A recent GigaOM study predicts the total worldwide addressable market for cloud computing to reach $158.8B by 2014, an increase of 126.5% from 2011. The cloud is so pervasive, it’s even made it way to my Sunday afternoon football viewing in the form of good (and bad) commercials. Here’s a classic… let me know if you think it fits the former or latter category. I find it interesting that “the cloud” has transitioned from something that can help IT contain costs to an effective tool for enabling business agility and scalability. At the same time, cloud security concerns are dwindling, as cloud providers have matured to provide more security in their own offerings and be more definitive about their customers’ security responsibilities. If you’re considering a move to the cloud, two of your first questions should be:
- 1. Does my business need security in the cloud?
- 2. What’s my responsibility?
The high-level answer to the first question is really straightforward: Basically, if your business has sensitive data, falls under a compliance mandate, wants to instill additional confidence in your customers, and/or wants to avoid a breach, security must be a foundational component of your cloud adoption process. For a more detailed answer, you need to consider how much of your business you’ll move to the cloud, where data will “live”, how vulnerable you are to attack, and other factors. Depending on those answers, you may need more/less security in different areas. For the second question, most cloud providers make it fairly clear. The cloud provider is typically responsible for everything below the hypervisor layer, while the operating system, application, data, network and activity within your cloud infrastructure falls under the responsibility of the application owner/business owner (you). I think the cloud provider though still has some responsibility to help you ensure the appropriate security posture. Some things I recommend you look for in a cloud provider:
- • What are their standard security offerings and what are the optional and/or third-party cloud security offerings that are certified to work on their environment?
- • Look into their certifications. Are their datacenters and/or staff security certified?
- • Do they provide services or is it just the infrastructure and where are companies such as yours going when they move to the cloud?
- • Do they provide visibility into their cloud? A good example of visibility is the AWS CloudTrail service recently released by Amazon Web Services that gives you the ability to trace all activity made through AWS APIs.
When it comes to security, not all clouds are created equal nor are all applications fit to work on every cloud. Determine your compliance and security requirements based on your application, your customers, your standards and risk of exposure as well as compliance mandates. Factor these decisions so that you can map out your path to the cloud – a path that lets you realize the benefits of scalable virtual infrastructure while maintain the security and compliance controls that protect your business.