In a previous blog, I posted the first of three pitfalls of hitching your wagon to the cloud. Today, let’s cover the second pitfall: force-fitting cloud into your current security model.
Recently, I had an opportunity to listen to the CIO of a Fortune 100 company talk about top business care-abouts for IT. We have all heard about cloud and virtualization as technology care-abouts, but this CIO boiled it all down to two things that matter for IT: Productivity and Risk.
Firstly, IT exists to enhance productivity for delivering business growth. Secondly, IT is on the hook to keep things running smoothly and to protect any exposure to the business. If you are in IT, you are not likely to lose your job over productivity, but being naïve about risk is a sure shot way to get fired. Imagine a retail chain not being able to check out people during the holiday shopping season or an insurance company losing its customer data to a hacker while sharing information with its business partners.
What does this have to do with cloud? Well, cloud is one of the biggest IT transformations of recent times delivering dramatic business productivity gains. Latest numbers suggest that over 60% of enterprises are adopting cloud to reap the benefits. However, it is equally critical to deal with the risk side of the equation to make sure that risks are mitigated proactively.
A key risk area is security for the cloud. We could bury our heads in the sand and force-fit all the existing IT security mechanisms such as centralized security enforcement to the cloud, but this defeats productivity gains and makes it a zero-sum game. Also, I believe IT will find it increasingly hard to “tether” the cloud to its security mechanisms and users will use the cloud whether IT can secure it or not. We are already seeing this user behavior with the bring your own device (BYOD) phenomenon and the use of consumer applications like Facebook or YouTube for business purposes. Interestingly, you get dramatically different answers when you ask various stakeholders about use of public clouds in the enterprise. In my experience, IT consistently underestimates the use of public cloud by 100% to 1000%. Application developers are bypassing IT while using public cloud infrastructure on their corporate expense accounts.
So what do we do? First, understand that security for cloud needs to be applied to two different areas, and use appropriate security mechanisms for each:
- Cloud-based enterprise applications such as Salesforce.com, SuccessFactors, etc.
- Cloud-based infrastructure such as enterprise Virtual Private Clouds (VPCs) in Amazon EC2, Terremark, etc.
To secure cloud-based applications, enterprises need to get over the concept of hairpinning all Internet traffic to central sites (see Pitfall 1: WAN Does Not Matter) and deploy a mechanism to secure all web traffic right from where users are. Cloud-based web security such as Cisco ScanSafe allows us to enforce security policies centrally and protect against malware while allowing distributed Internet access.
To secure cloud infrastructure, enterprises need to extend their networking and security capabilities to the cloud. This involves securing the connection from any site to the cloud via the any-to-any VPN and routing technologies deployed within enterprise networks today. It also requires more maturity on the cloud provider’s side in providing enterprise-class networking capabilities within their infrastructure. These capabilities are offered at a rudimentary level in today’s cloud environments (see previous blog: Why Hybrid Clouds Look Like My Grandma’s Network). Networking offerings in the cloud will need to evolve to the same level that enterprises deploy today to realize the vision of cloud being an extension of enterprise IT.