Public clouds make enterprise IT uneasy. For one thing, it’s a disruptive technology -- a significant shift toward compute resources becoming a shared utility. It also creates a lack of visibility and less control over IT assets. Add concerns about data loss and security that BYOD creates and it’s no wonder some cloud rookies are breaking out in hives.
SearchCloudComputing.com spoke with Jim Reavis, executive director of the Cloud Security Alliance (CSA), about the true security concerns of public and private cloud as well as common misconceptions that are keeping enterprises from diving headlong into cloud.
Security concerns are often listed as a main reason why enterprises are leery of the cloud. What are the real security risks of public and private clouds?
Jim Reavis: Anytime you move to a new technology platform, there are a lot of concerns about the consequences of that change. With public cloud, we’re talking about a significant change of compute moving toward becoming this shared utility. There’s this lack of visibility from the customer perspective -- businesses and enterprises -- not having control over the IT assets any longer. Not having visibility creates concerns about the unknown. From everything I’ve seen, cloud tends to be a security upgrade for small and medium enterprise because the providers are able to actually invest in security practices. And small businesses are often doing very minimal, outdated, inappropriate actions. That’s why small businesses are flocking to the cloud. They realize it’s actually an upgrade to their general IT.
What about larger enterprises? What are the main security concerns there?
Reavis: The issues really are the security requirements for large businesses -- compliance and regulatory issues -- that [are moving] at a pace with advances in cloud. And we need to have this brokered agreement and communication between providers and customers to assure we understand the security requirements and can communicate what we are fulfilling them. Over time, [enterprises] have evolved to fairly sophisticated, multi-tiered defenses. Getting cloud providers that are trying to make their services broadly available to duplicate those requirements is a work in progress. The bigger you are, the more sophisticated requirements you have. And you may have some challenges getting all of those requirements met when you don’t have complete control over all the resources.
Do all of these issues still carry over into private cloud?
Cloud tends to be a security upgrade for small and medium enterprise because the providers are able to actually invest in security practices.
Reavis: If you define private cloud by the full definition and are actually trying to provide this very elastic compute in a fairly large-scale environment, you have a lot of the same concerns. Take for example a large financial institution that has to have a lot of internal segmentation, maybe analysts and traders -- you have to actually provide a lot of those controls. It’s not as big of a concern in private cloud because of visibility issues, but you are trying to cordon off [portions of the environment] so they’re not broadly accessible. The bigger a private cloud gets, the more it starts to look like a public cloud, so they share a lot of the same concerns.
What are some of the biggest misconceptions enterprise IT has about cloud security?
Reavis: Enterprises are going to be more of the consumers of the cloud and are going to be migrating a lot more of their systems. Some cloud misconceptions are frankly from a lack of education of resources out there. I’ve had discussions with CIOs who were in denial they were even in the cloud; it turns out they were using a wide variety of SaaS [Software as a Service] apps. There’s also some perception gap in what providers might be able to do if you work with them, instead of taking a cursory look at their standard SLAs. [Enterprises] don’t realize there’s actually more they can ask for and they can work with systems integrators or partners to enhance a stock cloud service. From a provider’s perspective, there’s a lack of understanding of the requirements large customers have from a standards perspective.
Do you find enterprises don’t realize they have the ability to broker with a cloud provider?
Reavis: I think it’s a combination of not understanding there can be wiggle room, flexibility and negotiations on a contract layer. There can be enhancements from an architecture perspective that enterprises can do themselves in conjunction with third-party or aftermarket services. There’s also a lack of understanding of assessment tools, which CSA has made available. Cloud customers might say there’s not a standard, but you can ask if providers comply with certain objectives. I think people say there are no tools available to assess compliance and use that as justification for not addressing the needs of the business with a cloud environment. That strategy is bound to fail.
CSA recently formed the Mobile Working Group. Can you tell me what additional security concerns there are with BYOD and cloud?
The only way you can keep pace with the cloud is with cloud services.
Reavis: It’s helpful to look at both mobile and cloud as similar consequences of consumerization. On one side, consumerization creates this commodity for IT systems such as cloud and it also creates very powerful endpoints -- mobile devices -- that consumers buy on their own. These things together create a shadow IT, where individuals or business units procure their own backend IT systems. That raises a lot of governance questions. When we started the mobile IT division, we were thinking about data governance issues and how they impact where information is stored. People will be using app stores on these devices, and whether they are corporate or bring your own, app store security is also a concern. We can’t ignore mobile from a cloud perspective because it’s going to be the primary way users will access, leverage and interface with the cloud. We’ve got to take a look at those issues for device management or coexistence of business and personal use of a common device.
Is the Security as a Service the best way to protect BYOD?
Reavis: You are going to see more security capabilities move to the cloud. Companies will focus more on locking down the devices and be looking at how to encrypt information, use it for authentication and disable the device remotely. A lot of the fast-moving threats are better handled through the network. It provides a higher level of security and a more agile way to support an organization that’s adopting new technologies. The only way you can keep pace with the cloud is with cloud services.