The use of the term “cloud” to describe global, offsite, computing and storage technology is apt for a number of reasons; not all of them good. The metaphor succeeds largely when people visualize their data hovering over their heads, no longer tied to a single location, and consequently easy to access from anywhere. But there are other parallels with actual meteorological clouds, specifically their soft, amorphous shape. This causes problems in perception and definition, which naturally lead to potential difficulties with security.
David Shearer, CEO of cyber, information, software and infrastructure security certification and education body (ISC)2, points out that the enthusiasm or pressure that companies feel to build their businesses quickly into the cloud can potentially lead to a fundamental weakness. “The easier it becomes to purchase cloud solutions,” he says, “the easier it is for organizations to get ahead of themselves. Business lines within a company can easily acquire cloud-based services, and the fast time to acquire and provision cloud services is extremely attractive. Any organization would be crazy not to take advantage of that.” Shearer points out, however, that when a company elects to leverage cloud solutions and services, management needs to be smart about it; and part of that includes proper and continuous security measures:
“As recently as a few years ago, security was looked at as a hindrance; something that got in the way. In these situations, sometimes bad things needed to happen for people to pay attention. In the C-suite, if nothing else, CEOs and CxOs are losing their jobs for a perceived lack of due diligence and lack of strategy to protect a corporation’s intellectual property or personally identifiable information – and that gets people’s attention. Increasingly, what is needed is better communication between those actually responsible for making security work, and the C-suite.”
In addition to the lack of clear comprehension of cloud in the executive office, there is also a similar disconnect throughout other levels of business.
Adam Gordon is an author, subject matter expert and instructor at (ISC)2. He illustrates a significant challenge to cloud security being the definition of cloud itself. “There’s a great interest in anything and everything cloud,” he says, “but the problem is, as individuals and as businesses, we don’t always understand what cloud means. As a result, there tends to be a gap, where consumption is a lead indicator and security is an afterthought.” It is ill-defined in many people’s minds, Gordon adds. “Many people look at it as a marketing slogan or a marketing solution, but they don’t really get it. As a result, I think one of the biggest issues that we face, as security professionals in the cloud, is the idea of how to create a common ground in terms of what it is we are talking about and how we will frame conversation around risk, liability, security, and things that go with that.”
Yet a third challenge to effective understanding of the cloud is the change of mindset needed, especially among managers and decision makers who spent their early years in the company of mainframes, dumb terminals and internal networks. For many, there is a pervasive, almost instinctive sense that data and computing systems are physically safer when they exist inside the actual walls of a company where they can be seen and touched. The notion of storing data on someone else’s computer somewhere in the world just does not feel right. The truth is that data is generally safer when transferred to the vaults of a cloud organization whose sole mandate is secure storage, but adherence to ideas from an earlier age is a very human attribute; one that never fully disappears.
Finally, there is the relatively new phenomenon of mobile employees who see their smart devices as their office, and who expect to use them at home, at work, and in public spaces like coffee shops and transit terminals, accessing Wi-Fi connections with little thought as to security. This soft, boundary-less setting has a direct parallel to actual clouds. Where, after all, does work-related security begin and end, when the device being used shares storage space and connectivity with personal files and pursuits? Adam Gordon worries that enabling individuals to work productively in these non-traditional environments with equally non-traditional capabilities and platforms opens up a collection of unknowns in terms of security and the individualized approach to data.
The softness of the cloud reinforces the need for a new type of security specialist; someone with the experience and wisdom to stay on top of a fast changing environment, and with the skills to communicate the necessary directives to the Executive as well as to the rest of the IT team. This is the reason behind the development of the CCSP designation. The cloud will only continue to grow in size and versatility. Successful usage must involve a sound and ongoing security strategy across all levels of operation.
For more on the CCSP certification from (ISC)2 please visit their website. Sponsored by (ISC)2.
By Steve Prentice
