One size fits none: How to secure cloud computing in the enterprise

Summary: Far-sighted organizations are using cloud computing to propel innovation, get an edge over competitors and improve productivity. You can't afford to let security worries scare you away.

Commentary - Cloud computing is the next phase in the delivery of information technology services, yet there are nagging questions about security "in the cloud."

A recent study by IBM's Institute of Business Value found that 77 percent of the IT managers surveyed believe adopting cloud computing makes privacy protection more difficult. Half are worried about data breaches or losses, meaning only 20 percent of the usage of cloud computing is for mission-critical, enterprise applications.

But organizations can’t afford to let such concerns stand in the way of reaping the benefits of the cloud: conserving energy, consolidating resources, creating new business models and making data available when and where it’s needed. The payoff is real. Far-sighted organizations are using cloud computing to propel innovation, get an edge over competitors and improve productivity.

Take McGill University Health Centre (MUHC) in Montreal, which is expecting the amount of data it will handle to jump to 500 terabytes in five years. (One terabyte is 1, followed by 12 zeros). Therefore, McGill is implementing a private cloud to store all its medical records, X-rays, and other patient data so its doctors, nurses and clinicians will have that data at their fingertips no matter where they are during the day or night.

Or consider the large U.S. payroll services company that is rolling out an on-premise, private cloud which will let the company make its current tax service available to medium-sized businesses for the first time.

The key to profiting from the cloud is learning to manage the new security risks it creates. Here are three ways to do so:

  • Follow a "secure by design" methodology: Far too often organizations get caught up in the latest emerging technology ideas, or in the possible returns they can achieve. They move to the cloud without fully assessing their security needs and then realize that they need to bolt on security later. Sadly, when they reach this point, they might have diminished some of the promise of cloud computing.

    Organizations should focus on building security into the fabric of their cloud initiatives, beginning with simple questions such as what type of cloud would be best to deploy and how is that best delivered. Focusing on simple questions will help an organization to better understand the risks associated with cloud computing and prevent them from impeding the successful adoption of this new exciting technology.

  • Focus on a workload-driven approach: Organizations should not move their entire infrastructure to cloud computing at once, but rather deliberately focus on one application or work area and successfully migrate it first. In other words, cloud computing is like sticking your toe in the water when you approach a pool for the first time.

    Such an approach allows an organization to better understand its security needs. In addition, breaking off part of the work from a broader data stream can provide additional clarity as to what information is really important, and what the organization’s risk appetite is for its loss.

  • Extend security with services: Organizations should look for consultants to provide their expertise in the form of services as it relates to best practices. In addition, organizations should take stock of emerging security trends such as "security as a service."

    The phenomenon of security as a service allows organizations to apply better security controls at a much more efficient cost. Organizations should take advantage of these service-based security models to not only reduce their security costs, but to also reduce the time to adapt security measures.

Every new technology comes with new risks – consider the history of the Internet and mobile computing. But over time, the benefits of new technology outweigh the risks. Since adoption of cloud computing can cut labor costs by 50 percent and improve capital utilization by 75 percent, those kinds of gains are just too hard to ignore.

biography
Steve Robinson is general manager of IBM Security Solutions

Topics: Security, Cloud, Hardware, Servers, Virtualization

Talkback

3 comments
  • RE: One size fits none: How to secure cloud computing in the enterprise

    Steve,

    We should all stand on the shoulders of giants that come before us or at least adopt industry best practices and standards. I agree that we all need to adapt our security practices on the individual risks that we face, but we need to also use an industry framework as the basis of our security practices.

    The following are some of the possible Cloud security foundations to rely on:

    Several prominent Cloud providers have or are in the process of obtaining the ISO/IEC 27001 certification of their management systems.

    The AICPA next generation SAS 70 auditing standard for Service Organizations is the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) SOC 1, 2, and 3 and the International Standard for Assurance Engagements 3402 (ISAE 3402) Assurance Reports on Controls will take effect in June 2011.

    The Cloud Security Alliance through their freely available toolkit called the GRC Stack is another Cloud security foundation that has been vetted by many security thought leaders around the world. The GRC Stack toolkit includes the Cloud Controls Matrix (CCM), Consensus Assessments Initiative Questionnaire (CAIQ), and CloudAudit, that can be used through the review and sales cycle thru continuous compliance. It is interoperable and has mappings with the Unified Compliance Framework (UCF), PCI DSS v2.0, COBIT 4.1, HIPAA, HITECH Act, ISO/IEC 27001:2005, NIST SP800-53, FedRAMP, BITS Shared Assessment AUP v5.0 / SIG v6.0, GAPP, and work within the single-company-to-multi-tenant Cloud models of SaaS, PaaS, and IaaS (S/P/I). More information can be found, here: https://cloudsecurityalliance.org/grc-stack/

    Trust is the basis of the Cloud. Each foundation above is an example of the security industry coming together to rally around enabling this industry. There are several choices to pick from and suggest that we start there.

    We should not reinvent the wheel and hope the information above helps consumers and Cloud providers alike.

    Regards,
    Phil Agcaoili
    PhilAgcaoili
    • RE: One size fits none: How to secure cloud computing in the enterprise

      In my view, we are already seeing a move away from generic, one-size-fits-all cloud solutions. Cloud vendors with detailed sector knowledge which offer tailormade, industry-specific solutions are likely to provide more efficient and secure services.
      adamjones342
  • The Hybrid Cloud Solution

    Cloud technology has now matured to the point where highly secure solutions are available. For example, a "hybrid" model addresses many of the security issues by "mashing up" data so companies can keep certain information highly confidential while also exploiting the benefits of public cloud computing, of which the biggest benefit is the reduction in capital expenditure for the infrastructure and time-consuming provisioning for any new IT initiative.

    Cloud vendors also need to pull their weight by providing watertight customer service agreements, detailed specifications about data storage and portability, and compliance information. In my view, we are already seeing a move away from generic, one-size-fits-all cloud solutions. Cloud vendors with detailed sector knowledge which offer tailormade, industry-specific solutions are likely to provide more efficient and secure services.

    Ultimately, cloud should be about business change. While security concerns cannot be completely dismissed, in my view, they shouldn't prove barriers to technology innovation that can genuinely help stimulate better business.

    Lance Sinclair, MD of Radius Technology
    http://www.radius-technology.com/
    Lance Sinclair