Cloud Computing and Security: Is your forecast sunny or cloudy?

Ever since Cloud computing came along, many business and IT management-types have wrestled with feelings of insecurity:  Are we secure?  How do we know?  How do we measure?

That depends in large measure on the vendors who are managing your status in the Cloud, and their implementation of and adherence to best practices, as well as their adoption of prudent new practices as those come along and evolve. 

Our feelings of security, and our success in the security realm, also depends on our understanding of just what the Cloud represents, and the degree of reliance we place on any particular piece of the Cloud.

We can focus on some basic security considerations here, and I think this audience knows what Cloud computing is.  However, we can briefly consider Cloud computing to be:  1)  Platform as a Service (PaaS); 2)  Infrastructure as a Service (IaaS); and 3)  Software as a Service (SaaS). 

There are distinct business advantages in shifting the burden for capital expenditures and associated maintenance to an outside entity – to include a reduced burden for number of staff, and the “inside” need to maintain that staff’s currency for changing and evolving environments.  Of course, reductions of staff are not necessarily good for IT department members (and certain allied business staff), but we must acknowledge what the business edge is going to consider.

The chief concern for any organization, and therefore any IT senior staff who may be considering general recommendations or specific responses to business questions, is that whenever control of anything goes outside of your “four walls,” you lose a large measure of control.  We all rely on outside providers and the overall infrastructure of the internet, but as one example:  A server in your server room, under the watch of your own internal staff, is not the same as an amorphous server “in the Cloud” – no matter how trusted and/or large the vendor, no matter how solid their reputation.  True, for outside elements, you can bear down on providers, you can make contracts as tight as you can possibly make them.  But, on the day you experience equipment failure, data loss, data breach, etc. – and a resultant loss of your own ability to deliver service, content, access… to your customers, members, constituents, staff – none of your “remote” oversight much matters in that moment.

Nothing beats internal security (if you’re doing things right).  You can readily survey and adapt security for inside elements – you’re in direct control, in any direct moment.  Also, you directly access and manage the personnel who manage security and the aforementioned platform(s), infrastructure, and software.  You can assess any breach potentials and make corrections of course on your terms, on immediate terms, on as strict of terms as you like.  You can establish your regularized schedules of oversight.  Cloud elements require trust, and a relinquish of control.

On the other hand, it has been argued that Cloud providers have a natural incentive to mount trust, and to brand Cloud computing with security.  No doubt – but any provider has the incentive for providing reliability as a matter of securing reputation and staying in business.

Remember this:

     In the realm of risk, unmanaged possibilities become probabilities…

“Risk” is the operative word here:  You must actively manage against the possibility of security breaches, or episodes of inoperability, for anything the Cloud is delivering to you, for you, or operating on your behalf.  Most data and security breaches are due to human error – and “outages” are security breaches in my mind.  If you have an outage of any sort, your business or any particular element can hardly be called “secure.”  Therefore, awareness and common sense are key in bringing best practices and wholly new practices in the realm of insuring your piece of the Cloud.

If you’re in the Cloud or taking any element, or additional elements, to the Cloud – it might do to have a regularized security meeting with the allied vendors.  Make the schedule to be whatever suits you:  Annually, semi-annually, quarterly…  insist that your vendors make a presentation to you for where security measures stand, how they’ve evolved from the last meeting (improvements), and what the projections are for the future and what can be expected as reportage at the next meeting.  Continue this cycle in perpetuity.

What imaginative, evolving, practices are you bringing to your extended environment in terms of vendor accountability?  Is your Cloud security forecast sunny… or cloudy?