Comment: Don’t fear the cloud, or its security

With a clear hand on risks and associated controls, Colley says the cloud can present an opportunity for IT and information security teams to improve upon their current approach to information security
John Colley, managing director of (ISC)² EMEA

Despite the security concerns of cloud computing, companies are proceeding full steam ahead, moving their applications, services and the information running over them into the cloud. A study by ISACA in March of this year showed that while 40% of UK organisations had already deployed some of their IT infrastructure into the cloud, a quarter of those cloud adopters were concerned about risks such as information theft and compliance issues.

If all of these fearful cloud adopters took their heads out of the cloud for a few minutes they might be able to see that the risk of data theft from the cloud is minimal when the appropriate controls are in place.

Information security and IT teams too easily adopt the path of telling users what they can’t do rather than helping them achieve what they want to securely. A poll of over 300 (ISC)² certified security professionals at the end of 2009 indicated that over 92% anticipate employees will circumvent the IT department to trial software-as-a-service (SaaS) or cloud-based solutions. This do-it-yourself accessibility of cloud computing makes it easy for people to get around the internal limitations of their IT department, which means it’s time to get real.

While the risks of putting data or applications into the cloud are different for every organisation, there is growing recognition from all business departments – not just information security – that they have an active role to play. They must now become better at not only assessing risks but also being able to innovate, procure and develop their ideas, all the while knowing that security is critical to the business case.

The chief technology architect at the Royal Mail, Stuart Curley, recently said that “most cloud computing systems are a lot more secure than internal systems.” He makes an excellent point. Although choosing the right cloud service provider can be prone to the occasional shower, providers operating their businesses on the same cloud platform they are leasing out may actually have more to lose.

A carefully controlled migration to cloud-based services could provide the impetus needed to improve security in many organisations. But unlike the early days of outsourcing, there are few opportunities for companies to negotiate terms, controls and service-level agreements – regardless of whether they move all of their applications into the cloud or adopt a partial strategy.

Indeed, industry analyst IDC’s European Cloud Provider’s Technology survey states that only 20% of cloud providers are evaluating scalable infrastructure propositions offered by systems vendors. Royal Mail’s Curley concurred when he said “it’s tough finding suppliers who are set up to work with the commercial contracts demanded by businesses”.

As the competition among providers heats up, however, we will eventually reach a stage where businesses can demand controls and cloud providers will be forced to raise their game if they want to win business. This will be good news for all companies rushing headlong into the cloud without a clear and proper review of all risks.

With a clear hand on risks and associated controls, the cloud could present an opportunity for IT and information security teams to improve upon their current approach to information security. It doesn’t need to be something that is feared.


John Colley, CISSP, is the EMEA managing director for (ISC)², a non-profit professional organisation that represents 70,000 information security professionals worldwide, more than 10,000 of whom reside in the EMEA region and nearly 3,500 in the UK. John spent twenty years working in software and systems development before moving into information security. He has held posts as head of risk services at Barclays, group head of information security at the Royal Bank of Scotland Group, director of information security at Atomic Tangerine, and head of information security at ICL.
