Cloud computing has been a hot topic for the best part of the last five years. And security considerations have been at the heart of many cloud discussions throughout. However, the context against which many Cloud decisions are made is changing.
Evolution, not revolution
It is wrong to regard Cloud Computing as something fundamentally new or revolutionary: The IT industry has a long established tradition of re-inventing itself and Cloud Computing – on its own – is just part of another cycle, which has come with considerable marketing and hype.
The expression 'The Cloud' in itself is misleading: This is not one single concept, but a range of diverse services packaged in different ways:
- From a service perspective: SaaS, PaaS, IaaS, etc.
- From a control and governance perspective: Public, Private or Hybrid Clouds
Those products and services are not new in themselves and have in fact been evolving and consolidating for the last 10 years.
And behind the hype, there is no 'Cloud'; it’s just the same old IT !!! … i.e. Datacentres (they burn!), Networks (they break!), Hardware (it fails!), Software (it contains bugs!) and People (they make mistakes!)
But nevertheless, the decision-making landscape against which CIOs have to make Cloud decisions has changed dramatically since 2011
From Cost-Cutting Vehicle to Enabler of the Digital Transformation
Back in 2011, Cloud services were still seen as alternatives to in-house equivalents. Those alternatives were seen as cheaper while offering greater scalability and flexibility. Cloud decisions were essentially financial ones, taken against the backdrop of fairly standard IT decision-making processes. While IT commoditization was seen as bringing real advantages in terms of operational & financial efficiency, CIOs 'just' had to put all aspects into perspective and base Cloud decisions (like most others) on a balanced risk and rewards analysis. Security was just one parameter in this equation.
Over the past five years, the digital transformation has taken centre-stage in many firms, together with the convergence of a number of technology streams (Big Data, Internet of Things, Robotics, Artificial Intelligence). Cloud services have become the real engine at the heart of the digital transformation and have become the only cost-efficient way to store and process the gigantic volumes of data generated (and required) by new digital services. Today, Cloud decisions are business decisions driven by the need to select the partner that will best enable or complement digital services.
Security in the Cloud: What needs to be done?
In this new context, the risk profile of security incidents is totally different, and security measures must take center stage.
Enormous amounts of data are going into the Cloud, practically without any reasonable cost-efficient alternative:
- Data which might be considered innocuous at first, but cumulatively or over time, could acquire sensitive attributes.
- Data over which customers already have, or may one day have, a sense of privacy.
- Privacy which is being enshrined in more and more diverse, and more and more stringent legislations around the world.
At the same time, cyber attacks have become more and more common as the 'market' for stolen data expands.
As always, good practices around outsourcing and third-party risk management are key and will go a long way to protecting any organizationsin the Cloud but they have to be in place.
There can be no short-cut or magic technical or legal trick: This is not just about 'data residency' or 'right to audit' clauses in contracts. Key is to establish the basis on which informed Security decisions can be made, taking into account all relevant aspects in relation to the data going in the Cloud and its sensitivity, including the genuine chain of liabilities beyond each Cloud arrangement.
'Security in the Cloud' must be examined in a structured way with all key vendors, never taken for granted (either way), and periodically re-examined. This is now a fundamental matter of data protection for most firms.