Your Security is Already Compromised

Row upon row of stubby-winged black and white penguins teeter on the edge of the ice, peering down into the churning water, trying to see if a hungry leopard seal is lying in wait just below the surface. They want to go, but at the same time, they can sense the unseen danger -- happier to let someone else take the first plunge. After all, as I'm pretty sure every penguin would agree, better them than me.

Sound familiar?

So too the corporate world teeters on the edge of traditional computing models and peers, beady-eyed and skeptical, into the cloud. It's not surprising, given how little is really known about the risks. Are there, in fact, predators lurking, just waiting to rip into your vulnerable data stores and fillet your critical services the minute you take the plunge?

Well, maybe. Maybe not. But you see, that's not the real problem. The real problem is that as an organization, in all probability, you're already in the water and paddling.

The water isn't fine

One of the most shocking things you can do, at an organizational level, is try to figure out how much cloud usage is already taking place. It's almost certainly more than you thought, and not just by a small amount. Chances are, you're already heavily invested in cloud and didn't know it.

You can blame consumerization if you want, but your employees are already using cloud services. It doesn't matter whether it's Dropbox (or Box.net or SugarSync or one of many other file stores) or a Web-based personal email that they are bringing in from home. Or perhaps your marketing department is using a cloud-based survey tool. What about that CRM application? And, of course, your engineers are using a cloud-based backup site and maybe a cloud-based project management tool.

The problem with cloud isn't how to decide when to use it. The problem is how to measure how much you're already using.

Cloud computing has a way of seeping into the infrastructure of your business, driven by the ubiquity and utility of the model. People bring cloud with them into the office, whether they realize it or not. It's not surprising: more and more consumer services are being delivered by the cloud, and the blurring between business and consumer IT has reached the point where even the most intransigent Luddite (like me) is forced to admit that there really isn't any dividing line any more.

Think about it: when's the last time you updated your PC -- or anything for that matter -- with an actual disc?

It's interesting that, in fact, so much effort is being sunk into re-drawing those lines: iPhone apps that attempt to quarantine the corporate world and its data, filters for websites, blocks for personal storage devices. I'm reminded of those noble but often futile efforts to build sandbagged walls against rising floods. No matter how quickly the bags are piled, the water just keeps seeping in, undercutting the foundations of the defenses.

Businesses are going to have to face facts soon. Their employees, their data, and their systems are moving out into the cloud faster, and in greater numbers, than ever. That doesn't mean that they have to abandon all hope and simply give up on security, but it does mean that erecting barricades and hoping that they can keep the cloud out is no longer a sustainable strategy.

Apple's recent iCloud announcement (due to go live this fall) will only hasten the process of cloud infiltration as users start to more easily move iPhone apps and data up and down to a third-party cloud whether you want them to or not.

New models are needed

Models that can be flexible enough to embrace cloud where it exists, without relying on the futile hope of keeping everything safely within the network perimeter. Models that can be decentralized, where risk is devolved to the operating unit, and where the central security function is to advise and audit, not to try to hold back the rising waters. Security is going to be democratized and decentralized because the infrastructure is going to be that way. If there is a center it will be around the data itself, not the systems or the method of delivery nor the device it is accessed through.

The question you must ask yourself, then, is not how will you manage your move out into the cloud, but rather how will you manage the cloud's move into your business.

Geoff Webb has over 20 years of experience in the tech industry and is a senior member of the product marketing team at Credant Technologies. Geoff provides commentary on security and compliance trends for such journals and websites as: eSecurityPlanet, CIO Update, The Tech Herald, Compliance Authority, Virtual Strategy Magazine, and many others.

Prior to Credant, Geoff held management positions at NetIQ, FutureSoft, SurfControl and JSB. Geoff holds a combined bachelor of science degree in computer science and prehistoric archaeology from the University of Liverpool.