ORLANDO, Fla. -- Misconceptions abound regarding the approach enterprise information security professionals must take in order to successfully address cloud computing security risks in their organizations. It's unfortunate when those misconceptions are perpetuated, even inadvertently.
During a keynote Thursday at the 2013 Cloud Security Alliance (CSA) Congress, V. Jay LaRosa, ADP Inc.'s senior director of converged security architecture, spoke about the extent to which individuals, enterprises and governments have become reliant on cloud-based services without realizing it.
Highlighting the long and distinguished history of ADP as a cloud services provider, LaRosa discussed how the vendor not only processes the payroll of one out of every six Americans and transfers $1.4 trillion annually, but also manages medical records, retirement and flexible spending accounts, human resources data, and tax filings -- in addition to providing a variety of hosted software products. Even though they never realize it, he said, the company provides essential services for millions of Americans via the cloud.
He also noted how even the U.S. government's rapidly increasing use of cloud computing has resulted in several cloud computing providers' infrastructures being deemed critical national infrastructures, meaning that their incapacitation or destruction, to borrow the bleak assessment of the U.S. Department of Homeland Security, "would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof."
Without even knowing it, the general public has silently accepted cloud computing as a necessary and essential part of everyday life, yet according to LaRosa, many information security practitioners struggle to understand why businesses are adopting the cloud.
"If all of us by default have this level of trust in the cloud, why are we so uncomfortable when the business units come to us and say, 'I'm going to put this data out in the cloud'?" asked LaRosa. As he sees it, even though society has already come to trust the cloud tacitly, security pros still "push back" against enterprise cloud computing initiatives.
"The problem isn't with the cloud," LaRosa added; rather, it's with security practitioners' ability to evolve and accept it.
There's only one issue with that line of thinking: it's no longer grounded in reality.
It's no secret that businesses everywhere are diving headfirst into the cloud. Among more than 650 organizations surveyed this year by Gartner Inc., for example, 80% indicated that they intended to use some form of cloud services within the next 12 months, even though more than half of those respondents aren't using the cloud today. As part of its exclusive 2014 priorities survey, TechTarget, SearchSecurity's parent company, found that 38% of the 4,100 IT professionals who responded expect to grow spending in public and private cloud services, even at a time when many experts have a less-than-favorable economic outlook for the coming year.
This surge in interest is not lost on the information security community. As if near-record attendance at this year's CSA Congress weren't proof enough, several security pros confirmed that their organizations aren't afraid of cloud computing use. In fact, it's the exact opposite: Enterprise enthusiasm for cloud computing is at an all-time high, to the point where infosec teams are struggling to get out in front of the trend and manage the risk posed by ad hoc and poorly planned cloud computing usage.
Attendee Allen Rome, cybersecurity program manager with the U.S. Department of Energy, said cloud computing has evolved "past that point" where enterprise security teams must take on the task of gently ushering their organizations into the cloud. From his perspective, the growing number of cloud providers now obtaining Federal Information Security Management Act certifications has paved the way for government organizations, as well as enterprises, that had any last reservations about cloud security to begin their projects.
While Rome indicated that cloud computing security risks differ based on the services an organization wants to use, the industry emphasis has shifted away from whether to allow cloud usage at all. Now, Rome said, security pros have moved on to determining how to address the finer points of cloud governance, such as defining providers' security obligations, codifying them in a service-level agreement and preparing to deal with cloud security incidents.
Jere Julian, a quality assurance engineer with Cisco, said that what information security pros really need is information on cloud computing project enablers, and particularly how to build their reputations as trusted advisors who will help cloud computing projects succeed, not stand in their way.
"How do we switch from 'geek mode', which we do need sometimes, to be translators to help the business do what it needs to do?" Julian asked. He said infosec practitioners need education on how to speak the language of business and better understand what the organization needs, while also using their technical background to bring knowledge to bear about the providers, processes and policies that will successfully manage the risks.
To LaRosa's credit, he did acknowledge that information security pros must evolve to fill advisory roles, helping their organizations calculate, understand and mitigate the risks of cloud computing, instead of being the last checkbox or rubber stamp before a cloud computing project is pushed out the door.
"It's hard standing there watching the business do scary things. It makes us uncomfortable," LaRosa said, "but it's not our job to say no; we should never say no."
Yet if cloud security pros and IT industry observers alike haven't realized it, they should give the information security community a bit more credit: Many professionals already realize that standing in the way of cloud computing is an exercise in futility. The cloud conversation has been elevated in more ways than one.