By Guy Currier, Director, Global Cloud Solutions Marketing, Dell
Since early on in cloud, concerns about the privacy and integrity of data have been paramount. And it remains the paramount issue for a workload or resource being migrated into a cloud environment—even into a private cloud, because by definition cloud shifts deployment power to less-governed end-users. Lowering barriers to IT resource deployment multiplies risk vectors no matter where those resources are hosted.
I was pleased to have the honor to personally chair the Security Theatre on the second day of Cloud World Forum in London last week. Dell sponsored this theatre for the entire event, and one of the industry’s leading security experts, Dell’s own Ramsés Gallego, presented his point of view on security strategies in the cloud era—or as he put it, the cloud “epoch.”
Ramsés, who is a member of the Cloud Security Alliance, started by reminding us of IT’s purpose as an enabler of business goals, in order to show the strategic power of using governance schemes to guide security decisions related to cloud. He demonstrated how this could work using the definition of governance published by the National Institute of Standards and Technology, which he summarized in four parts: defining strategy, supervising tactics, guiding risk assessment and remediation, and ensuring operational efficiency. Be sure to get in touch with him if you want to learn more.
There were numerous other presentations of note as well. Daniel Palacio of 2-factor authentication (2FA) company Twilio highlighted the biggest reason for implementing 2FA for a cloud service: that no matter how secure that cloud is, users are still human, and they frequently duplicate their credentials. So a very insecure cloud service somewhere may give up the credentials needed to access your secure cloud.
In another session, Vladimir Jirasek of the U.K. chapter of the Cloud Security Alliance hit upon the theme I discussed before going to the show—that you can design system architectures in a secure way, independently of deploying security technologies themselves. He provided two general requirements for cloud security, and called the alignment of enterprise and security architectures the harder one. Seeing as the easier one was cloud service discovery—which is really quite a challenge!—I guess it’s fair to say that there is much fruitful development to be done in this area.
In the end, what I came away from these sessions and others concluding was that, while the overall framework for security may not differ much when applied to cloud as when applied to any other realm in IT, in practice cloud sure does seem to complicate things. I think we have two strategic weapons at our disposal to address this. One, obviously enough, is simplification: security tools that are straightforward in application but connect with each other as desired, so the multiplying parts bind into fewer or singular points of control.
Ramsés pointed out the other strategic weapon: holism, which he defined as a system being greater than the sum of its parts. Not all connected security systems are holistic by definition. But when they are, they multiply your power to control risk and remediate incidents. And so, by driving towards simplification and deploying holistic systems, you may have the counterweight you need to manage and secure your cloud.