk solutions and grow from there.
Ryan Ward is CIO at Avatier, responsible for security initiatives as well as strategic direction of IAM and products.