We often hear the analogy of cloud computing as a utility: just as a company consumes its water or electricity on-demand, paying only for what it uses, so with cloud computing a company pays its cloud provider according to the computing resources it consumes. Companies reduce their capital expenditure as they no longer need to commit time and capital to the acquisition and day-to-day running of IT systems. The snag is that this model only works when the consumers share a common service and therefore the infrastructure that supports that service. That makes perfect sense when we think about the electricity grid or a fleet of taxis standing in a taxi rank – another analogy of a shared service.
However, this perception of cloud computing as a utility can be misleading, particularly when applied to information security. While the cloud might be commoditizing certain IT applications and platforms, its impact on information security and more specifically data protection is not so simple. In a world of privacy concerns and more recently privacy legislation, data protection is always contextual. Different sorts of data has different value, is exposed to different users and is threatened by different risks – the data protection needs of every organization are different, and it’s hard to see them being fully addressed by commoditized security services.
Cloud computing, unlike the electricity grid (or taxis for that matter), isn’t just about consumption, in this case, the consumption of IT services. Cloud computing relies upon the sharing of data and that means moving data into a shared environment. Whenever data leaves the contained environment of an enterprise network, it is inevitable that some control will be relinquished.
Under the traditional approach, the enterprise has near complete control of its IT infrastructure – data, applications, servers, virtual machines, storage and maybe even the network itself. With cloud computing, the enterprise consciously wants to relieve itself of the hassle of at least some of its IT infrastructure. In fact, there’s a strong argument that the organization actually increases security by doing so. By picking the right cloud provider, there’s a good chance they are better placed to manage the security of that infrastructure – patch management, intrusion detection, firewalls etc. – than the enterprise is. But don’t confuse infrastructure security with data security – one is a commodity, one is contextual – and the risk here is that organizations could end up throwing the data protection baby out with the IT security bathwater in the race to adopt the cloud.
Of course lots of organizations have already moved their least sensitive applications to the cloud – there are even those that argue that most of the low hanging fruit has already been picked. But, not surprisingly, many organizations have been reluctant to entrust their most sensitive data to the cloud and confidential or regulated customer data would raise the stakes even higher. But the status quo seems to be changing, and perhaps not for the best. In a recently released report ‘Encryption in the Cloud’ (based on a survey of over 4,000 business and IT managers in seven countries), almost exactly half of respondents said their organization already transfers sensitive or confidential data to the cloud, with only 19 percent stating they had no plans to do so. Worse still, 44 percent said that they were aware it was weakening their security posture. It seems the economic benefits of the cloud are just too tempting to ignore.
This is no longer an issue that can be quietly ignored and in a series of upcoming feature articles here I will cover retaining control in the cloud, discuss what organizations and cloud providers need to do to ensure a safe working environment in the cloud, as well as how the key technology of encryption can help protect enterprise data.
Want to learn more about the latest in communications and technology? Then be sure to attend ITEXPO Miami 2013, Jan 29- Feb. 1 in Miami, Florida. Stay in touch with everything happening at ITEXPO (News - Alert). Follow us on Twitter.