If cloud adoption from a business perspective were easy, this blog wouldn’t exist. Nor would the thousands of other tireless folks working to advance cloud standards, from compliance to security to data and resource integrity. Yet when the businesses that do bravely go into the new cloud world get anything less than perfect, they face criticism from the entire IT community. Is this why we are seeing resistance to moving to cloud in many organizations? And what does this mean for the future of the cloud industry?
I’m not stating anything new when I say one of the biggest hurdles to cloud adoption has always been security. Cloud is complex enough from a business transformation perspective, but the minute you start getting into the security aspect the learning curve seems to spike. Why is this?
One thought is that the availability of security professionals who can comprehend the abstraction that comes from securing virtualized/cloud environments simply doesn’t meet the demand.
When I wrote the Cloud Computing Security Knowledge certification (CCSK) 2 years or so ago, the Cloud Security Alliance was still a fledgling organization. The overall response from the security industry seemed to be “with virtualization, they can hack into a shoebox, there’s no real threat that wouldn’t be covered by traditional security.”
While to some extent I can see where this rationale comes from, the reality is that the minute you remove the hardware from everything (as is the case with virtualization), controls that assume a physical host don’t help much.
My favorite analogy for this problem is that traditional security and cloud/virtualization security are two vastly different things. It’s like the difference between the Grid and the real world in TRON: Legacy (yes, the Disney movie). What controls and affects entities in one doesn’t necessarily have any bearing on the other.
So, getting back to the problem of early cloud adoption: if organizations are required to be experts at all things security when they adopt cloud, even though these controls are still somewhat in development (at least from a standardized methodology perspective), how can we be so critical of the folks who are trying to help figure out what works and what doesn’t?
Case in point: NASA has been a big proponent of the OpenStack movement. An article came out this morning calling out the issues of security they face with their cloud deployment model.
The answer? President Barack Obama called for measures to beef up cybersecurity across all agencies. It’s like saying “hey, make that product better and cheaper,” while keeping in mind that entities like the NSA still exert significant influence over all of these organizations.
This just doesn’t work. Organizations are terrified of getting called out, just as they are afraid of being the latest victims of privacy breaches. Telling them “you’re not doing a good enough job” isn’t going to help unless significant funding is invested in building the companies that can specifically address these issues. Yes, I know such entities exist, but the landscape is still piecemeal, with everyone touting how they are the best choice. Again, all we are doing is adding complexity and distraction from the real problem: education on cloud and the cybersecurity around it.
But all is not grim and bleak. There are many great entities out there trying to solve this problem, from the creation of new cloud compliance standards like ISO/IEC 27017 to the tireless work of researchers and volunteers associated with causes like the Cloud Security Alliance (I was happy to be an early research lead myself on the topic of SIEM in virtualized environments).
This, folks, is where the standards and best practices need to come from. The problem is that the constant pressure on organizations to create their own virtualized/cloud environments is often too great, so they take the path of least resistance: adopting public cloud models, which may or may not be the right decision.
Cloud is still in its early stages, and while in many cases it is tempting to say “let’s leave it to them to host and manage for us,” keep in mind that no one said these cloud providers are any better than NASA at figuring out how to make this all work. Some indeed may have better controls in place, but as the latest NSA revelations illustrate, even cloud providers have their issues when it comes to protecting your corporate assets.
And for these brave early adopters: Let’s cut them some slack.