By Craig Nelson – special guest to The Security Catalyst
Is it right for you? Sure.
Is it right for your business? <crickets>
By now, many have adopted a “cloud”-based service for personal use (sometimes without even realizing it). The definition of “cloud” can be a bit fuzzy at times, but to keep it simple: it’s a service provided over the Internet (“the big cloud”). This cloud includes services (from “smaller clouds”) from providers that offer hosted email, backups, document editing, picture sharing, and even password storage.
By linking all of the “clouds” together via fancy software (running on our desktop or elsewhere), our computing experience is much more fulfilling (and certainly more complex).
Given the vagueness of the definition, we can all rest assured that we are on the cutting edge by using “clouds” for our personal productivity.
But, when will “the cloud” be adopted and considered mainstream by the small, medium, and enterprise businesses of the world?
Three reasons businesses choose the cloud
The business reasons cited for using “the cloud” are likely one or more of the following:
1. Lack of time or expertise (including security) to build and maintain an in-house solution.
2. Seeking the advantage/speed of new features that are released quickly.
3. It’s cheap (either free, or subscription fees).
Beyond these simple points, consider the depth and complexity of each.
Software technology can be complex to learn, install (correctly), and run (correctly). It only takes one mistake to reinforce the fact that essential tasks — such as patching, backup and restore, and monitoring — are expensive and time consuming.
With a finite amount of time and resources, many choose to focus on the business and leave the technical challenges to someone else (the cloud provider).
At the end of the day, this boils down to ensuring the service is running with the right features to drive a fulfilling and non-frustrating computing experience.
Can the cloud be more secure?
Many security breaches are due to improper configuration and lax administration and maintenance.
These issues can be pushed into the provider’s hands, who can manage “low level infrastructure issues” in a cost-efficient way through economies of scale. When a security defect is discovered, it’s likely the provider can quickly patch all of the instances of the software, and centrally determine whether the defect had any consequence (i.e., whether it was used to compromise data).
If additional security is desired, additional security controls can be applied – matched to the value of the information. For example, organizations concerned about protecting the privacy of their data may choose to encrypt it before backing it up into a cloud-based solution. The encryption will cost some additional CPU time, and add a bit more complexity to the restoration process. However, it’s a cost that can be readily accepted.
The Cloud – Personal
At a personal level, “the cloud” allows a consumer to do more with less, and allocate valuable time and money in other ways.
Individuals sitting on the sidelines — who don’t trust the cloud — will dwindle over time as reasonable mitigations are developed to alleviate concerns. For example, many online backup providers offer the ability to encrypt data with keys that are unknown to them (thus partially alleviating the concern that the provider’s employees can view data stored by its customers. I say partially because you still need to trust that the software is doing what they say!).
New services (such as Lastpass) are emerging to protect the most secret of our secret information (passwords). A few years ago, I couldn’t imagine that such a service would be widely adopted. However, now, it seems to be trickling into the “essential software” list of well-respected technologists.
The Cloud – Business
It’s a bit different at the business level.
Many businesses today are sitting on the cloud sidelines. This is because using the cloud for business purposes isn’t quite mainstream. From an architectural perspective, there are questions pertaining to the performance and manageability of cloud-based resources, and whether the focus should be on “private clouds” (locally hosted resources that use similar patterns and practices related to cloud computing) rather than “public clouds.”
IT shops, which for the last 10 years have been fighting patch management, auditing, and other security issues, need time to understand if the cloud can meet the dizzying array of requirements that have emerged from the “post-9/11 security boom.”
Is the cloud right for business?
So, is “the cloud” right for your business? This is a serious decision – one that could cost a business its reputation. Thus, it has to be answered with clear conviction rather than the typical illusion associated with security.
Here’s a start: ask these three questions and discuss the answers with your team – including your security pros – to begin finding out:
1 – What regulations is the business subject to? What operational principles and policies does the business have? Can the cloud provider provide an adequate level of support? If not, can deficiencies be mitigated?
2 – Does the cloud provider offer security controls that allow an adequate level of protection? If not, can deficiencies be mitigated?
3 – Does the cloud provider offer a level of operational transparency, so appropriate metrics and logs can be used for monitoring and reporting?
About Craig Nelson
Craig Nelson works at Microsoft, and is the host of the Cloud404 Blog (http://blog.cloud404.com). His expertise and education is in incident response, computer forensics, and security architecture.