The first rule of cloud security is, you do not talk about cloud security issues.
No, wait, that’s not right – everybody talks about cloud security risks and issues. Gartner just ran a survey on the factors preventing adoption of the cloud, and more than 50% of respondents cited security and privacy.
The problem is that much of that talk is ill-informed or simply out of date. Here, then, is an attempt to set the record straight about security and the cloud.
7 Tips for Cloud Computing Security
The cloud is way more secure than your datacenter
Your datacenter, if it’s anything like every other enterprise datacenter, is a tangled mess of different technologies, with legacy platforms sitting beside new cutting-edge frameworks, and yesterday’s seemed-like-a-good-idea-at-the-time coexisting with tomorrow’s wouldn’t-it-be-cool-if. At various time people have come in, often armed with navigable rivers, to attempt to clear out the past and usher in a new shiny future. This may even have worked… in places – until the next bright-eyed young thing came in with their own vision.
This is a nightmare for security, as the sheer number of different technologies makes it hard for people to fully understand what is going on.
The big public clouds, on the other hand, are built on extreme standardisation. The entire premise of the cloud is to have huge numbers of perfectly interchangeable parts, and swap them around at very high speed. This means that cloud security can be baked into the platform itself, and constantly verified. They also have dedicated cloud security teams, and they can leverage economies of scale and some really interesting problems to attract the very best of the best – better talent than almost any in-house IT team could attract.
The cloud is secure – but there are still risks
Here’s the catch: public clouds are secure only up to the container level. That’s what they deliver to users, and that’s what they guarantee. Users are responsible for what they put in that container. Store the keys to the kingdom in plaintext somewhere accessible, and you’re on your own. Deploy an app without considering what might be done to it, and it’s nobody’s fault but your own when your secrets get spilled.
On the other hand, the fact that the container is locked down is already a big time-saver. Also, moving into the public cloud is a great opportunity to jettison some ballast and leave some of that legacy behind. Make a clean start in the cloud! Of course you will still have a datacenter, but you can at least take advantage of the new pristine cloud environment to build new offerings.
Just make sure that you build those new applications carefully, as the very speed that magnifies the attraction of the cloud also magnifies the consequences of any mistakes.
Just because you built your cloud right – doesn’t mean it’s still right today
One of the early expectations of the cloud was that workloads deployed there would be ephemeral, so there was no real need to manage their configurations. After all, they could not drift very far from the blessed configuration before they would be decommissioned, and their replacements would be once again guaranteed to be exactly identical to the desired template.
This vision did come true in certain areas, notably in development and test, but in production environments, application predictability often trumps the grand cloud visions. If you need to provision a new node to a running cluster, you generally need the same config as the nodes that are out there already. In turn, if you need to update that running config, you need to be able to do it in place – and track what you’ve done, so that any future actions on that platform can take its current state into account.
Avoid dark cloud and shadow IT security risks
The main security problem that companies will have with public cloud is when IT refuses to engage with it “because it’s not secure” – and so people use it anyway. Sales people hear about a cool SaaS CRM tool that tracks their prospects’ interests via social media. Marketing wants to roll out new content faster. Product managers are trying to collaborate across geographies and time zones. Surprisingly, none of them want to do it via the same old systems, refugees from the 90s, that IT is pushing…
The worst thing that IT can do at this point is try to put the genie back in the bottle. All of these teams are doing the best they can for the business – so IT’s role is to guide and advise them to make sure that they are doing it in a safe manner. The way to have that conversation is to look at each “shadow IT” project as a signpost to additional value that can be unlocked, a user demand that is going unmet – not as an attack upon everything that IT holds sacred.
Users will be going to the cloud whatever IT says. IT’s only choice is whether to abandon them – and then deal with the consequences when, inevitably, somebody untrained in security matters misses something – or to support, guide and advise them, so that they can be safe in the cloud.
Not all clouds are equal when it comes to privacy
Until now, we have focused mainly on the first half of the factor slowing cloud adoption: cloud computing security. However, there was another factor there, closely related but distinct, and that is privacy.
There are all sorts of legal reasons why certain types of data – notably, Personally Identifiable Information, or PII – must be stored within national borders, or by providers operating in a certain legal jurisdiction. Unfortunately, law and geography do not map exactly to each other, so the fact that the company’s data are stored in a datacenter that is physically located in a country does not necessarily have any influence on the legal framework which applies to those data.
Of course, not all – or even most – of a company’s data are sensitive or protected in this way, so the key is knowing which is which – and crucially, being able to enforce the correct policies on the different types of data.
Humans are the weakest link in cloud computing security
People are terrible at following these types of instructions, and especially at doing so consistently over time and across different situations. Fortunately, computers are really good at slavishly following orders, freeing up the humans to do the things that humans are good at.
BMC has developed solutions to enable companies to automate the management of a variety of IT infrastructure platforms, from legacy on-premise to the newest public-cloud offerings. Importantly, BMC Cloud Lifecycle Management does not attempt to treat them all the same way, but rather to map the many different deployment options to the requirements of different use cases. Cloud Lifecycle Management also automates both day 1 tasks – provisioning something new – and day 2 and beyond – managing what is already in place.