Numerous other surveys, as well as Forrester's recent report, “Security and the Cloud,” show that security is the most prominent pain point with cloud computing, yet enterprise security teams often are not involved in the decision-making process or brought into the fold early in cloud initiatives. Instead, organizations often feel that because cloud computing is a new model, the strategy entails the reinvention of their security efforts. They believe that security processes must change so much for the cloud that they must wait for a new paradigm to be invented before deploying it.
As a result, many organizations have given up on securing the cloud and instead only deploy private clouds or hold off entirely because cloud security is too big a challenge for any one company to “invent” by itself. The truth is, all we need to do is apply the same established security best practices to new and more varied software layers.
Security policies, processes and best practices haven't changed. For example, the best practice of “least privilege,” which provides users with only the access they need, is just as relevant in the cloud. The corresponding policies, processes and roles can remain the same as well.
To apply existing and established best practices to a larger diversity of software layers in the cloud, organizations must focus on automating the process. The challenge is that best practices must now be applied not only to servers or desktops, but to each virtual machine, to hypervisors and more. It is time we stop waiting and start rolling up our sleeves.