Can a Cloud Environment Help Improve an I.T. Security Strategy?
July 28, 2015 § Leave a comment
Security remains one of the most common topics mentioned anytime a cloud strategy (especially managed off-site) is proposed. Each day the risks of leaking data which can become potentially harmful information in the wrong hands grows and organizations must be careful when deciding how to approach data security (the phrase “can’t outsource risk” comes to mind here). Unfortunately, because of this risk, there still seems to be some hesitancy to even consider cloud based environments.
Ultimately the answer in situations like this is very unique and depends on the organization’s security processes, but it should be known that cloud environments can aid in maintaining, if not exceeding, security practices.
In no particular order, here’s a brief list of how cloud environments can help with these discussions:
- Economies of Scale in Security- This may apply more to managed cloud service providers or SaaS providers, but is worth mentioning regardless. Cloud service providers (CSP) will often, but not always, have greater resources and expertise to dedicate to ensuring that their environments remain secure. This means that they are likely to not only design a secure environment to begin with, but also maintain this security as new threats and vulnerabilities are discovered. Security needs to become a core competency to a CSP because their customers are relying on them, and if they cannot get it right, they will quickly become obsolete. As an example, consider IBM’s X-Force Security Research and Development team which, among other things, conducts thousands of hours of research to “power preemptive protection delivered by IBM products.” This doesn’t mean that organizations cannot exceed these standards in house, but for most organizations, they simply do not maintain today’s changing security landscape among their core competencies. Finally, economies of scale can be used when obtaining certain certifications or accreditations which may be otherwise difficult to attain for individual organizations.
*See http://www-03.ibm.com/security/xforce/ for more information about IBM X-Force.
- Architectural Flexibility- Appropriate in all types of cloud discussions, by shifting the core operational needs offsite, organizations are free to design the environment of their dreams, including security requirements, without worrying about on-site constraints. For example, an organization can certainly encrypt their data and split it in a manner that makes it difficult for simply one file to be useful if obtained (i.e. data is encrypted and split into 2 blocks, even if decrypted, the information is only partial), but they may not be able to split it across multiple sites. With a cloud environment, their data could be split and located in different, geographically separate sites; this is beneficial if one site is compromised since the other site maintains the rest of the data. Another example is installing and managing specialized security appliances which may be otherwise prohibitive on site due to space and expertise shortages.
- Security Intangibles*- For a lack of a better category title, there are certain benefits provided by using a managed cloud off site either by a CSP or internal third party. By this I mean parties not associated with an on-site environment may often be in a better place to manage security risks especially in the case of business continuity. As an example, if a natural disaster were to strike a primary datacenter, employees on-site may be under obvious emotional duress which is better handled by someone not in the same vicinity. While a good cloud strategy focuses on automating processes such as this, it is an added risk to count on manual intervention in times of stress. In this case, moving the burden to a third party mitigates some risk. Invoking fear, uncertainty, and doubt is not an intention here, but it should be addressed by a comprehensive security policy (which may or may not include cloud).
As mentioned in the second paragraph, there is no single answer to guarantee a flawless security strategy, but cloud-based answers should not be disregarded. There are unique benefits that off site or CSP managed environments provide which can help mitigate certain types of risk when used as part of a greater solution set.
As more organizations adopt and get used to cloud, I’m hopeful that posts like this will become less relevant!