I often get asked by customers how I see the cloud in todayâ€™s environment. Honestly, I do not see it differently than I did an year ago.
If I look at security in general, I see three challenges, which shape my mind:
- Most investments go towards protecting the infrastructure, whereas most attacks are successful on the application layer. The reason for this is fairly simple from my point if view: At the beginning of â€œsecurity for ITâ€, we were protecting the infrastructure, mainly the mainframe. Therefore protecting the infrastructure is our roots, our heritage, where we came from.
- Rarely security is aligned with the business needs. Typically security is run as a â€œpoliceâ€ function â€“ not as an enabler. I am convinced that the collaboration between the business and security can be improved if their goals get aligned: Enable the business in a secure and safe way. Besides the natural supervision tasks, which come with the job, security needs to play a consulting role to support new business ideas or â€“ even better â€“ lay their foundation pro-actively upfront.
- Security is done policy-centric and not data-centric. What is it, what we really want to do with security? Well, protect the data or even better the information. If we start to turn our focus more towards the data, we all of a sudden will realize that the infrastructure might lose some importance as the transport layer gets less important (because the data â€œprotects itselfâ€) as is the location, where the data resides.
What does now imply for the cloud? A lot.
If you start with the third point: A well-defined and simple data classification scheme is needed and the data then needs to be protected accordingly. I have rarely seen a classification scheme with more than 3 (max. 4) levels working. The user needs to understand it. If you ask HR whether their data is sensitive they will immediately confirm this. But if your have 6 levels (I have seen such policies, even with sub-levels within the levels) it will be incredibly hard for the user to understand whether they have to assign level 4 or 5 or 6 â€“ and does it really make a difference? Really?
The second point is cost. The business today is under tremendous cost pressure and they need a fast, flexible IT, which delivers. Why is Dropbox so popular? Because it solves the simple business problem of transferring huge files from one user to another. I have not seen too many IT organizations, which offer a similarly slim solution to this problem to their user within reasonable time. But letâ€™s not talk about the impact on our security landscape if confidential data ends up on Dropbox Why do users sync their notes through Evernote or OneNote and Skydrive? Because they have a legitimate business reason and internal IT fails to deliver. It is not because the user is mean or wants to violate a policy but because they have a business need (and did probably not think too much of the data classification, which is too cumbersome).
Finally the protection of the infrastructure vs. application: This has probably the least to do with the cloud as such but I guess that most cloud providers will have strong processes about how to develop secure software like the Security Development Lifecycle.
For you the implications are straight-forward: Think data-centric and make sure your data classification does not only exist on paper but is implemented in a user friendly (and data-centric) way. This will lead you naturally to the need of a two- to three-level approach to the Cloud: There is data you will easily be willing to move to a public cloud like your website, your Twitter feed, your Facebook feed etc. There is data, which you will never move to the cloud (like the keys to the bomb), which you will keep on premise highly guarded (data-centric ). And there is everything in between. The â€œin-betweenâ€ part might well be the most difficult one. This can be moved e.g. to a National Cloud, to a community operated cloud or whatever you prefer â€“ depending on what your risk assessment delivered when it comes to the need of keeping your data close to a given location (e.g. within country). You need to look for solutions, which allow you to move forward and back between the different models â€“ something which is not too easy to achieve today but there are great examples of this approach like all the different implementations of Exchange and the ability to move mailboxes between them.
I am convinced that the Cloud is an important part of any businessâ€™s architecture. However, these architectures as well as our approach to the cloud is in the process of maturing. The initial wave of excitement is over and people start to look at it from a more pragmatic point of view. What business problem does it solve? How can this be approached? What are architectures, which actually address these needs?
Together with a friend of mine, I published a paper in the stone-ages of the Cloud (say in 2010) calledand it seems that we pretty much hit it home there as one of the conclusions was that the only way to go for the cloud is in a hybrid model.
- Dropbox Cloud Storage Platform Hacked? Not So Fast (eweek.com)
- A Guide to Public, Private and Hybrid Clouds (intechnology.co.uk)
- Taking a reality check on Cloud security (intechnology.co.uk)
- Risk assessment key to cloud adoption, says Isaca (computerweekly.com)