Security in the Cloud – A Primer for IT Leaders
Last week, our Chief Technology Officer John Wondolowski announced in his latest blog post the exciting launch of our new enterprise IT security practice. We look forward to offer our capabilities to add value and bring peace of mind to all of our valued clients (especially in light of the recent security-related incidents involving prominent firms such as The Home Depot, Anthem, and Sony Pictures).
As CIOs and other key IT decision makers grapple with the “identity crisis” brought on by the rapid shift to/proliferation of cloud infrastructure solutions; as well as an evolving view of the strategic role of the IT department within an enterprise—we want to take this opportunity to dig a little deeper into cloud security and share with you what we’ve been seeing and hearing in the marketplace.
In the latest Cloud Survey Report, KPMG reported that data protection and concerns about potential breaches represent the biggest barrier for companies to fully embrace the cloud. Some of these fears and concerns are valid—and expected—given that cloud is such a new paradigm for the everyone in IT and has fundamentally changed the way IT departments are run. But there are also many unfounded fears—simply because some information and applications are no longer within the perimeter of a company’s own firewall. Here at CMI we believe that IT decision makers and information security leaders shouldn’t panic. They should embrace the cloud as a unique opportunity to dramatically improve the way the overall enterprise IT security is managed and ultimately delivered to end-users and customers.
In order to capitalize on this opportunity, client organizations need to rigorously assess their current on-premise environment (the status quo) and ask tough questions such as:how is user data being accessed and monitored? What’s working? What needs to be improved? What would the improved environment look like in the cloud? What’s the level of control you ultimately want to have? As the illustration below depicts, it is a shared responsibility and existing enterprise IT security best practices can and should remain.
Cloud infrastructure providers such as AWS and IBM SoftLayer offer data protection and regulatory compliance (HIPAA, PCI, etc.). Both have invested heavily inrecent years to cloud security —on the data protection side as well as on the regulatory compliance side as industry-specific organizations are subject to certifications/accreditations such as PCI, HIPAA, ITAR, etc. They work with their most security-conscious clients to build a security profile that would meet the security requirements of everyone on the platform. Brendan Hannigan of IBM’s Security Systems Division, stated in a recent interview, that “we have the ability to deliver virtualized cloud environments or bare metal cloud environments. The customer can choose to leverage security capabilities that are built into some of these functions or actually bring their own security functionality and extend from the enterprise into the cloud. We have now delivered composable services so that companies, as they’re developing applications, can connect with our identity as a service. This allows them to leverage APIs and just connect that application’s functionality. Another example is leveraging application security techniques and having them available in the cloud as well. They can be initiated in a cloud to test application components as they’re delivered.”
For AWS, they’ve not only devoted significant resources to Multi-Factor Authentication (MFA) products/services, but have also invested heavily in automation in common security practices; as well as ubiquitous encryption—providing more customer control over that encryption. AWS wants to ensure that “we give our customers tools to help them make good security decisions.” Furthermore, there are a number of great SaaS-based tools out in the marketplace that help companies enact policy-driven governance in the cloud and build effective business process approval workflows in the cloud—all designed to quash unauthorized use, waste, and the proliferation of “shadow IT.”
As seen with the recent breaches, no security strategy is 100% effective. Companies should work with a trusted and proven cloud security partner that offers solutions based on their specific needs. We believe that all of the controls that you would expect that a security practitioner would put in place from a best-practices perspective can be mapped to cloud environments. Everything from access to user monitoring, to visibility and data activity monitoring can all be extended into the cloud!
Here at CMI—our experienced security experts and cloud solutions architects can help you and your organizations become not only more agile in building out the IT infrastructure of the future, but also maintain industry-leading security that’s committed to data protection and regulatory compliance. We’re excited to continue our cloud journey with all of you here in 2015.
If you haven’t already, we encourage you to subscribe to CMI’s monthly ‘Cloud Tips’ email to see our key learnings and best practices in the cloud. Please fill out this form (hyperlink here) if you’d like to subscribe. Please also feel free to contact (hyperlink here) any one of us here at CMI if you’d like to continue the conversation and let us know how we can help your organization progress along the cloud journey!
Director, Regional Manager