I recently reviewed a slide deck IBM shared concerning cloud security and the mid-market. The deck offered a number of recommendations that were designed to help mid-market decision makers think about and implement processes that would help make their uses of cloud computing services safer. All in all, I thought the suggestions were useful.
IBM's four recommendations
What was most interesting to me was that IBM was able to boil down the complex industry discussion about cloud security into four simple recommendations. Here they are:
- Determine what you want to put in the cloud
- Spend wisely
- Accept that security is about risk management
- Make the concept of security understandable
Let's examine these recommendations one at a time.
Determine what you want to put in the cloud
Cloud computing is really a form of outsourcing. Applications and data are placed in the data center of a cloud services provider rather than in a company's own data center.
Since companies only pay for what they use rather than the entire cost of the real estate, power, communications, systems, software, facilities management and security, this approach appears very attractive in these cost-conscious times. It is wise for mid-market decision makers, however, to think carefully about what data is being placed in the hands of another company and what that company is going to do with that data.
Since cloud computing is based upon today's complex IT infrastructure, it would be very wise to make sure company business and IT decision makers are speaking with one voice and thinking with one mind before contracts are signed and the company begins using a cloud computing solution. Decision makers who don't understand this technology should not be making purchasing and implementation decisions without the help of those who do.
This means thinking about all of the ways things could go wrong and having plans in place to address these problems. I'm reminded of a couple of old industry saws at this point. One says "It pays to plan ahead. It wasn't raining when Noah built the ark" and the other is "Hope for the best, but plan for the worst."
Those without well-designed and well-tested contingency plans are likely to run into trouble at some point. Although some would like to attribute these problems to cloud computing in general, more often the problems are better attributed to a lack of company planning.
It isn't at all uncommon for a mid-market company to discover that no one on staff has the necessary experience and expertise to make good decisions about the use of technology. Security risks and how to address them often fall into this category.
It would be wise to ask the experts at the cloud services provider or at the company's traditional IT suppliers, such as IBM, Dell or HP, to help the company make reasonable plans.
These plans, by the way, should be carefully examined and tested before a company jumps into cloud computing with "both feet."
Accept that security is about risk management
The only perfectly secure system is one that is housed in a secure environment, is not connected to the Internet and is not being used! Since mid-market companies expect to use the systems and are going to be connected to the network, it is important for companies to understand that total and complete security isn't really possible. What is possible is to take all reasonable steps to create a safe computing environment.
Furthermore, security in a cloud computing environment is not like third grade math. You know, once a person has successfully passed this course, it isn't necessary to take it again. Security plans and procedures need to be routinely re-examined as the environment changes.
Once again, it would be wise to ask the experts at the cloud services provider or at the company's traditional IT suppliers to help the company make reasonable plans to create a safe and secure computing environment.
Make the concept of security understandable
One of the biggest challenges facing mid-market decision makers is one of finding a common language. Business people think and talk about company operations one way and IT specialists think and talk in another way. It is wise to make sure everyone is on the same page. It isn't at all uncommon for the same phrases to have different meanings to those two groups. Having an interpreter on the team, a person who understands both languages, can make all the difference.
All in all, IBM's slide deck offered some concise, understandable and actionable advice mid-market companies would be wise to consider.