So with that in mind, I've come up with a five "talking points" to get you started seriously thinking about where and how security fits into the cloud decision-making process:
Not all clouds are equal - The different models for cloud service delivery (IaaS, PaaS, SaaS) have different requirements of the customer when it comes to security. The less control you have the greater you must rely on the security practices of the provider. Understanding where the lines are drawn and who is responsible for what is vital before moving anything of value to a cloud.
Inside the firewall does NOT mean secure - Private clouds arent necessarily free of the security concerns that plague public offerings. While a private clouds may seem more secure, they may introduce new threats and vulnerabilities that need to be understood. Even a locally hosted private cloud represents a potentially high concentration of data and services, which may have been far more distributed in the past. Understand the security implications of who now has access to that private cloud, where it is hosted (internal or external) and what systems are coexisting.https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i It's still your fault - While the benefits of cloud may be that you need to worry less about how computing resources are provided, there are no free passes when it comes to compliance and legal responsibility. Healthcare providers should take special note: the costs and bad publicity of breach of healthcare data you put in the cloud is still going to land firmly on your doorstep even if you believe the provider is at fault.
Cloud is disruptive - What you did in the past may not work in the future. Cloud presents a way for business units to quickly provision systems and services, utilize resources, and de-provision those same systems so quickly that traditional approaches to good governance, security and due diligence are unlikely to keep pace. If you have security and compliance challenges now, cloud computing will simply accelerate the problems and pour gasoline on the smoldering fire. If its bad, Cloud will make it worse, faster.
Rethinking security - Cloud is a huge opportunity to redefine the way security and business units interact. While the technology may have been around a while, the way it is going to be used is new, and that change gives security teams, and smart CIOs, a way to reset the clock on the security/business alignment problem. Security teams will have a chance to take ownership and offer meaningful guidance to their business stakeholders on the right way to consume cloud services, the best practices to keep data secure, and what to look for in a cloud provider. But they better start doing it now, because the business users are already on the move.
Geoff Webb has over 20 years of experience in the tech industry and has provided commentary on security and compliance trends, and written on a number of related topics for many industry journals like CIOUpdate. Geoff is a senior member of the product marketing team at Credant Technologies. Prior to Credant, Geoff held management positions at NetIQ, FutureSoft, SurfControl and JSB.