These Apocalyptic Assessments Of Cloud Security Readiness Are Irrelevant…
There are voices raging in my head thanks to the battling angel and devil sitting on my shoulders.
These voices echo the security-focused protagonist and antagonist perspectives of Cloud Computing adoption.
The devil urges immediate adoption and suggests the Cloud is as (in)secure as it needs to be while still providing value.
The angel maintains that the Cloud, whilst a delightful place to vacation, is ready only for those who are pure of heart and traffic in non-sensitive, non-mission-critical data.
To whom do I (or we) listen?
The answer is a measured and practical one that we know already because we’ve given it many times before.
Is the Cloud Secure? That’s a silly question. Is the Cloud “secure enough” is really the question that should be asked, and of course, the answer is entirely contextual.
My co-worker, James Urquhart, wrote a great post today in which he summarized quite a few healthy debates that are good for Cloud Computing as they encourage discourse and debate. One of them relates to the difference between the consumer and small/midsize business versus enterprise as it relates to Cloud adoption. This is quite relevant to my point about “context” above, so for the purpose of this discussion, I’m referring to the enterprise.
To wit, enterprises aren’t as dumb as (we) vendors want them to be; they seize opportunity as it befits them and most times apply a reasonable amount of due care, diligence and evaluation before they leap headlong into course corrections offered by magical disruptive innovation. There are market dynamics at play that are predictable and yet so many times we collectively gasp at the patterns of behaviors of technology adoption as though we’ve never witnessed them before.
Cloud is no different in that regard. See my post regarding this behavior titled “Most CIO’s Not Sold On Cloud? Good, They Shouldn’t Be.”
When I see commentary from CEOs of leading security companies (such as RSA’s Art Coviello and even my own, John Chambers) that highlight security as an enormous concern in Cloud, I urge people to reflect back on any of the major shifts they’ve seen in IT over the last 15 years and consider which shoulder-chirper they listened to and why.
Suggesting that enterprises aren’t already conscious of what the Cloud means to their operational and security models is intellectually dishonest, really.
We’ve all seen convenience, agility and economics stomp all over security before and here’s how this movie will play out:
Cloud will reach a critical mass wherein the technology and operational models mature to a good-enough point, enough time passes without a significant number of material breaches or outages that disrupt confidence and then it becomes “accepted.” Security, based upon how, where, why and when we invest will always play catch-up. How much depends on how good a job we do to push the agenda.
The reality is that broad warnings about security in the Cloud are fine; they help remind and reinforce the fact that we need to do better, and quite frankly, I think we are. So we can either chirp about how bad things are, or we can do something about it.
The good news is that even with the froth and churn, there is such a groundswell of activity by many groups (like the Cloud Security Alliance and the Jericho Forum) that we’re seeing an unprecedented attempt by both suppliers and consumers to do a better job of baking security in earlier. The problem is that many people can’t see the forest for the trees; expectations of how quickly things can change are distorted and so everything appears to be an instant failure. That’s sad.
Of course Cloud Security is not perfect, but in measure, the dialog, push for standards and recognition of need (as well as many roadmapped solutions I’m privy to) shows me that our overall response is a heck of a lot better than I’ve seen it in the past.
We’re certainly still playing catch-up on the technology front and working toward better ways of dealing with instantiating business process on top of it all, but I’m quite optimistic that we’re compressing the timeframe of defining and ultimately delivering improved security capabilities in Cloud computing.
In the meantime, the compelling market forces of Cloud continue to steamroll onward, and so these apocalyptic assessments of Cloud Security readiness are irrelevant as we continue to see companies large and small utilize Cloud Computing to do things faster, better, more efficiently, cost effectively and with a level of security that meets their needs, which in the end is all that matters.
At the same point — and this is where the devil will prove out in the details — execution is what matters.
/Hoff
In the end it is all predictable, isn't it? Companies will integrate Cloud strategies and manage security to that 'good-enough' level. CapEx/OpEx/Bottom-Line cost are king. Initial adoption will be with those parts of the business that can survive with current security capabilities and provide a superior cost model. As you said, Contextual.
Longer term Cloud will force new thinking on software architecture to ensure availability and resilience in the face of single infrastructure failures. Guess what? Enhanced Cloud security will be part of that new software architecture.
But for now I suspect many of today's early Cloud adopters are still adjusting to Cloud thinking and as such opening security holes. Maybe that is the more important issue.
Good and sensible post, Hoff.
Thanks,
Sridhar
+1. Excellent. In the future, I'll just point people to this post, and say, "Talk to the hand. This conversation is long since over." 😉
I was wondering where you got the picture of the devil and angel on the man's shoulders. Is it in the public domain? Thank you. Linda