Essential Guide

Enterprise cloud security best practices for locking down your cloud

A comprehensive collection of articles, videos and more, hand-picked by our editors

Cloud computing benefits may trump public cloud security fears

Companies can reap the benefits of cloud, if they develop smart strategies. Two IT advisers explain when public cloud makes sense and when to say no.

Sean McDermott Marc Maiffret

Sean McDermott

Marc Maiffret

Public Cloud: Game changer or security gamble?

52% 48%

Sean McDermott: Public cloud services may offer certain enterprises a better alternative to on-premises data center...

infrastructures, if those enterprises choose the right cloud platform from Day 1.

I have spent over 20 years helping hundreds of global clients manage their IT environments. I literally live in this space and as you can imagine, spend a lot of time talking about cloud. Massive investments are going into cloud infrastructure, but is it really the way to go? Absolutely. Cloud is not only vital to IT for a number of reasons, it’s a game changer.

The days of IT dictating to the end user what tools to use or what the type of mobile devices can be on the network is a thing of the past. End users now drive IT and push companies beyond their infrastructures’ capabilities. This requires companies to move to a technology that is scalable and available immediately at the request of the end user.

Evolving business models, advancements in technology and constantly changing workforces drive businesses of all sizes to challenge their IT departments to do more with less. That is where cloud comes in.

Cloud allows businesses to improve agility, reduce costs and reduce time to revenue. To put it simply: The time previously spent in “fire-fighting mode” can be replaced with time devoted to innovation.

With cloud, companies’ IT applications and infrastructure are available at all times, everywhere. By orchestrating the tasks used to create, configure and provision, service delivery initiatives are supported and enhanced like never before. Maximum cost benefits are realized through scalability, which helps companies support sudden increases in demand while avoiding underutilized IT capacity during slow periods.  Cost savings are also gained in several other areas, including IT equipment, labor and data center real estate -- not to mention power and cooling savings.

Automation, an organic component of all cloud platforms, provides the opportunity to tailor any cloud to meet an organization’s unique needs. But it’s important to note that cloud computing isn’t simply a switch you turn on. It requires a deliberate and phased approach, with careful attention paid to processes.

Fools rush into cloud without a strategy

Most companies are so eager to jump on the cloud bandwagon they do so without the right vision and planning. In fact, I wonder if most companies looking into cloud can even correctly define cloud. To take it a step further, we’ve come across organizations that have already invested in commercial off-the-shelf cloud products without defining the services they plan to offer in their service catalogs.

Vendors rush to market with cloud-based offerings while at the same time struggling to define their services. How can that be? Businesses are ready to spend massive amounts investing in technologies, yet they are still unclear as to what their best option really is. On top of that, companies forget the cloud needs to be managed.

Organization needs to define “cloud” prior to choosing a product.

To properly manage resources and services in the cloud, companies must implement a strategy that spans culture, organization, behavior and technology. Culture shifts are a huge hurdle for IT organizations. The shift from the technology mindset to service mindset will become imperative to the entire IT organization.  

Encourage change or fail in cloud

Cloud computing demands a deep understanding of business needs coupled with multi-domain expertise that allow companies to design, build and operate highly efficient IT infrastructures that include legacy infrastructures aligned tightly with business priorities.

Existing business behaviors and processes won’t change just because IT infrastructures do. Implementing cloud infrastructures demands a thorough evaluation of the impact on both people and relevant business processes; this seems to be a difficult lesson to learn.

What gets lost is the right service-centric IT strategy that ensures alignment of IT decisions with business priorities. Cloud infrastructures must seamlessly integrate with the existing environment as well as leverage rigorous automation to drive value into the organization.

If you consider some of the benefits of public cloud in terms of scalability, mobility, access, and ease of deployments, it becomes apparent the standard processes that come out of the box are not tailored for all organizations. It’s important to remember the processes are simply guidelines. Companies need to spend time identifying the particular needs of the organization and developing a clear method for each unique end user to yield the best possible results in the cloud.

To fully leverage cloud capabilities, organizations need to make sure there is a solid vision, and with that, I believe cloud’s full potential will exceed IT expectations.

Sean McDermott, CEO of Windward IT Solutions in Washington, D.C., has helped hundreds of clients manage their IT environments over the past 20 years. Before founding Windward IT, McDermott was the founder and CEO of RealOps, Inc., an enterprise management Run Book Automation software company. McDermott has a bachelor’s degree in electrical engineering from Villanova University and a master’s degree in engineering from The Catholic University of America.

Marc MaiffretMarc Maiffret: When it comes to IT security, one size does not fit all. IT pros must spend time and energy to put things into the proper context to make the right decisions, particularly when evaluating whether to keep data on-premises or move to cloud computing.

There is an ongoing debate over whether cloud-based architectures are good or bad. IT teams who argue for cloud believe its business benefits outweigh cloud computing security concerns. Cloud critics believe handing data to a third party with unknown levels of control just won’t work. The truth lies somewhere between the two extremes, and it depends on a variety of factors.

