As a security practitioner, it is critical to recognize the business objectives of floating into the cloud, and to communicate the benefits and disadvantages from the perspective of scalability, reduction of overhead, simplicity of infrastructure and disaster recovery.
As companies weigh the pros and cons of cloud adoption, they must consider the risk that their information could be on the same server next to bad neighbors that don't maintain their virtual systems.
A recent report conducted jointly by EMC's RSA security division and IDG Research Services interviewed 100 security executives at companies with revenues of $1 billion or more. Of these executives, close to half said they either have enterprise applications or business processes running in the cloud or will begin migration in the next year.
While many cloud and virtualization vendors these days often tout their patch management capabilities, enterprises need to be mindful that the customer is still responsible for keeping their virtual machines up to date. Security officers also need to be ready to ask pointed questions about how infrastructure runs, what the SLAs are on security, what kind of testing and certification is done on infrastructure, and what the levels of segmentation are within the infrastructure.
Unfortunately, the problem of cloud security is being exacerbated by the very economic climate that is driving CIOs to buy into the cloud model in the first place. That is, cloud computing in our current economy is being driven by cost savings. People are trying to load up as many of their applications as they can on individual servers. Whether they do that within their own environment or push it off into the cloud, it creates the same issue. And I'm finding that very often both network security and physical security are sacrificed in order to provide those savings.
While the benefits can be great, before you decide on a cloud computing solution, be sure to first figure out what your organization is willing to risk with its cloud security.