There has been considerable hype surrounding cloud computing — and for good reason. It truly has the potential to change enterprise IT. Just as most people find flying on commercial airlines more efficient and practical than owning and operating their own jets, provisioning IT capabilities from the cloud provides many organizations with a more efficient, convenient and flexible alternative to owning and running their private networks, servers and software. have already shifted some of their IT and business functions to the cloud.
They may be running sales force and customer relationship management applications as cloud services, or they’ve outsourced payroll and other sensitive enterprise functions to specialists running software as a service in the cloud. It seems that companies with reservations about cloud computing oftentimes are less concerned about the technology or physical differences and more concerned about the procedural and policy differences.
Some information security leaders might find it reassuring to know that information security in the cloud doesn’t deviate dramatically from ensuring information security in traditional enterprise IT infrastructures. The same requirements, threats, policies and controls, as well as governance and compliance issues, carry over. Today’s information security practices and tools can also be inventively reused. There are, however, a few adaptations to how time-tested security practices and tools are applied given the inherent differences in how cloud resources can be shared, divided, controlled and managed.
First and foremost, the cloud presents those of us in information technology and security a once-in-a-career opportunity to make information security better: faster, cheaper, more efficient and less intrusive.
Because cloud platforms are still developing, we have unprecedented opportunities to embed information security processes and technologies deeper into the infrastructure. Information security can finally break out of the legacy paradigm of bolting security code onto operating systems, networks and applications as a reactive measure or afterthought. In the cloud, security protocols can be built into the virtualization layer, creating stronger, simpler and more unified information security systems. As virtual machines move across clouds to perform their functions, they take their policies and protection with them. Cloud security has vast potential to surpass the levels of information security that are possible
Finally, the cloud forces organizations to reexamine their methods for evaluating IT solutions providers and to revise their models for establishing trust and consequences. Because parts of their IT infrastructure will now be owned and operated by third parties, security leaders must be able to ensure those vendors are adequately able to secure not just the physical infrastructure, but also the virtual one. Organizations must have the ability to safeguard proprietary information on virtual servers and storage while giving cloud administrators the access and privileges needed to do their jobs.
Organizations must also have transparency into cloud providers’ performance against agreed-upon security and business protocols. Specifically, organizations should clearly acknowledge that they can retain control over IT policies and assets, even if they don’t own or directly operate those assets.
When organizations retain control over policy-setting, the attendant risks of operating in the cloud aren’t necessarily higher; they’re just different.