Hint: It doesn’t actually have much to do with technology or products
In case you hadn’t heard, Panda Security has introduced a cloud-based anti-virus offering. That set off a raft of articles and blog posts discussing the solution itself and what it means, and some of them questioned whether ‘anti-virus’ ever meant ‘security’ in the first place.
But I’m not interested in that discussion, except to say that folks need to be more careful about distinguishing “cloud security” from “cloud-based security”. The former is about securing the cloud and its infrastructure; the latter is about security services hosted in a cloud environment. Kthx.
What these discussions should do is bring to the fore the real question: What in the name of all that is digital does ‘cloud security’ really mean?
IT AIN’T REALLY ABOUT TECHNOLOGY
It seems that every trade publication and analyst firm has done a “survey of CIOs” regarding cloud adoption, and almost every one comes back with “security” near the top of the list of reasons why CIOs are not adopting cloud right now. It’s nearly impossible to find a cloud computing article that doesn’t mention security. Go ahead – look. I’ll wait.
Back so soon? See what I mean? Everybody says “security” is the reason cloud is not ready for the enterprise. But have you noticed that no one seems to define just what “security” means in the context of cloud?
Craig Balding does a good job of examining HIPAA compliance on AWS over at cloudsecurity.org, but that’s one post on one very niche concern, more related to the complex issue of compliance than to general “security”. You know, the kind of security CIOs know exists in their own data centers.
When talking to CIOs, the subject of security comes down to something a lot more ephemeral than cold, hard metal cases with blinking lights running some three-letter-acronym security function. What they’re really concerned about – and should be concerned about – is accountability and control.
That’s right: cloud security – at least right now – is about accountability, and about the control organizations require before they will accept that level of financial and legal responsibility.
You see, many of the regulations like SOX and HIPAA and SB1386 put very real consequences on failure to secure data and processes. C-level executives can go to jail for failure to comply, face heavy fines for failing to adhere to security regulations, and could ultimately find themselves on the street in the event of a serious enough data breach. These are very serious risks and require that the CIO accept responsibility for the overall security of applications and data.
CIOs know that they have control over their own data centers. That means they are more willing to be held accountable for the security of applications and data, because they can do something to ensure that security. That may mean products, or processes, or policies. What it means is not nearly as important as the ability to implement and enforce it. The important thing here is that the CIO can do something about it. He can hold his employees accountable and is therefore willing to be held accountable by stakeholders, and by the law.
Given the very real potential for financial and legal ramifications in the event of a security breach, it’s no surprise that CIOs are leery of “the cloud”. It’s hard enough to get a cloud provider to agree to service level agreements; trying to convince them to accept accountability for the security of applications and data over which they have no control is an exercise in futility. Hoff said it best when he commented on IBM’s “guaranteed” cloud security: “I wonder if this guarantee is backed up with anything else short of a "sorry" if something bad happens?” So why, then, does anyone expect CIOs to accept accountability for network and application infrastructure over which they have no control?
It’s not that the cloud is absolutely more or less secure than the traditional data center, or that it can’t be made more secure by adding solutions that address specific concerns like data leakage or basic protocol security. It’s that if the cloud provider doesn’t offer the ability to provision and implement solutions for those concerns, the CIO can’t do anything about it. He can’t plead his case to a steering committee, or lay it out for the board and beg for budget. All he can do in the cloud is ask the provider whether they are willing to help, and understand that if they are, it’s going to cost – a lot. Though it’s more likely they won’t.
CIOs recognize that cloud security isn’t really about technology or products. It’s about accountability and the willingness to shoulder the responsibility for a breach – and its potential consequences. CIOs accept that kind of risk in their own organizations because they know they have enough control over their environment to implement the solutions they need, when they need them. It’s about IT agility – the ability of IT to adapt to current conditions, whether those affect security, performance, or capacity.
The cloud, right now, does not afford that level of flexibility and adaptability. Right now the cloud is about on-demand application deployment and scalability, not on-demand infrastructure. These are two very different things, regardless of claims to the contrary, and the latter does not truly exist at this point in time.
It remains to be seen if it ever will.
And until it does, don’t be surprised by CIOs citing “security” as an all-encompassing reason to avoid the cloud. Just recognize that “security” means more than technology or products; it means being able to sleep at night knowing they’ve done everything they can to ensure the security of their applications and data, and not just what a cloud provider allows them to do.
CARTOON COURTESY OF toothpastefordinner.com