Pity the security practitioner. After each new technology is released, we hold out hope that it will finally make our jobs easier, that the promise of seamless and fully integrated security will finally be realized. However, our hopes are quickly dashed as bug reports pile up and end customers seek to one-up the product vendors in their efforts to obliterate any semblance of security during the implementation stage. That places us in the familiar role of corporate nannies that advise our wards to take their vitamins and, for heavens sake, don’t even think about having any fun.
As the industry begins to embrace the concept of cloud computing, security professionals may be reflexively pulling out of our whips and chains to deliver the first lashings to those presumably misguided souls seeking to thrust the company’s most sensitive data into some virtual grab bag in the sky. The reality is that cloud computing offers tremendous opportunities to companies awash in data with little ability to even find what they’re looking for, let alone manage or secure it. Cloud computing can offer standardization and consistency, traits that are part of a sound security practice as long as the standards have been vetted by qualified security professionals and consistent in a good way. But before we break out the champagne, it’s important to understand whether we can deliver and what it will take to get there.
The trade press has simultaneously dubbed cloud computing as both the game changing phenomenon that will revolutionize computing and a rehash of a bunch of old technologies, some going back more than thirty years to the days of time sharing and batch computing, that have been cobbled together and marketed as innovation. The reality is that it’s a little of both. In essence, cloud computing is a business model. Whether it’s offered by Amazon’s Elastic Compute Cloud or done in-house as a sort of private cloud offered by the IT department, it is designed to commoditize and sell by the drink a variety of computing functions including storage, processing time, software applications, network bandwidth, and other services. Existing options like software-as-a-Service (SaaS), virtualization, and utility computing are routinely repurposed and leveraged to form a cloud.
The question then remains why security professionals should be optimistic. The reason is that the business model for cloud computing requires business functions and their respective technological representations to be discretely defined and associated with a particular cloud computing service. If implemented correctly, it tends to eschew the notion of a just being an all purpose storage repository for miscellaneous stuff. It forces users to think about what business function they want performed and what data will be involved. And because it is being outsourced, business managers are more likely to be directly involved in those decisions because it is harder to assume that a cloud provider will know what they want, an assumption that is frequently and inappropriately placed on an organization’s IT department.
In essence cloud computing offers organizations a framework for defining a data governance model that incorporates notions of both risk and compliance. Through it, we can decide when the risks associated with cloud computing can be justified based on the data and business processes involved. If compliance requirements dictate where data is stored or how it is protected, we can select the cloud service that meets those requirements. Ultimately it offers a well-defined way to marry security requirements with service offerings, something IT departments have been loathe to do for fear that talking about service levels with respect to security would be viewed with the same level of trepidation as a brain surgeon who offers silver, gold, and platinum packages to his patients.
So once again we stand at the precipice waiting to see how the market will shake out. As security professionals, there is a lot to be hopeful about as we batten down the hatches and keep those whips and chains handy.
No comments:
Post a Comment