The IT industry successfully generates billions of dollars each year by selling us security products and services. Security always plays a major role in any corporate IT purchasing decision. But we are still a very long way from securing our IT environments.
Most security breaches are caused internally by employees or other authorized users of corporate systems, such as contractors. It is these groups that are most likely to compromise the integrity of our systems, not external hackers. In spite of this, much more focus tends to be placed on external threats.
Each time I work on a client’s site, I am struck by how easy it would be for me to compromise their systems. All I would need to do is insert a thumb drive with malicious code into a USB port and, hey presto, I’ve undermined hugely expensive security investments.
It is reckless to allow employees and contractors to carry highly sensitive data around with little consideration of the consequences of losing the laptops and smart phones that house the data. Amazingly, little focus is placed on addressing this particular security threat as well.
Enterprises do not sufficiently focus on changing the behaviour of their users by making them aware of security policies and the reasons for those policies. Few ensure adequate control of basic access to their physical premises and to end-points that form part of their network. It also seems as though few enterprises track the location of sensitive data that physically moves around with employees and contractors.
Ensuring that everybody who accesses enterprise networks is trained to follow appropriate security policies is an extremely challenging task. For this reason, it is necessary to consider other ways of mitigating the risk of an employee or contractor from compromising security.
One way of doing this is to source as much of the enterprise’s computing resources from the cloud as possible. Managing the security of heterogeneous on-premise IT environments is a highly complex and almost impossible task. Minimising the amount of on-premise resources that a corporation manages mitigates risks associated with security breaches enormously. Ensuring that data is stored in a secure environment (in the cloud), rather than on portable devices such as laptops and smart phones also enables corporations to reduce risk.
Cloud computing, and I mean public cloud computing, allows us to mitigate risks and, in many cases, offer greater security than can be provided by spending millions of dollars in an attempt to secure on-premise resources.
It is true that multi-tenancy and virtualization add a lot of complexity to providing levels of security that many enterprises require. However, public cloud services providers such as Google, Amazon, Microsoft and Salesforce.com focus heavily on ensuring that their data centers follow best practice security policies and are using the most up-to-date security tools. Security can also be tied into service levels.
So, using public cloud services can offer more security than keeping data and other computing resources on-premise. These services can also reduce the amount spent on security massively. Perhaps this is the reason why many in the IT industry are keen to dissuade us from using cloud computing.
Security is always a challenge. But, there is little evidence to suggest that using the public cloud is less secure than the traditional on-premise form of computing. In fact, there is more evidence to suggest that using public cloud services can, in many cases, eliminate security risks that exist with on-premise computing alternatives.
The cloud model of computing is much better positioned to address today’s security challenges and concerns than alternative models. So, will the term cloud security soon be considered a pleonasm? In other words, will the cloud soon become synonymous with security?
About the Author
Andrew Milroy is ICT director, Australia and New Zealand, at Frost & Sullivan. The views and opinions expressed in this article are his own, and do not necessarily reflect those of his company.