It's one of the conundrums of cloud computing that makes it so irresistibly difficult: taken as a whole, cloud is so different from the way IT usually operates that it feels like there should be a whole new model or set of techniques for protecting an infrastructure. But when you break it down into actual achievable, meaningful steps, it's not new at all. It's just jumbled around or stretched out in weird directions.
For instance, use public cloud and you're doing website security. You're just not used to doing that for your front end, back end and data layer all at the same time. Use a private cloud in-house for your dev team and you're doing a witch's brew of IP management, operational management and project management. Day-to-day governance and risk management is not traditional fare in the weekly project team meeting.
Everyone's gotten used to living in a bubble.
The red-tape brigade responsible for compliance and setting policies wants cloud to magically fit into the slots they've already got in their precious paperwork, even though it’s a new kind of animal. If you need to hit an audit twice a year, how do you sleep at night knowing Bob and Ted and Alice might be commissioning and decommissioning hundreds of servers with company IP on them in between?
The operations guys are perturbed, roused from their hypnotic, CYA-based routine of fighting off clueless users and management buffoons to keep the lights on and data safe (despite the CIO's best efforts to irrevocably screw it up). How do you convince the IT basement trolls that cloud storage is safe when they can't even sniff the hard drives to see if they're ripe? It's like poking bears.
And the security chiefs are too busy freaking out about cyber super criminals stealing their brainwaves, or cat burglars cracking the company safe through a ventilation shaft, to worry about sending data to some "bucket" somewhere. They're more focused on the security team knowing kung fu than on something as insane as cloud computing.
Operations trolls in their beer-soaked caverns, bloodless GRC bureaucrats in their ivory tower and security ninjas slinking around installing 'pick-proof' locks on the executive johns. None of them are prepared to just pick up and run with the cloud.
When will cloud security issues be resolved?
Cloud computing, especially private cloud (because let's face it, you're either all the way in the public cloud running an e-business or you're sticking in stuff that doesn't matter), makes everybody rub together uncomfortably. No one's sure where it's all going to shake out and nobody is getting answers they like. The only people successfully overhauling their IT infrastructure into cloud-like operations are doing it whole hog and reinventing security along the way.
Speaking of uncomfortable rubbing together, the grandmother of security dog and pony shows finishes this week. At RSA Conference 2011, we interviewed an enterprise with a good handle on how to approach cloud security that really illustrates this conundrum. If you can get through his diagram without a searing headache, congratulations; you're IBM's Watson in disguise.
US Federal CIO Vivek Kundra declared 20% of the Fed's IT infrastructure is going to be on clouds. Security pundit Chris Hoff came on stage directly afterward to basically mock everything going on in cloud and security. One analyst gave a talk and did a variation on a Seinfeld gag. "What's the deal with antivirus software?" So many announcements went out, you'd think the problem was licked.
But at the end of the day, we still have all the security problems we had before. Cloud really hasn't made that much of a dent; it's just put us in a fun house mirror. What it should really be doing is making us question why we're still doing the same old stuff (why do we need so much useless AV software?). The potential for change is there; the reality is that it's a long way off.
Carl Brooks is the Senior Technology Writer for SearchCloudComputing.com. Contact him at firstname.lastname@example.org.