The consumerisation of IT has brought many changes, and with it the proliferation of cloud computing - but what does that mean for us as security professionals?
Firstly, let’s address what we mean by the cloud. Put in its simplest terms, the move to the “cloud” is a change in service model: moving from using your own (or rented) equipment that you can see and touch to paying for a service that delivers the desired experience.
In a more traditional computing environment, you would buy servers, install operating systems, configure services and let users connect to these services. You would run all this equipment from expensive data centres that are designed to provide power and connectivity day and night, and would pay a small army of staff to keep all this running. In this model you know exactly what hardware you bought, which operating system it's running, how it’s configured and where it all is, and you gain a high level of comfort and assurance from all that.
However, it is easy to see that once you have invested in a vast infrastructure, the economies of scale come into play. Companies like Microsoft and Google were among the first to offer "Cloud Services" to consumers by delivering their own email experience. Users got an email address and could access it anywhere in the world through a web browser. Until that point, personal email was either provided by your employer or by some internet service providers - usually at a cost.
The cloud model
In the cloud model, users do not know which server in which data centre on which continent is delivering their service; they only care that it is delivered to their expectations (usually expectations of speed, availability and capability). In a cloud model, you wouldn’t care what computer, operating system or application delivers the end experience, you just care about receiving the service.
So the cloud service model was born. And as time has gone on, more and more companies are offering services. Most consumers use a good number of them. Today, cloud computing delivers your personal email, social networking, hosts your web site, enables videoconferencing, synchronizes your phone, tablet and computer and backs up your data.
Today's biggest cloud providers include Microsoft, Google, Amazon, Facebook, Twitter, Apple, WordPress, Dropbox, Carbonite, Symantec and Salesforce. What is surprising is that even companies as large as Microsoft recognize that their future lies in a service-oriented model and that their transition to becoming a cloud provider is essential for their survival.
For businesses and consumers alike, the move to a service-oriented model holds many benefits, including cost, scale, and resilience.
What about the risks?
With the changes in how we acquire and deliver IT services comes a change in the risks we face. Some of these risks are "Who has right of access to my data if your company fails?", "How do you assure availability against Denial of Service attacks?" and just as importantly, "In which countries do you operate, and where will my data be hosted?"
This brings with it one of the largest changes in risk to our business - legal jurisdiction. Most cloud providers operate a global business. They do this to balance the load on their resources and deliver services quickly to customers around the world, improving user experience. However, while this sounds like great news for consumers, it is not always so great for companies that need assurance, for compliance reasons, that their data is held in the same country in which the company operates.
Recently, we have seen the development of hybrid environments, so-called “private clouds”, which couple the benefits of owning the data centre (such as assurance and control of where your data is – which is important for legal compliance) with the cost and scalability benefits of the service-driven model.
So what does all of this mean for the security profession?
Solutions delivered in a cloud model are typically sold "off-the-shelf". This means that providers are usually not able to uniquely customize and tailor solutions for each customer in the same manner as a traditional in-house deployed solution. So as security professionals we need to better integrate with our commercial and procurement teams so that our organisation is ready to ask the right questions from the very beginning. And we need to have strong assurance and audit teams in place to make sure we are getting what we bought in the first place, and that it is actually delivering the control and assurances that the business needs.
As security professionals, we need to learn new skills, and learn how to change and adapt to a shifting landscape. We need to work ever more closely with commercial and legal teams, integrating into the process of procurement and contract negotiation rather than focusing only on our technical skills and abilities.
It’s a brave new world where we still have a critical role to play - that of enabling and securing the business in a world changing at pace.