Despite security concerns, the mass migration of IT services to the cloud will be an inevitable macro-trend. The value proposition is just too compelling: cloud computing is evolving into a utility. (See WGroup strategy brief “Cloud Computing: A Practical Guide to Utilize Cloud in the Era of Asset-Light IT.”)
If anything, the recent Edward Snowden saga only goes to show that regardless of tools, technology, policies and procedures, your security measures can only be as good as the people you employ to follow or enforce them.
So what message does that translate into for enterprises already worrying about security in the cloud? Observations:
- Private clouds are not necessarily more secure than public clouds (e.g., Amazon). Private clouds are only as secure as the people and processes supporting them.
- A common approach to improving security is to virtualize security controls, but that in turn adds another layer of abstraction to a key component of the overall cloud environment. More abstraction means less visibility. Thus the underlying trust relationship with the provider is key.
- Now that cloud providers have become responsible for much of the security apparatus, the cloud customers should take it upon themselves to check the qualifications of the cloud providers’ security personnel – their architects, coders, operators and policy makers. The practice of “trust but verify” should apply both to the vendor’s people as well as their processes and technologies.
- The subset of the vendor’s personnel that demands the most scrutiny for security reasons is those with administrative access to the customer’s assets. Cloud has introduced this new tier of privileged users, whose oversight and even hiring should be monitored as if they were in-house personnel.
- Another common approach to enhancing security is to ask the cloud provider to contribute more to security monitoring processes and to make SIEM (Security Information and Event Management) data more available. But that still means the customer should inquire how the provider handles its logging and executes its monitoring processes.
- At the very front end of the provisioning process, risk prevention means careful screening of workloads before deciding whether they are appropriate for migration to the cloud (mission-critical or sensitive-data workloads demand more isolation). But isolation can never substitute for people’s compliance, so it still boils down to the people.
- Finally, self-provisioning means governance and training are critical before end users are empowered to decide for themselves and given access to the cloud.
While technology is a very important component, managing the people component is just as, if not more, vital to security.