Is cloud computing inherently secure? Depends on how you look at it.
It sounds like a facile answer to the question, but security in the cloud really comes down to your approach to IT in general. That was the key takeaway from a recent ITWC webinar titled Security in the Cloud: A Whole New Toolbox.
Sponsored by Rogers, webinar hosts Jim Love, ITWC’s CIO and guest speaker Dave Gendron, strategic alliances director at Ceryx Inc., took a look at the pros and cons for adopting a cloud-based approach.
“Have a clear definition of the cloud,” said Love, adding that this is important, considering that security is the next area of IT that organizations are considering moving to the cloud.
According to technology research firm Gartner, the cloud-based security services market, which it defines as secure email or web gateways, identity and access management (IAM), remote vulnerability assessment, security information, and event management, is estimated to top $4.13 billion (U.S.) by 2017. And depending on the configuration, security in the cloud can range from a complete service, to an enabler of on-premise services.
Adopting a security-as-a-service approach is more than simply preventing malware threats, it’s about having access to an advanced system authenticating users so that the right people get the right data at the right time. A number of vendors, including Microsoft, are making their authentication systems such as Active Directory available in the cloud, Gendron said.
Love and Gendron note there are various types of the technology — public cloud, private cloud, community cloud and hybrid cloud — all with their unique strengths and weaknesses:
Public Cloud: The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.
Private Cloud: The cloud infrastructure is operated solely for a single organization. It may be managed by the organization or by a third party and may be located on-premise or off-premise.
Community Cloud: The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, or compliance considerations). It may be managed by the organizations or by a third party and may be located on-premise or off-premise.
Hybrid Cloud: The cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load-balancing between clouds)
The next step is around identifying the security profile of the organization. “It’s sounds wishy-washy but how you look at security has a great deal to do with how you feel,” Love said.
According to the webinar poll, 77 per cent define themselves as “realists,” where they are committed to constantly striving to improve and enhance their IT security environment. Taking a defeatist or denialist stance often translates to weak and underfunded IT security environment — a scenario ripe for security holes and breaches, notes Love.
The key to a successful cloud approach is understanding the strengths and limitations of the technology. “We shouldn’t expect the cloud model to cover all aspects of security. Find the gaps and then understand where the security gaps are,” said Love. Gendron echoed that sentiment, adding that security is a number one day-to-day concern.
In addition to understanding the various service delivery models, be it Infrastructure as a Service (IaaS), Platform as a Service (PaaS) or Software as a Service (SaaS), Love offered that organizations will need to understand the associated security risks and benefits of the cloud.
For example, Gendron and Love noted the benefits of reduced of hardware and maintenance should be balanced with an understanding of the potential loss of goverance, along with being fully aware of the associated compliance and legal risk issues.
Most importantly, Gendron and Love noted IT organizations should understand that, more often than not, having the right technology partner matters in ensuring a successful implementation and deployment: “Partners are an essential part of the journey to the cloud. How well you understand, evaluate and work with your chosen partners will have a major impact on your success.”