For organizations of all sizes, in 2014 the cloud emerged as a critical part of the default consideration set when implementing any new application – in large part due to the cloud’s proven ability to handle data storage and processing demands in an elastic manner, improved verifiable standards around data security and service reliability, and lower overall total-cost-of-ownership.
As we move into the New Year, below are eight big-picture trends in cloud computing for 2015.
Cloudy days ahead. Despite the continued incidence of cyber threats and attacks – including the latest against Sony – the market remains optimistic towards the cloud, especially as companies grow and economies scale. Applications spanning HR, sales automation, and governance, risk and compliance (GRC) will become even more widely adopted in the cloud in 2015, a view shared by independent technology and market research company Forrester Research. There is a robust and rapidly growing cloud subscription market, and organizations are continuing to take advantage of pay-as-you-go models, a new norm in the cloud world.
Organizations are continuing to put more and more data in the cloud. With so much critical and sensitive data all in one place, comes increased risk. Some still remain skeptical as to whether existing cloud safeguards are adequate and sufficient. But rest assured – in 2015, we will see unprecedented resources and brainpower used to further strengthen and secure the cloud. While we may see more cyber threats and successful attacks, we will also see the industry rally in response, united by its mission to build bulletproof organizations, and with it, bulletproof clouds.
Big cloud and data storage players such as Amazon and IBM have thought about information security from the ground up. This includes everything from the staff, training programs, tools and processes that are needed to run truly world-class cloud and data storage centers. Today, strong information security programs are paramount for every organization and every industry, but even more so for banks and financial services institutions who face increasingly stringent compliance requirements and scrutiny from the regulators. Banks and financial services institutions have led the way when it comes to building out centers of information security excellence, and they are well on their way to ensure that all of the proactive and remedial measures are in place to protect against information security threats today and into the future. We will see similar stringent norms being adopted by other industries too, particularly those with large exposures to customer data and multiple customer touch points. The usage and integration of newer technology trends such as mobility, big data and real-time computing will also be brought into the information security paradigm in order to make it more robust and fool proof.
Broadly speaking, there are insufficient industry standards when it comes to baseline information security. In large part, across industries, everything remains fragmented, and organizations are focused on issues of the moment, such as information leaks, or privacy breaches, rather than bigger picture risks. We need to see organizations and industries get past their current challenges and think more proactively about the future. Cloud vendors, in particular, have realized the need for greater industry standardization when it comes to information security, and the Cloud Security Alliance, and ISO will likely spearhead continued developments in this regard.
It’s a short step from a review to an audit. IT organizations will continue to ask, on a more frequent basis, for a review of their cloud accounts, what information security incidents have occurred, and how they were addressed. Similar to an audit, handling information security incidents requires visibility and transparency. Let’s say a company has put its entire Enterprise Resource Planning (ERP) in the cloud. Each known information security risk for each operation must be classified by its criticality, which then drives the frequency of the review. There will also be more frequent and random spot checks, just like audits. The IT organization will be on the sharp lookout to ensure their cloud providers are able to proactively identify, assess and mitigate risks.
Currently, cloud providers offer a set of accounts to a company, who then distributes the accounts to its employees. Companies are increasingly asking their cloud providers for more data about their cloud accounts, such as who is using these accounts, and in what capacity. Due to several recent high-profile cases, we will continue to see greater scrutiny around which employees have access to these cloud accounts. Critical questions are also being asked, such as: if an employee is no longer with the company, either through termination or change of roles, whose responsibility is it to ensure their account is immediately terminated? In 2015, we will see more robust segregation of duties, greater assurance regarding the rights to use an application in the cloud, as well as new restrictions around employee access to data and applications operating on a “need to know” basis. We will also see more real-time access management, dynamic rights allocations and revocations, and other such features playing a bigger role to ensure the sacrosanct of information.
Automatic robots are continually testing applications for availability and performance. In the same way, once security testing is added to the robots’ protocol, this becomes an important new metric for management, who are asking for trending heat maps with green, yellow and red assurances for security, just like they are used to seeing for availability or performance. In 2015, automation will continue to change how we test for information security — testing that was previously done on an ad hoc basis will become more systematic and automatic. “Pen testing” (penetration testing), which consists of programming a hacker to break into an application, is done infrequently, but I predict there will be more automated frameworks to “hack my app” in the coming year. The most sophisticated and security-aware companies will want to frequently bombard their cloud systems, and they will ask for contractual agreements that permit ongoing and real-time information security testing.
Mobility, cloud computing, social media and Big Data have become central to a company’s competitive advantage. As such, we will continue to see greater prominence of organizational positions that are related to and connected with the organization’s data. More and more companies are creating a Chief Data Officer role, with the actual title depending on the company and the industry. This position will work hand-in-hand with other key C-level roles, including the Chief Risk Officer, the Chief Compliance Officer, and the Chief Digital Officer.
By Vidya Phalke
