Security concerns are a common objection to cloud computing, and it’s a perfectly valid initial response. After all, why should someone trust shared pools of computing resources, particularly when they’re outside the organization’s control, with sensitive applications and data that could expose them to financial losses, embarrassment, damaged customer relations, lawsuits, or all of the above?
First, it’s worth reiterating the strategic business value that’s driving your consideration of Agile IT operating models and cloud in the first place. If your audience doesn’t at least appreciate the end goals and benefits, it’s going to be even harder to overcome objections. If these solutions weren’t capable of addressing some chronic and very painful enterprise IT problems (which I won’t dive into here, but you can read about elsewhere in this blog), then the IT industry wouldn’t be investing vast sums to make secure enterprise cloud computing a reality, and you wouldn’t be trying to argue for it.
Second, you should provide some context regarding the type of cloud you are considering and the sensitivity of the workloads you’re deploying. There’s a broad range of cloud tradeoffs you can make to lower your risk/security exposure in exchange for partial sacrifices in economic and agility benefits. For example, some organizations set up their first external private clouds at their current hosting providers with dedicated hardware in a locked cage using an existing dedicated network link. The point is that you can start conservatively and build trust and experience over time as you’d like.
Knowledge is the best cure for fear, and many enterprises are struggling with a big gap in cloud security knowledge. That said, there’s only so much “security knowledge” that your typical IT exec, let alone a business exec, has the patience or technical chops to absorb. If you (or your vendor and/or services partner) can explain how others have established trust in cloud deployments via real-world examples and use cases, particularly in the same industry, that’s very beneficial.
Ultimately, however, if you’re dealing with an enterprise cloud project, it’s very likely you’ll need to win the approval of an in-house security group. The rubber meets the road here. These folks typically understand that owning and controlling IT infrastructure doesn’t necessarily mean it’s inherently more secure. In fact, many times cloud security capabilities extend beyond what corporate IT has been able to implement in-house. That’s actually to be expected, because in the cloud you’re dealing with IT assets that are mostly virtual instead of physical, and with security boundaries that move with the workload instead of remaining static. That, in turn, requires greater use of technologies for automated security policy enforcement and centralized governance, among others.
In-house security teams look at more than just technologies such as VPNs, encrypted data storage, key management, HIDS, AV, virtual firewalls, backup and recovery technologies, federated identity management, policy management, etc. Those are certainly important, but they’ll also cover topics like integration with internal approval processes, auditing capabilities, monitoring and alerts, and regulatory compliance. Security technologies may vary for different workloads or environments, but getting alignment to internal processes and procedures is important across the board.
Approval from this group is invaluable, because fully embracing the cloud gets down to trust, and the best representation of that trust is when the enterprise security team says you can treat your cloud implementation as a peer equivalent to deploying it in your in-house data center. At that point, most security objections will melt away.
At ServiceMesh, we’ve hired some of the best security experts in the business who have secured global financial data centers and other extremely demanding enterprise IT environments. We’re very comfortable collaborating with other enterprise security experts. You don’t want security misunderstandings and stereotypes to stymie cloud projects, or drive bad investment decisions. To avoid that, work with a partner experienced with secure enterprise cloud deployments so you can maximize the trust, agility, and economic benefits of your project.