Posted by: David Scott
With the advent of Cloud Computing – that is, Internet-based computing – many are asking, “Is it secure?”
That, of course, depends on who is managing your status in the cloud and their adherence to best practices and prudent new practices. It also depends on your understanding of just what the cloud represents, and the degree of reliance you place on your piece of the cloud.
We’re going to focus on a couple of basic security considerations here, and without being too assumptive, I believe this audience knows what cloud computing is. However, and briefly, we can consider cloud computing to be: 1) Platform as a Service (PaaS); 2) Infrastructure as a Service (IaaS); and 3) Software as a Service (SaaS). The business advantages in shifting the burden for capital expenditures and associated maintenance to an outside entity are many, including a reduced staffing burden and a reduced “inside” need to keep that staff current with changing and evolving environments. Reductions of staff are not necessarily good for IT staff (and certain allied business staff), but we must acknowledge what the business edge is going to consider.
The chief concern for any organization, and therefore any IT senior staff who may be considering general recommendations or specific responses to business questions, is that whenever control of anything goes outside of your “four walls,” you lose a large measure of control. We all rely on outside providers, and the overall infrastructure of the ‘net, but as one example: A server in your server room, under the watch of your own internal staff, is not the same as an amorphous server “in the cloud.” True, for outside elements, you can bear down on providers, you can make contracts as tight as you can possibly make them, but on the day you’re not delivering service, content, access… computing – none of your “remote” oversight much matters in the moment.
Nothing beats (or should be able to beat, if you’re doing things right) internal security. You can readily survey and adapt security. You directly manage and access the personnel who manage security. You can assess any breach potentials and make course corrections on your terms, on immediate terms, on terms as strict as you like.
On the other hand, it has been argued that cloud providers have a natural incentive to build trust, and to brand cloud computing with security. No doubt – but any provider has that incentive.
As we’re fond of saying in The Weave:
In the realm of risk, unmanaged possibilities become probabilities…
“Risk” is the operative word here: You must actively manage against the possibility of security breaches, or episodes of inoperability, or anything the cloud is delivering to you, for you, or operating on your behalf. Most data and security breaches are due to human error – and “outages” are security breaches in my mind. If you have an outage of any sort, your business or particular element can hardly be called “secure.” Therefore, awareness and common sense are key in backing up best practices and wholly new practices in the realm of insuring your piece of the cloud.
If you’re in the cloud or going to the cloud, what imaginative, evolving practices are you bringing to your extended environment? Is your security forecast sunny… or cloudy?