Security mindset must change with cloud

Summary: Companies need to grasp implications of moving to cloud and develop roadmap to holistically secure IT systems instead of deploying security products for individual stacks.

SINGAPORE--Companies need to move away from the mentality of having complete control over their IT infrastructure and securing different IT stacks in a piecemeal manner when they make the move toward cloud computing, industry executives urge.

Jim Reavis, co-founder and executive director of Cloud Security Alliance (CSA), said traditional IT security practices have always been black and white in that tech departments know they have complete control over the company's hardware and infrastructure.

In knowing this, they can develop their own security regime or outsource it to a third-party provider completely, Reavis added during the CloudSec 2012 conference held here on Wednesday.

With cloud computing though, IT security has become more "grey" as traditional practices no longer apply. Companies and their IT teams will not know which part of the infrastructure they have control over and will have to work with service providers to ensure their systems are safe, he noted.

Companies that persist in the old mode of provisioning security for cloud-based IT systems will discover that such practices hinder the scalability, agility, and lowered costs that cloud computing promises to deliver, noted Dave Asprey, global vice president of cloud security at Trend Micro.

The executive, who was also present at the CloudSec conference Wednesday, added that IT departments are not being aggressive enough in adopting new technologies, particularly during the migration to cloud. For instance, when moving from physical to virtualized servers, companies will have to navigate through different components of an integrated IT environment such as public cloud services and desktop virtualization. In doing so, they end up deploying a glut of security products to protect the individual deployments.

Such actions, Asprey noted, negate the benefits of moving to cloud as they lower security, increase total cost of ownership, and make their IT systems more complex to manage.

Organizations should opt for a single management console or craft an integrated security model instead, he suggested. This model must enhance security across all systems at the same time, provide visibility to each component of the infrastructure, and have automated patching for the virtualized servers, he said.

Timothy Grance, senior computer scientist at National Institute of Standards and Technology (NIST), added during the conference that, above all, business factors must be considered alongside security. These include evaluating and understanding service level agreements (SLAs), he said.

Companies should also not be paralyzed by potential legal, security, and technical issues during the migration process in order to fully realize the potential of cloud computing, Grance urged.

Topics: Cloud, Security, Virtualization

Ellyne Phneah

About Ellyne Phneah

Elly grew up on the adrenaline of crime fiction and it spurred her interest in cybercrime, privacy and the terror on the dark side of IT. At ZDNet Asia, she has made it her mission to warn readers of upcoming security threats, while also covering other tech issues.


Talkback

8 comments
  • Complete control?

    “Companies need to move away from the mentality of having complete control over their IT infrastructure…”

    I almost stopped reading right there. We should give up the idea that we have control over our data processing? This certainly implies that we won’t.

    “With cloud computing though, IT security has become more "grey" as traditional practices no longer apply. Companies and their IT teams will not know which part of the infrastructure they have control over and will have to work with service providers to ensure their systems are safe…”

    And we thought security was a problem now…

    “…when moving from physical to virtualized servers, companies will have to navigate through different components of an integrated IT environment such as public cloud services and desktop virtualization.”

    More complexity to put up with.

    “Companies should also not be paralyzed by potential legal, security, and technical issues during the migration process in order to fully realize the potential of cloud computing…”

    In other words, no matter how rough the ride, stick it out. That’s what the servers of the cloud want.

    To sum up this blog, security will become more of a concern when you add a third party as an additional layer to your system. It cannot be otherwise. But stick with it, no matter the size of the problems, you will be safe in the arms of the cloud.

    Taking into consideration the other negative factors of the cloud, such as reliability, is putting all your eggs in the cloud basket a good idea?
    Doc.Savage
  • Moving to the Cloud...

    Interesting article. As an IT company who offers cloud solutions to companies, it’s interesting to hear what a lot of organizations are doing wrong when switching to the cloud. This article offered some great insights.
    Meaghen
    Mosaic Technology
    http://www.mosaictec.com/
    meaghenice
  • No change in mindset needed

    There is no change in mindset needed when moving to the "cloud." Since there is, for all practical purposes, no security whatsoever with local data (except maybe if you keep your vital data on a Flash drive strung on a string down your pants), and there will be even less on the "cloud," there is no change in mindset needed...that same-old, same-old mindset being, "There is no Santa Claus, there is no Easter Bunny, there is no Tooth Fairy, there ain't no such thing as a free lunch [TANSTAAFL], and there is no Security."
    charlessmall18
  • When...

    we see Cloud as a whole (distributed network, multiple datacenters, etc.), security is indeed a major concern; however, it can be easily addressed with a proper SLA. In fact, the giants or large enterprises who understand technology will never use the excuse of "Security" when it comes to moving to Cloud. The challenges they face are more often related to the compatibility of their legacy software with cloud. Only those SMEs, where technology is not on every desk of their organization, question the security. These organizations are those who would raise concerns about every new technology.

    If we just remove distribution from Cloud and leverage on its visualization benefits, it would still pay in large.
    moosaz19
  • I wonder who pays more? NIST or private sector?

    >>
    Companies should also not be paralyzed by potential legal, security, and technical issues during the migration process in order to fully realize the potential of cloud computing, Grance urged.
    Marc Jellinek
  • Comment got cut off

    Don't pay any attention to regulatory compliance requirements, your responsibility to your customers/clients/stakeholders/shareholders.. this is the cloud, it's cool and if you can't see it, you must be stupid.

    I wonder if Grance is looking to make a move away from NIST and towards a highly compensated position within a cloud computing company?
    Marc Jellinek
  • cloudy questions

    Will we learn from Java's failures that too much trust is as bad as too little defense? But hasn't .NET done it better?

    Maybe our lesson will be like the one that came with wifi networks- that it is better to partially secure the convenient yet insecure rather than try to ignore it.
    Dave Keays
  • Cloud Computing Realities

    This article appears to be the "all or nothing" approach to the cloud. Hybrid and personal clouds are more likely to be the approach. From what I have seen thus far, companies are very hesitant to put "all" data in the cloud. The loss of data controls sets up the perfect targets for corporate or state-sponsored espionage.
    david.gagne@...