Understanding when it makes sense to move data or systems to the cloud starts with understanding what the cloud actually is. The cloud is not so much a new technology as a new way of managing technology.

The term “cloud” has come to mean everything from a single application normally hosted inside the organization to an application hosted by a third-party on the Internet. In the context of IaaS, cloud can also mean entrusting an entire IT infrastructure to another company.

Application choices matter with public cloud

Each organization will have different considerations when deciding whether to move data or applications to the public cloud. Some of those decisions will depend on where data will reside in the cloud.

From a security perspective, IT pros making decisions need to accurately assess whether the organization can truly secure data or infrastructure better than a potential cloud provider can. This is an important conversation that seems to get lost in the noise and nuanced debates about moving to the cloud.

The reality is moving corporate email systems to the cloud makes a lot of sense for certain cases. For example, smaller organizations often lack the expertise in IT and security to manage Microsoft Exchange. Likewise, when you look at infrastructure providers such as Amazon, Rackspace or Google, it is hard to say a small or even midsized organization will do a better job securing cloud infrastructures.

A one-size-fits-all approach to security might not be tailored enough for the security demands of a large enterprise, or even a smaller organization with specific security requirements.

On the flip side, many large enterprises have advanced security processes, infrastructure and a seasoned security team in place. In these cases, it might make sense to keep certain technologies and infrastructure in-house, where security can be assured and might be stronger than with a cloud vendor.

Cloud providers sometimes offer varying levels of security that small to midsized organization cannot; however, there are also some cloud providers that provide “one-size-fits-all” security. This one-size-fits-all approach to security might not be tailored enough for the security demands of a large enterprise, or even a smaller organization with more specific security requirements.

The bottom line is to do the homework when looking at public cloud providers and understand what levels of security they provide. Then, it’s important to not only ask if the cloud provider’s security is up to par, but if you can do it better.

Marc Maiffret co-founded eEye Digital Security in 1998 and returned to the company in July 2010 as Chief Technology Officer. He is an industry expert in network security and has accepted three separate invitations to testify before the United States Congress on matters of national cybersecurity and critical infrastructure protection. He famously discovered the first Microsoft computer worm, “CodeRed” and was named one of People Magazine’s 30 People Under 30.

Join the conversation – Give us your comments.


This was last published in April 2012



Find more PRO+ content and other member only offers, here.

Essential Guide

Enterprise cloud security best practices for locking down your cloud

Join the conversation


Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

Public cloud: Game changer or security gamble?
There is too much risk in the cloud because there is no security inherent in it. If you are communicating to the cloud using services is that data encrypted with something MORE than SSL/TLS? Most likely the answer is "no." And because of that one, simple fact, I strongly discourage the use of the cloud for any real data storage. Getting the data from point A (your systems) to point B (the data warehouse) is TOO RISKY.
The game has to change - there's no option.
Large organizations with experienced personnel and in house appliacations cannot be replaced by outsourcing or IaaS or SaaS or whatever the marketing name is
Ask anyone who has their IT services in "The Cloud" a simple question... where is your data? Can you physically grab it? In a hurry? Do you have control over its security? Do you have 100% over it? If the answer is I don't really exactly know... No, and No... Which with most "Cloud Solutions"... then you don't have control of your company, your future, or your success. Cloud computing is not a game changer. IT's a Gamble not only with security, but with your success as well.
Appreciate parameters, not perimeters.
It is fantastic services to work anytime, anywhere. It is more secure.
Cloud is most definately a game changer.
Of course there are serious security implications, but if you're smart about how use use the cloud, it's definitely a game changer
Too much time and investment is being wasted in organizations managing their infrastructures. These dollars need to go into helping companies fuel their growth not their IT maintenance budgets. Public cloud offers us the ability as businesses to focus on what we are in business for and less on operational inefficiencies as 99.999% of the business world is NOT in the business of IT Infrastructure maintenance so why are we all doing it?
Since all data is not critical so it could be an option to keep critical data on premise & go for cloud for rest that will reduce IT infra maintenane/developement cost and increase data availibility.
Cloud is a game changer we can figure the security out.
Private cloud is a valid option
Cloud is undoubtedly a game changer..
It wud take some time to get mature enough..
Security gamble.
The mindset that "cloud security is someone else's responsibility" is too pervasive. Until businesses take more responsibility for security their customer's PII, or sensative data, Cloud offerings are a gamble at best..
27% of respondents to the InformationWeek 2012 Cloud Security and Risk Survey say they have no plans to use public cloud services. And 48% of those respondents say their primary reason for not doing so is related to security, including fears of leaks of customer and proprietary data. (
Businesses do not take cloud security seriously. Unless this paradigm shift happens, such that security ownership is accepted by the information owners, cloud security is a security gamble.
From my own research, it has been found that users find flexibility, accessibility and convenience in using the cloud whilst also seeing enhanced security for their data (more than storing locally, at times).

I will be posting my paper on my website as soon as it is submitted. Gives a perspective on the cloud and IT landscape in South Africa-
It is Game Charger