ORLANDO, FLA. -- Cloud computing technology is like a force of nature that security practitioners should embrace rather than fight, Symantec Corp. Chairman John Thompson said in a keynote Tuesday at the Cloud Security Alliance Congress 2010.
"Don't fight Mother Nature. It's inevitable that applications will move to the cloud, it's just a matter of which ones," he said. "Embrace the change and manage the change in a way that's effective for your business."
When it comes to cloud computing, "the train has left the station," he said. "The ride is likely going to be as thoughtful and beneficial to us as it has been in the past 40 years." With all the industry inflection points he's seen, cloud computing "doesn't scare me and it shouldn't scare you," he added.
Managing risk in the cloud requires a shift from a focus on securing devices and infrastructure to an information-centric approach to security, Thompson said. Security pros should be looking at what data is truly sensitive in their environments, how it's used, and who actually uses it.
"We as IT professionals have the opportunity to have meaningful conversations with business leaders about what they value most and what they value least," he said.
Taking the least important data and moving that into the cloud is a good place to start, Thompson suggested.
The problem of malicious code won't go away in a cloud environment, but neither will the human factor in security, he said: "As we move into the cloud, we have to think of that human frailty."
Thompson said there are technologies that can help in migrating to a public cloud environment, including data loss prevention. "Ultimately, it will be about continuous monitoring," he added.
In an earlier session at the CSA conference, Rich Mogull, analyst and CEO at Phoenix, Ariz.-based consultancy Securosis LLC, also spoke of a need to shift to information-centric security as organizations move IT services to the cloud. The building blocks for that include enterprise digital rights management, DLP, encryption, identity and access management and tokenization, he said.
During the same session, Chris Hoff, director of cloud and virtualization solutions of the security technology business unit at San Jose, Calif.-based Cisco Systems Inc. and well-known cloud security expert, warned attendees against applying yesterday's methods to tomorrow's technology. "We have to think differently and not think of cloud computing as a threat but a source for inspiration," he said.
Other sessions at the CSA Congress, which continues Wednesday, cover the topics of cloud security transparency, cloud identity and access management, and control and assurance in cloud computing.