The Need to Adopt a Business Systems Approach to Cloud Security


Posted: November 15, 2016 | By: Larry Clinton

Joni Mitchell’s beautiful lament from forty-five years ago is timely today as an apt description of the unspoken truth of many enterprise managers who have put their corporate IP and other data “in the cloud.”

“I’ve looked at clouds from both sides now. From up and down and still somehow, it’s cloud illusions I recall, I really don’t know clouds at all.”
“Both Sides Now” — Joni Mitchell

What could be a better explanation for the stunning finding of the 2011 PricewaterhouseCoopers Global Information Security Survey which found that 62% of the information security experts polled had “little or no faith in the security of the cloud” – including 49% who had already put their information there? [1]

One major reason for this remarkable finding may be that right now many enterprises are not looking at cloud computing from “both sides,” but rather only at the “up” side of such a deployment, without fully appreciating the “down” side.

The result is that cloud deployments may provide the illusion that they are “solutions” to an enterprise’s IT issues. They are not. Cloud deployments, which in many cases may be wise and even necessary options, are tactics that must be understood and analyzed from a full business systems perspective. In short, we need to look at clouds from both sides, now.

The Digital Imperative to Reduce Security

What could prompt presumably reasonable and competent corporate managers to knowingly place their corporate data in a place where they have little or no faith in its security?

Money.

Of course, making money is the primary job of most enterprises. Moreover, the pressure on enterprises to be efficient and profitable is only magnified by the increasingly competitive world economy.

By now virtually every enterprise of even moderate size has plowed into its business plan the efficiencies and growth opportunities related to digitalization, such as improved product and personnel tracking, remote workforces or web-based marketing. However, many organizations still fail to account for the downside of the digital revolution – cyber security.

In fact, despite seemingly continuous reports of more, and more severe, cyber attacks, recent surveys have documented that many – perhaps most – enterprises have been deferring or reducing their investments in cyber security in recent years. [2]

Trading away security considerations for the efficiency and economy benefits of digitalization is not a phenomenon confined to the emergence of cloud computing.

For example, deploying unified communications (UC) platforms such as Voice over Internet Protocol (VoIP) yields substantial cost savings, but “while unified communications offer a compelling business case, the strength of the UC solutions in leveraging the internet is also a vulnerability. Not only are UC solutions exposed to the security vulnerabilities and risk that the Internet presents, but the availability and relative youth of UC solutions encouraged malicious actors to develop and launch new types of attacks.” [3]

In addition, business strategies that optimize customer intimacy and supply chains require companies to connect to vendor and customer networks. While tighter integration with business partners provides clear business benefits, it also means the ability to defend against attacks depends on your partner’s or customer’s security capabilities and policies.

As CIO Magazine reported when analyzing the 8th annual PricewaterhouseCoopers Global survey, “customers want to spend their money on-line and use more fancy apps to do it…So you have to guard against vulnerabilities attackers can exploit to steal your customer’s private data and core assets….Increasingly complex business relationships are forcing you to give outsiders access to your internal systems. You need protection from an attack against a business partner that might spill over to your network.” [4]

A similar issue arises with respect to cloud computing. By now the efficiency and economy benefits of cloud options are well known: you pay only for what you need; there are potential cost savings within your own IT department; computer time takes the path of long distance telephone service (free computer time for everyone); new business models emerge; and venture capital assumptions change, since there are fewer upfront capital costs for computing!

Just like VoIP a few years ago and the ongoing extension of IT supply chains, cloud computing has emerged as one of the hottest developments in information technology, largely driven by perceived economic benefits ranging from cost savings to efficiencies. [5] And like the VoIP deployment and extended network relationships, security may be undermined because of competitive pressures driving these cost-efficient strategies.

The security issues inherent in moving to the cloud have also been abundantly debated – at least in IT circles. As with any large issue, broad generalities are questionable. At least for some, such as many small and mid-sized firms that were not spending substantially on their own security, movement to the cloud may well enhance security by providing them access to systems and personnel they could not previously afford.

Regardless of the pro-security arguments of cloud advocates, the current consensus is to be wary of security in the cloud. Although cloud services may seem fairly straightforward to the user, they are actually fairly complex relationships, not only between the client and the vendor, but possibly among several different vendors. Applications that had previously been managed from behind a corporate firewall may now be exposed over the Internet and out of the control of the data owner. Indeed, determining exactly where your data is may be quite difficult in a cloud configuration, raising new and as yet unanswered problems not only for data owners but for regulators and law enforcement.

So-called “insider threats” are also more challenging, since rogue subscribers can buy their way into the cloud and launch their attacks with a level of system access that would have been prevented in traditional models. This possibility leads cloud providers to resist sharing details about their security and privacy procedures, thus making it more difficult to receive the security assurances that an organization might require from a traditional IT provider.

Perhaps it is not surprising that even the US federal government, driven by its own increasingly demanding financial requirements, has announced a “cloud first” policy targeting a full quarter of federal IT spending – 20 billion dollars – for migrating to cloud computing solutions while acknowledging, but not resolving, the security issues. [6]
