IT security must influence cloud computing decisions

Security professionals must advise decision makers not to embark on new cloud computing projects without considering the security implications.

Earlier this week I traveled to Gartner's Security and Risk Management Summit to try to get a sense of what's at the top of information security managers' agendas in mid-2010, a time when (hopefully) many businesses are pulling out of recession mode and ramping up long-delayed security projects.

There's certainly more overall optimism than I've seen in some time, but my most surprising discovery was that security pros can't get enough of the cloud. For instance, as I wrote earlier this week, I couldn't help but notice how a large audience of security pros was captivated by two Google Enterprise desktop security case studies, even though neither one offered much talk about security.

During a case study presentation about secure Web gateways, one of the first questions from the audience was whether the speaker's organization had considered a cloud-based gateway. And in my one-on-one conversations with attendees, the cloud was consistently one of the first and most enthusiastic topics raised.

So my question is this: Have you all gone crazy?

I'm not sure why infosec's finest have suddenly become so enamored with the cloud. Maybe it's the promise of across-the-board cost savings for IT. Maybe it's the simplicity of having fewer in-house systems. Maybe it's the pipe dream of making security of the organization's data someone else's problem.

As a public service to you, our readers, I wanted to offer a brief, far-from-comprehensive reality check. For starters, it should be noted there's no such thing as standardizing security for the cloud, because there's no such thing as a standard cloud. Outsourcing infrastructure, platforms and software all require different security measures. There are hosted public clouds, private clouds, hybrid clouds, community clouds... you get the picture. With cloud security, there's no one-size-fits-all strategy.

There are many other more specific points worth considering. Here are a few:

During one particular conversation this week, a security pro gave me the sense that the acceptance of the cloud wasn't as much about security as it was about obscurity. If I'm outsourcing data alongside hundreds of other companies using the same service, if there is a breach, chances are someone else's data will make for a much more attractive target. Sadly, just because you're hiding your data under the same rock as everybody else, doesn't mean it's any less likely to be exposed.

Let me be clear, by no means am I anti-cloud. Clearly cloud-based services are proving their worth in many realms from CRM and ERP to managed messaging and collaboration to sheer processing power, just to name a few. The cloud will without question be a big part of the future of IT, and security teams should start thinking about how they would ensure secure use of cloud-based services, because eventually it'll be something virtually all organizations will have to do.

My point is you're supposed to be the skeptics, the ones who offer caution to their enterprise's decision makers about jumping head-first into a new technology implementation, especially when the short- and long-term security implications are often unclear. This isn't the time for a role reversal.

So while the cloud may seem (dare I say) sexy, don't be so easily seduced by the allure of low-cost services and worry-free security. The bottom line is, when it comes to cloud security, we still don't know what we don't know.
