You can't go more than a few weeks without reading about security breaches where sensitive data was extracted from large, well-known companies. Sony was the latest victim, with email and other data stolen from internal servers. Before Sony, it was a who's who in the retail market, with hacker attacks against Target and Home Depot.
Why is this happening now? For the most part, these companies have traditional security on traditional systems. But what worked in 2005 doesn't work in 2015, as hackers are learning how to exploit existing systems' vulnerabilities. Until these companies have better security planning and technology, more breaches will occur. Count on it.
It's chilling to consider these events as we move into public cloud. In public clouds, companies place data outside of their control, which makes it feel more exposed than data stored on servers down the hall. But the fact is, cloud computing wasn't to blame for these high-profile breaches; they happened on traditional internal systems.
There are two reasons why cloud breaches aren't as widespread as some think. First, when enterprises adopt cloud-based systems -- especially public clouds -- IT works overtime on security planning. Second, IT only uses state-of-the-art cloud security technology, such as federated identity management-based systems that are better equipped to track the environment and human players.
Today, it's getting to a point where public cloud is actually more secure than traditional systems -- that is, as long as cloud users have done the proper planning for security and governance, as well as splurged on the right technology.
Cloud governance, security go hand-in-hand
Governance is new to most enterprises, but it's a requirement for a move to cloud. The idea is to monitor cloud resource usage, such as servers and services, and to limit what systems and users can do with those resources. Linking governance to a solid security strategy and technology reduces the likelihood of a breach.
To create a sound cloud security strategy, remember governance and security are systemic. You can't just bolt them on after deployment and hope for the best. Additionally, don't employ separate security strategies and technology for cloud and non-cloud systems. If hackers break into one, they typically gain access to the other. It's crucial to provide a consistent set of processes based on the proper technology.
Victims of a breach are all guilty of not treating security as an ongoing effort. Processes, training and technology must be addressed on a consistent basis. It's like a game of whack-a-mole.
Other than the enabling technology, cloud security planning is the same as it is for on-premises systems. Extend your enterprise security plan to include cloud, instead of using new approaches for cloud-based systems. However, cloud gives many IT departments the necessary license to finally overhaul outdated security systems.
About the author:
David "Dave" S. Linthicum is senior vice president of Cloud Technology Partners and an internationally recognized cloud industry expert and thought leader. He is the author or co-author of 13 books on computing, including the best-selling Enterprise Application Integration. Linthicum keynotes at many leading technology conferences on cloud computing, SOA, enterprise application integration and enterprise architecture.
His latest book is Cloud Computing and SOA Convergence in Your Enterprise: A Step-by-Step Guide. His industry experience includes tenures as chief technology officer and CEO of several successful software companies and upper-level management positions in Fortune 100 companies. In addition, he was an associate professor of computer science for eight years and continues to lecture at major technical colleges and universities, including the University of Virginia, Arizona State University and the University of Wisconsin.