Tuesday, May 15, 2012

Stormy Clouds are Rolling In: A Look at Cloud Technology

Samuel Warren
IS469-Information Security Capstone
Dan Morrill
City University
May 3, 2012

Executive Summary

Without a doubt, Cloud technology is here to stay. The Cloud as a concept is the idea of separating specific services and utilizing a third party that specializes in that area to host an organization’s needs. One of the major issues with the Cloud is the lack of commonality among the various service providers. It is acceptable to have differences between Cloud Storage and Cloud web-servers; however, the differences have been proven to exist between Cloud Storage providers. This poses a major security concern because security engineers and analysts are not able to identify and mitigate attack vectors. There is a real need to bring discipline to the people and processes around Cloud usage in each individual organization as well.

Introduction

At technology conferences every year, thousands file into a venue to learn about the newest gadgets and “killer apps” that are being displayed and presented. Among them in the last 3 years has been a concept, rather than a specific software or technology. Dubbed “The Cloud,” it is specifically the idea of taking a system that is directly integrated and exporting it to a company that can provide a stronger support and maintenance plan for it. The classic example: removing the server tier and having it hosted at a server provider, such as Rackspace, who can create, monitor, and maintain the server. There are a couple of huge advantages to this idea. The main one is that the customer of services such as Rackspace does not have to find, hire, and train a server administrator. The benefits of hosting some IT services in the Cloud are clear. However, there are security risks as well.

Issue & Challenges

The biggest security issue with the Cloud is that there is not enough of a standardized approach across all Cloud providers. Because of that, security experts are not able to fully understand how to protect data that goes into the Cloud.

With a fluid concept such as cloud computing, that simply does not work. There is not one single model, nor is there one single architecture that you can point to and say definitively, "We are doing that, ergo we are doing cloud computing." (MacVittie, 2008)

One of the major goals of Information Security is to locate and mitigate vectors of attack. However, attempting to do so in the Cloud could be equated to trying to pin Jello to the wall. While it is physically possible, the effectiveness of it is so minuscule that there is not really a point to attempting change. The biggest challenge around this is the lack of ability to clearly define attack vectors because of ambiguity relating to how the service works. That ambiguity serves to further reinforce the notion that the Cloud should not be used because it is not well known. However, fear of this type can easily be dispelled with knowledge and internal changes to bring more discipline. What MacVittie highlights is a fundamental problem that is solvable, but requires discipline in the technology, the people implementing and using the technology, and the policies related to the Cloud.

Three-Fold change

When discussing how to bring change, discipline, and structure to an unstructured landscape, there are many things to consider. With that in mind, the best possible way to bring adoption and long-term change is not simply to inject change into one area, like technology, but to bring change to the people and the policies relating to that technology. With the Cloud’s lack of standardization (MacVittie, 2008), there is a real need to be structured and disciplined about how the enterprise deals with Cloud solutions. For example, if the Cloud application is storage, the business should be asking the provider what their specific security policy is, how often the information is available, and when the storage devices come down for maintenance. Then the business’ IT group needs to spend time doing a gap analysis to determine how they can structure the data they are passing to the Cloud.

Think of it like training in the military. During boot camp, a person is stripped down to their basic functions and taught from the ground up how to survive, fight, and work together as a unit with others. That way, when the soldiers go to a theater of war and the chaos starts, they are able to survive and function effectively as a unit.

It is very easy to simply inject a tool into a group. In fact, there are organizations around the world that do so regularly. The problem becomes apparent when the tool is not utilized and the people who asked for it are the only people using it. Instead, if a group that owns, say, web publishing brings in a new tool, that group should not just add the new tool and turn off old tools. They should look for ways to make the tool the most effective tool for web publishing across the organization. They should bring governance and process change to groups that have outdated processes. They should, within their scope of bilateral power, move to have the organization adopt this as the only tool for web publishing at the enterprise level, then constantly find ways to support the teams using the tool. When a tool, or a process, or a person is the only thing changing, not all three, there is a real potential for failure. But if there is a three-fold change, there are more benefits. A 2009 article discusses the benefits:

Customers benefit from advanced encryption that only they are able to decode, ensuring that Mimecast acts only as the custodian, rather than the controller of the data, offering companies concerned about privacy another layer of protection. (Binning)

While Binning is specifically describing the relationship between Mimecast and its constituents with regard to email management services in the Cloud, it is a pertinent example of the duality of benefits accomplished when a Cloud company provides a strong service and the people utilizing the service are able to change their policies and personal biases. There is a real bias for IT management to keep all information “in-house” because they can physically see and “touch” the data, but if they are disciplined about how they approach Cloud services and do not give undue credence or cynicism, they will not defeat the benefits gained.

References:

Binning, D. (2009, April 24). News. In Top Five Cloud Computing Security Issues. Retrieved May 3, 2012, from ComputerWeekly.com website: http://www.computerweekly.com/news/2240089111/Top-five-cloud-computing-security-issues

MacVittie, L. (2008, December). Web Software. In Defining Cloud Computing. Retrieved May 3, 2012, from ComputerWeekly.com website: http://www.computerweekly.com/opinion/Defining-cloud-computing
