Cloud, here we come! Or is it rather more a case of "We're already here, so make the best of it..."?
I spent some time today talking to a good friend of mine who also happens to be the head of security for a large European financial services business. Unsurprisingly we got on to the subject of cloud, cloud usage, and his concerns (if any).
Like a lot of companies, his alternates between tentatively stepping into the uncertain waters of the cloud one toe at a time, and leaping in like a cliff-diver/lemming cross-breed. I asked him about private cloud initiatives:
"Yes, we have one of those. Well, more than one, actually. We're leveraging one of our current providers (in the networking space) to host some private IaaS (Infrastructure as a Service) compute resources for us. It seems to be going ok."
However, that's not the end of the story. "We've also got a big SaaS (software as a service) commitment too."
And here's where things go off the rails, as I suspect they do for a lot of security managers. In this case, as head of security, he was presented with the information about the offering and asked to provide any concerns regarding security and compliance, which he did. (There were several, especially around meeting EU privacy directives.) Unfortunately, by the time he'd been brought into the picture the contract had already been signed. For three years.
My friend's comment on the situation involved a number of very colorful Anglo-Saxon expressions which, for the sake of politeness, I'll summarize as "Oh dear."
A lot gets written on the subject of cloud security. It's hardly surprising after all, since "To Cloud, or Not To Cloud" has become one of the defining existential questions of this decade – at least for IT and businesses. I suppose it's possible there exists a remote tribe somewhere deep in the lush and ever-verdant Amazonian rainforest for whom Cloud computing isn't really much of a concern, although by 2012 even they'll probably be wondering whether to outsource their email storage or not.
Here's the rub (to steal another Shakespearian quote). While the security industry frets about securing the cloud, many businesses are simply moving ahead anyway. My friend's lamentable story is hardly unique (I've heard similar before from other CISO-level friends). A lot of senior IT execs are making noises about moving cautiously into the cloud, and keeping sensitive data within their own perimeters – but I wonder if, like the witches in Macbeth, they have that same sense of inevitable foreboding – "By the pricking of my thumbs, something wicked this way comes." I also can't help but wonder if, on closer examination, they might find a lot more cloud usage than they had first suspected, or hoped.
It's RSA time. Perhaps as I wander the aisles of vendor booths (or would it be better to describe them as clouds of vendor booths?) I'll see some progress. For what it's worth, and in the spirit of full disclosure, my own company will be making announcements in this area too.
As of now there are a lot of pieces in motion: vendor, regulatory, best practice, business process – but I guess the important questions, who gets there first and where exactly "there" is, remain distinctly unanswered.