Chris Weitz, a director at Deloitte Consulting LLP, is charged with leading the financial services consulting company's team for advisory services in cloud computing. He's been in this role for five years, and previously held a global consulting position with Deloitte for nine years. Overall, he's been in the IT business for a little over 30 years.
Thus, cloud computing is hardly the first seismic shift in IT that Weitz has seen. And when it comes to cloud security and data privacy -- identified by 49% of the more than 950 people polled recently by Deloitte at its Dbrief event as the most challenging aspect of implementing a hybrid cloud environment -- he says the major cloud providers are better at it than most people think.
Of the 950 people polled by Deloitte, 36% listed privacy protection as their top concern. Why do you think that is?
Chris Weitz: Privacy protection is clearly a big concern for people because there are laws in different jurisdictions that govern the use of information, and there are serious consequences if [it's] not protected properly. In Europe there's more focus on that with EU [European Union] laws about personal information and personal privacy, which are stricter than other places in the world. The U.S. is not as strict, but there are still definitely regulations and laws that govern the use of information, particularly medical information and personal financial information. So, anybody who is charged with controlling that has to pay particular attention to how they're going to manage that, especially if the data moves out of the span of their physical control.
One huge problem, of course, is that data is not physically stored in any one computer in a cloud computing environment; it's spread across thousands of them, so there's no one physical place to check. It's all done by software, and software by definition is not directly observable, so you need other software to observe that software. Those new software monitoring tools are not quite widely adopted yet -- it's definitely an emerging field. So, people are hesitant naturally to do things without being properly comfortable with the level at which they can confirm the physical location or the security controls around their data and be able to … make sure their data is where it's supposed to be, and not falling into the wrong hands.
So, what does the future hold in terms of dealing with this issue?
Weitz: The emerging answers are that data will be secured at the content level itself -- in other words, it doesn't matter where it goes because it's encrypted.
There will also be a lot of emphasis put on access and credentials for users based on data characteristics and permissions. Security will not just be based on whether you can access an environment or not; it'll be based on your credentials as a user and what you're allowed to see, and the software has to be much more sophisticated in these cloud environments to be able to manage that.
There is an ongoing evolution under way to make it more and more safe. I think the cloud vendors are doing a very good job right now -- I don't think anyone can accuse them of presenting new security risks -- but enterprise users are playing a bit of catch-up in terms of understanding how these security and privacy mechanisms work.
Twenty-four percent listed cyberthreat security. What's the state of the art there today?
Weitz: The main concern that people have in enterprises now is if your systems are being operated by a third party -- especially a massively well-trafficked third party, such as a major cloud provider -- there can be a potential for bad actors potentially accessing your information or hacking into your systems. That's always been true, but the concern is more front-of-mind right now because these systems are so very public in terms of their visibility and their brand.
But in fact, I'd rather have them be fewer and bigger, because you can concentrate your resources on fewer attack points. Cloud computing companies are very, very incented to have the world's best security, because their entire business depends on it … there's every bit of evidence to suggest that the security in cloud companies is better than any other security in the world, including at any enterprise or corporate organization. They have the ability to hire the world's best talent and throw all the money in the world at it, and they do.
So, is the cloud ready for prime time at this point, security-wise?
Weitz: My personal contention is that this will fade back into the shadows rapidly because it will not take more than a few years for the leading vendors to lock this down … this is an early stage phenomenon, and once the cloud market matures a bit more, I think this will settle down into a reasonable state of maturity, like every other generation before it.
There's absolutely nothing intrinsically dangerous about cloud computing. Nothing at all. It's just that it's new.
How do you advise customers who have cloud security worries? What are some good rules of thumb?
Weitz: All of the classic security and privacy advice still holds. The key in this situation, as with any new technology, is [that] you have to understand what's different but you also have to keep in mind what's the same. You can never outsource accountability.
Whenever there's a change in the industry, or a new generation of architectures is being used, you have to do another round of due diligence to make sure that your vendors are doing the right thing and that you're using the right up-to-date methods for confirming their capabilities. You can't use old methods on new architectures, and you can't assume a vendor is going to do something without checking. This is like an upgrade or refresh: You have to test.