Judging by the results of most surveys over the years, security has long been the Achilles heel of cloud computing. Yet there's an argument for suggesting that this will not always be the case, and that we may be close to the tipping point where it starts to change.
Marshmallows no more
Clearly, the old marshmallow security model - crunchy on the outside, soft in the middle - no longer works, as the number of entry points inside the network has exploded and is set to rise again hugely once the IoT arrives in force.
In addition, the deployment of cloud services is now a standard method of delivering increasing numbers of applications, leaving the enterprise with at least two sets of attack surfaces: one on-premises, and one for each cloud service provider. This situation will intensify as the number of cloud service providers grows, and it will grow as enterprises shift application delivery to the cloud.
What's more, the growing numbers of IoT devices create additional security pressures. Such devices are likely to have little or no processing power available to run security software, so they will need to be protected by the network - or the cloud security system.
Cloud to add security?
So is the answer to move the security layer into the cloud, converting the cloud into a source of security rather than vulnerability? At the very least, this could enhance the user experience, as it could reduce the network traffic generated by security systems, and so save on bandwidth costs. It could also reduce the reliance on security point products, each with its own UI and management system, and each requiring updating; even when updates are automated, the status of security systems must be checked in the event of an anomaly.
Cloud security offers other advantages. When corporate Internet access is routed via a cloud security layer, traffic to low-reputation websites can be inspected and quickly blocked if necessary before that traffic traverses the corporate network. We've also seen the emergence of innovative cloud-hosted security services that, for example, make use of big data and AI, or sandboxing, heuristics and anomaly detection. This centralisation will enable more correlation of events and improved traffic analysis, and encourage a data-centric rather than a device-centric approach.
Once a cloud security service is up and running, all data access can be centrally secured - and the IoT and access from mobile devices, which are currently among the top security concerns, can be allowed into the corporate network. What will then have happened is that the previously separate concepts of endpoint and network security will have been combined, with the network layer providing security at all levels.
Core focus regained
This is not to imply, of course, that organisations can forget about core security issues, including compliance and key management, nor that they can abandon their concentration on security while retaining the cloud's advantages of flexibility and elasticity. It will remain the responsibility of cloud service provider customers to implement security best practices and educate end-users in doing so.
It does, however, have the advantage that the business can focus on its core competencies: security is complex and non-obvious, so it makes sense for most organisations to cloud-turbo their security. Is it time yet to abandon the idea of security as the cloud's biggest weakness?