Public Cloud: Game changer or security gamble?
Sean McDermott: Public cloud services may offer certain enterprises a better alternative to on-premises data center infrastructures, if those enterprises choose the right cloud platform from Day 1.
I have spent over 20 years helping hundreds of global clients manage their IT environments. I literally live in this space and as you can imagine, spend a lot of time talking about cloud. Massive investments are going into cloud infrastructure, but is it really the way to go? Absolutely. Cloud is not only vital to IT for a number of reasons, it’s a game changer.
The days of IT dictating to the end user what tools to use or what types of mobile devices can be on the network are a thing of the past. End users now drive IT and push companies beyond their infrastructures’ capabilities. This requires companies to move to a technology that is scalable and available immediately at the request of the end user.
Evolving business models, advancements in technology and constantly changing workforces drive businesses of all sizes to challenge their IT departments to do more with less. That is where cloud comes in.
Cloud allows businesses to improve agility, reduce costs and reduce time to revenue. To put it simply: The time previously spent in “fire-fighting mode” can be replaced with time devoted to innovation.
With cloud, companies’ IT applications and infrastructure are available at all times, everywhere. By orchestrating the tasks used to create, configure and provision, service delivery initiatives are supported and enhanced like never before. Maximum cost benefits are realized through scalability, which helps companies support sudden increases in demand while avoiding underutilized IT capacity during slow periods. Cost savings are also gained in several other areas, including IT equipment, labor and data center real estate -- not to mention power and cooling savings.
Automation, an organic component of all cloud platforms, provides the opportunity to tailor any cloud to meet an organization’s unique needs. But it’s important to note that cloud computing isn’t simply a switch you turn on. It requires a deliberate and phased approach, with careful attention paid to processes.
Fools rush into cloud without a strategy
Most companies are so eager to jump on the cloud bandwagon they do so without the right vision and planning. In fact, I wonder if most companies looking into cloud can even correctly define cloud. To take it a step further, we’ve come across organizations that have already invested in commercial off-the-shelf cloud products without defining the services they plan to offer in their service catalogs.
Vendors rush to market with cloud-based offerings while at the same time struggling to define their services. How can that be? Businesses are ready to spend massive amounts investing in technologies, yet they are still unclear as to what their best option really is. On top of that, companies forget the cloud needs to be managed.
Organizations need to define “cloud” prior to choosing a product.
To properly manage resources and services in the cloud, companies must implement a strategy that spans culture, organization, behavior and technology. Culture shifts are a huge hurdle for IT organizations. The shift from the technology mindset to service mindset will become imperative to the entire IT organization.
Encourage change or fail in cloud
Cloud computing demands a deep understanding of business needs coupled with multi-domain expertise that allows companies to design, build and operate highly efficient IT infrastructures that include legacy infrastructures aligned tightly with business priorities.
Existing business behaviors and processes won’t change just because IT infrastructures do. Implementing cloud infrastructures demands a thorough evaluation of the impact on both people and relevant business processes; this seems to be a difficult lesson to learn.
What gets lost is the right service-centric IT strategy that ensures alignment of IT decisions with business priorities. Cloud infrastructures must seamlessly integrate with the existing environment as well as leverage rigorous automation to drive value into the organization.
If you consider some of the benefits of public cloud in terms of scalability, mobility, access, and ease of deployments, it becomes apparent the standard processes that come out of the box are not tailored for all organizations. It’s important to remember the processes are simply guidelines. Companies need to spend time identifying the particular needs of the organization and developing a clear method for each unique end user to yield the best possible results in the cloud.
To fully leverage cloud capabilities, organizations need to make sure there is a solid vision, and with that, I believe cloud’s full potential will exceed IT expectations.
Sean McDermott, CEO of Windward IT Solutions in Washington, D.C., has helped hundreds of clients manage their IT environments over the past 20 years. Before founding Windward IT, McDermott was the founder and CEO of RealOps, Inc., an enterprise management Run Book Automation software company. McDermott has a bachelor’s degree in electrical engineering from Villanova University and a master’s degree in engineering from The Catholic University of America.
Marc Maiffret: When it comes to IT security, one size does not fit all. IT pros must spend time and energy to put things into the proper context to make the right decisions, particularly when evaluating whether to keep data on-premises or move to cloud computing.
There is an ongoing debate over whether cloud-based architectures are good or bad. IT teams who argue for cloud believe its business benefits outweigh cloud computing security concerns. Cloud critics believe handing data to a third party with unknown levels of control just won’t work. The truth lies somewhere between the two extremes, and it depends on a variety of factors.
Understanding when it makes sense to move data or systems to the cloud starts with understanding what the cloud actually is. The cloud is not so much a new technology as a new way of managing technology.
The term “cloud” has come to mean everything from a single application normally hosted inside the organization to an application hosted by a third-party on the Internet. In the context of IaaS, cloud can also mean entrusting an entire IT infrastructure to another company.
Application choices matter with public cloud
Each organization will have different considerations when deciding whether to move data or applications to the public cloud. Some of those decisions will depend on where data will reside in the cloud.
From a security perspective, IT pros making decisions need to accurately assess whether the organization can truly secure data or infrastructure better than a potential cloud provider can. This is an important conversation that seems to get lost in the noise and nuanced debates about moving to the cloud.
The reality is moving corporate email systems to the cloud makes a lot of sense for certain cases. For example, smaller organizations often lack the expertise in IT and security to manage Microsoft Exchange. Likewise, when you look at infrastructure providers such as Amazon, Rackspace or Google, it is hard to say a small or even midsized organization will do a better job securing cloud infrastructures.
On the flip side, many large enterprises have advanced security processes, infrastructure and a seasoned security team in place. In these cases, it might make sense to keep certain technologies and infrastructure in-house, where security can be assured and might be stronger than with a cloud vendor.
Cloud providers sometimes offer varying levels of security that small to midsized organizations cannot; however, there are also some cloud providers that provide “one-size-fits-all” security. This one-size-fits-all approach to security might not be tailored enough for the security demands of a large enterprise, or even a smaller organization with more specific security requirements.
The bottom line is to do the homework when looking at public cloud providers and understand what levels of security they provide. Then, it’s important to not only ask if the cloud provider’s security is up to par, but if you can do it better.
Marc Maiffret co-founded eEye Digital Security in 1998 and returned to the company in July 2010 as Chief Technology Officer. He is an industry expert in network security and has accepted three separate invitations to testify before the United States Congress on matters of national cybersecurity and critical infrastructure protection. He famously discovered the first Microsoft computer worm, “CodeRed” and was named one of People Magazine’s 30 People Under 30.