Clouds ARE secure enough for portions of most enterprises today. Everyone at the Cloud Computing event seemed to agree that Cloud 1.0 is done –and it is time to move to Cloud 2.0. Since I believe clouds are inevitable (See my recent blog) I was looking forward to the “Securing the cloud ecosystem” panel. The session did not disappoint. The panel had representation from a security vendor, (Scott Chasin from McAfee), two large professional consulting organizations, (Ronald Knode from CSC, and Shahed Latif from KPMG) and a services company (Niall Browne from LiveOps). Although a diverse set of topics were covered, three were of most interest to me: Who should own the security for the clouds and what should ‘cloud consumers’ do today?
You can legislate liability for cloud security, but you better not forget about accountability: this sums up the discussions about who should own security in the clouds. Clearly it is critical for the cloud provider to be responsible for the implementation of security. But if something goes wrong, the cloud consumer takes the hit, it’s because they selected the cloud provider. What happens if your Software as a Service (SaaS) cloud provider uses an Infrastructure as a Service (IaaS) cloud provider? Whose owns the security? It doesn’t take long to see how complicated the picture becomes. In order to be accountable for the security of the cloud, the ultimate consumer, the enterprise, must have transparency into the day-to-day security practices of the entire cloud stack.
IT departments should take a do unto others before they do unto you approach. Clouds are in the enterprise. Some cloud applications snuck in through line of business users who charged the cost to their Corporate AmEx cards. In examples like this, no one asked the security questions. Others came in through the IT department. Here, some questions were asked, but they were usually created for each instance. No matter which path was taken for the existing cloud applications (or Infrastructure or platforms), more are coming. So, put your architecture together your. Know what questions you want to ask. Know where you will compromise and where you won’t.
No matter what – the enterprise is partly cloudy; embrace it.