Posted by: Karen Goulart
Neil MacDonald wants you to stop worrying and love cloud service providers.
This Gartner Fellow is putting in a tall order. Look at any survey of CIOs and IT professionals regarding cloud computing, from its buzzy emergence up until, oh, this morning, and you’ll find that cloud security concerns sometimes outweigh all other cloud concerns combined.
For one, in a recent CompTIA survey of 500 IT and business professionals and 400 IT firms in the United States, 65% of respondents said that security is the area of cloud computing most in need of clarity.
To these folks, MacDonald says: Get a grip — or better yet, let go.
The big cloud service providers think differently about information security — and that’s a good thing, MacDonald told a virtual audience of CIOs and other IT folks during a recent Gartner webinar on cloud security. When it comes to information security, anything you can do, cloud can do better. Or soon will, he said. How exactly are cloud service providers better than you at information security? According to him, here are the new and improved ways big-name cloud service providers like Google, Microsoft and Salesforce.com think about security:
- They assume machines will fail, so they focus on resilience. “That’s their focus, it’s a delivery of an outcome independent of failure of the individual elements,” MacDonald said. “And that is quite a change in mind-set from traditional IT operations and IT security, where we try not to have any breaches or any failures.”
- Their security is baked in, not tacked on. Be it the shift from mainframe to distributed computing or from PCs to networks, security has always been an afterthought on the part of the provider and the user — until now.
- They have shifted to software-based, automated security controls. Most security issues can be traced back to human error, but automation eliminates that possibility while freeing up security professionals to focus on “the higher priority” of creating security policy.
- They take more responsibility than many of your other vendors for delivering outcomes. If you’ve never looked at the end-user licensing agreement for, say, Microsoft Exchange, here’s the short version: Install at your own risk; it might work, it might not. The online service-level agreement looks a little different: It promises 99% uptime or you get a 25% credit.
- They force users to think about outcomes. Fixating on “the bottom of the stack” — hardware, networks — is more about the illusion of control than real security. The focus should be on the top of the stack.
- Their offerings tear down IT silos. Network, storage, server and desktop can organize around security, retaining each group’s skill sets and enhancing agility.
- They employ better people and deploy higher quality controls. Does your on-site data center have palm readers or retina scanners at its entrances? Didn’t think so.
- They embrace change. Most IT folks hate change, especially in the form of patches and updates. Cloud service providers embrace it.
- They view security as an adaptive service. Rather than a set of silo products, it is delivered as an on-demand set of services.
The thing is, though, not every cloud service provider is Google or Microsoft. Not every data center is going to be built on its own island. It’s vital to ask probing questions and create a strong RFI or RFP. Chief among your inquiries, MacDonald suggested, should be not just how your data is protected and how it is segmented between fellow cloud-dwellers, but also who has access to it. (Will you trust your cloud administrator?) A lot of innovation is happening with data encryption in the cloud, he said, that might allow you to hold the keys to your information instead of an unknown admin. Don’t be satisfied with answers alone; ask to see the evidence. And while they probably won’t tell you, it wouldn’t hurt to ask, “Where is that island, exactly?”
Because this was an online chat, there was no way to gauge audience reaction, so I’m wondering what you think. Does the idea that cloud service providers are approaching security in a different way change your thoughts about cloud computing? I’d like to hear your thoughts.
Let us know what you think about this blog post; email Karen Goulart, Features Writer.