Commentary - Cloud computing is the next phase in delivery of information technology services, yet there are nagging questions about the security "in the cloud."
A recent study by IBM's Institute of Business Value found that 77 percent of the IT managers surveyed believe adopting cloud computing makes privacy protection more difficult. Half are worried about data breaches or losses, meaning only 20 percent of the usage of cloud computing is for mission-critical, enterprise applications.
But organizations can’t afford to let such concerns stand in the way of reaping the benefits of the cloud: conserving energy, consolidating resources, creating new business models and making data available when and where it’s needed. The payoff is real. Far-sighted organizations are using cloud computing to propel innovation, get an edge over competitors and improve productivity.
Take McGill University Health Centre (MUHC) in Montreal, which is expecting the amount of data it will handle to jump to 500 terabytes in five years. (One terabyte is 1, followed by 12 zeros). Therefore, McGill is implementing a private cloud to store all its medical records, X-rays, and other patient data so its doctors, nurses and clinicians will have that data at their fingertips no matter where they are during the day or night.
Or consider the large U.S. payroll services company that is rolling out an on-premise, private cloud which will let the company make its current tax service available to medium-sized businesses for the first time.
The key to profiting from the cloud is learning to manage the new security it risks creates. Here are three ways to do so:
- Follow a "secure by design" methodology: Far too often organizations get caught up in the latest emerging technology ideas, or in the possible returns they can achieve. They move to the cloud without fully assessing their security needs and then realize that they need to bolt on security later. Sadly, when they reach this point, they might have diminished some of the promise of cloud computing.
Organizations should focus on building security into the fabric of their cloud initiatives, beginning with simple questions such as what type of cloud would be best to deploy and how is that best delivered. Focusing on simple questions will help an organization to better understand the risks associated with cloud computing and prevent them from impeding the successful adoption of this new exciting technology.
- Focus on a workload-driven approach: Organizations should not move their entire infrastructure to cloud computing at once, but rather deliberately focus one on application or work area and successfully migrate it first. In other words, cloud computing is like sticking your toe in the water when you approach a pool for the first time.
Such an approach allows an organization to better understand its security needs. In addition, the breaking off part of the work from a broader data stream can provide additional clarity as to what information is really important, and what the organization’s risk appetite is to its loss.
- Extend security with services: Organizations should look for consultants to provide their expertise in the form of services as it relates to best practices. In addition, organizations should take stock of emerging security trends such as "security as a service."
The phenomenon of security as a service allows organizations to apply better security controls at a much more efficient cost. Organizations should take advantage of these service-based security models to not only reduce their security costs, but to also reduce the time to adapt security measures.
Every new technology comes with new risks – consider the history of the Internet and mobile computing. But over time, the benefits of new technology outweigh the risks. Since adoption of cloud computing can cut labor costs by 50 percent and improve capital utilization by 75 percent, those kinds of gains are just too hard to ignore.
Steve Robinson is general manager of IBM Security Solutions