Wanted: Real security for the cloud | SC Media

May 29, 2013

Even by the hyper-accelerated pace of the technology industry—where innovations move from core player to legacy overnight—the speed with which cloud infrastructure has become embedded in corporate America is truly remarkable. According to market analysts at Gartner, server virtualization accounted for just 12 percent of workloads in 2009 and 50 percent in 2012.

This is less a shift than a systemic transformation. It's not just application servers but databases, network switches, storage devices and firewalls being virtualized. Every kind of mission-critical application, along with vast amounts of sensitive data, is comfortably at home on the virtual stack.

So what's the problem? Security.

It's not as if the issue has been relegated to the back burner. Corporations everywhere are allocating greater resources to this sensitive area. However, the cloud represents an entirely new approach to enterprise computing, and what we have are recycled presents in new wrapping.

Many security technology providers still offer tools rooted in the world of physical security. Endpoint solutions, data-loss prevention (DLP) technologies, network security monitoring packages, compliance-level configuration software—the list goes on. It's a past-life approach to next-generation problems.

There have been adjustments. Some security solutions now carry features tied to aspects of the cloud, such as virtual firewall solutions and agentless anti-virus using hypervisor APIs. But these add-ons don't go nearly far enough, and many don't even go that far.

To get to a better place, it helps to understand the reasons why this discrepancy exists.

First, the benefits to be accrued from a shift to the virtual stack are so pervasive, transparent and immediate that even conservative CIOs have opted to move rapidly. Cloud computing has achieved mainstream maturity in part because many enterprises launched migration initiatives on the basis of cost savings and consolidation, then saw it evolve into a next-generation software foundation. In this equation, security gets short shrift.

Second, the original positioning around cloud and virtualization software and services emphasized different issues. Back then, it was still hard to conceive of entire infrastructures residing in the cloud. But as the migration gained momentum, the market-facing functionality—all the capabilities that got attention when the technology first arrived—took precedence, and security got left behind.

Finally – and this is the real problem – it takes security providers considerable time and resources to re-orient their R&D efforts to focus on a new platform. The only incentive in making such a major shift is if there's a market need, which means the market is there first. Conventional wisdom holds that the technology industry is always on the cutting edge, but here we have enterprise CIOs ahead of the curve. In fact, I'd estimate that most vendors are two to three years behind the curve in developing optimal security solutions for a cloud infrastructure.

So where does this leave us? Specifically, what can CIOs do to protect their precious, cloud-based assets?

Let's understand the stakes involved: A ten-fold increase in cost savings carries a hundred-fold concentration of risk. Can you imagine a single disgruntled employee deleting 88 virtual servers with a single click from a McDonald's Wi-Fi connection? It's already happened.

In this environment, it's not enough for security vendors to offer development road maps where virtualization gets a few bullet points. It has to be the core.

CIOs should demand that cloud computing become the centerpiece of every security conversation and strategy. Just as cloud infrastructures are the norm, not the exception, security providers have to offer a portfolio that features foundational technologies that ease the adoption of multi-tenant private and hybrid clouds while automating risk mitigation and compliance. The essential goal should be to create automated security in virtualized data centers and private clouds.

We don't know who's going to take the lead here—industry giants, emerging startups, new players. After all, many breakthroughs come from smaller firms that don't have well-funded research labs. For everyone from VMware to top-tier security providers, it's time to join forces and offer package solutions.

In the next two years, 75-80 percent of enterprise infrastructures will be in the virtual category. Will there have to be high-profile doomsday scenarios before true innovation is deployed in securing virtual resources? Let's hope not. We need to get to work.
