Put on a happy face
Cloud computing has been changing the way organizations operate for over a decade now. Without a doubt, the technology has evolved, offering varying levels of benefits along the way; agility, resiliency, and cost savings are chief among cloud’s attributes, as far as business owners and CFOs are concerned. It’s not until recently, though, that security practitioners have also begun viewing cloud as a boon rather than a bust.
Ten years ago, security conference sessions were rife with attendees griping about the shadow IT effect and how it impacted information security. As the years went by, security controls started to be “baked in” to providers’ architectures more, but control was still a massive hurdle for security practitioners. Security teams accepted the cloud but still had to determine the best ways to secure data going into the cloud, assuming the security team had been made aware data was being hosted off site in the first place.
Grey skies are gonna clear up
Today, however, cloud computing, and along with it, cloud security, is undergoing an incredible transition at a tremendous pace, says Rich Mogull, Analyst and CEO at security research and advisory firm Securosis. Talking to InfoSec Insider during Black Hat 2016, Mogull said that cloud has been delivering on the promises of speed, flexibility, and economic savings to an extent, but some of the perks have been undercut by the need for additional resources required by the data owner to ensure proper handling and treatment of data once it has been migrated to the cloud. Now, companies are starting to really realize the benefits—along with better security—as cloud providers improve their offerings. But, Mogull cautions, all of this is only true if companies start re-architecting for cloud; trying to make legacy systems work with current cloud services is like trying to fit a size 12 foot into a size 7 shoe: it’s not going to hold up.
Companies that adopt and embrace native cloud architectures have an opportunity to transform how security is managed at the enterprise level “if we build it in the right way,” said Mogull. “Security needs to be involved” in building these new platforms, yet he’s concerned that “security is still hovering around the edges.” The most successful organizations, however, he shares, having trained a vast number of security and operations teams over the past six years, create a collaborative environment between security, development, and operations. If security pros think they’ve got it bad, joked Mogull, “operations is getting hit just as hard.” The business world is moving to a more developer-centric world as a way of producing things more quickly and consistently, and operations teams have to adapt in many of the same ways as security teams.
Brush off the clouds and cheer up
The key is to get in front of the problem and generate a proactive and collaborative approach, not allowing the legacy view of the security team to kick in and affect how other departments perceive working with security.
As Mogull warns, “It’s not all rainbows and puppies and unicorns,” but the shift is happening, and successful organizations are embracing the change, becoming a positive part of it, and working alongside development and operations teams as architectures are taking yet another groundbreaking turn.