Alan Radding, Big4.com guest blogger
Your own book is the best way to build a consulting practice; ask me about ghostwriting your book
You can get a sense of the cloud security complexity challenge in the Deloitte Cloud Computing Risk Intelligence Map. In its own survey of CISO’s IBM found 86% of those surveyed say their organizations are now moving to cloud and of those three-fourths see their cloud security budget increasing over the next 3-5 years. Does that spell opportunity for you?
There is no doubt that better cloud security is needed. In a recent IBM CISO survey, 44% of security leaders said they expect a major cloud provider to suffer a significant security breach in the future; one that will drive a high percentage of customers to switch providers, not to mention the risks to their data and applications. Cloud security concerns have long been one of the biggest impediments to organizations moving more data, applications, and processes to the cloud. These fears are further complicated by the fact the IT managers feel that much the cloud providers do is beyond their control. An SLA only gets you so far.
Although cloud outages are much more common than major security breaches, they do occur. Sony probably is the most recognized. “We have discovered that between April 17 and April 19, 2011, certain PlayStation Network and Qriocity service user account information was compromised in connection with an illegal and unauthorized intrusion into our network,” Sony said in a blog post by Sony at that time.
There is no magic bullet for solving the cloud security challenge, not magic software or hardware appliance that can be deployed or plugged in and be forgotten. But that’s what makes it such a potential opportunity for consultants. The basics are straightforward, just three steps. As IBM notes, all you have to do is:
- Guard and manage access
- Protect data and applications
- Enable easy visibility into the systems, applications, and data residing into the cloud.
Just three steps but far from simple. Cloud security presents to you and your clients a complex, multi-dimensional puzzle requiring different layers of integrated protection. It involves not only people, data, applications, and infrastructure but also mobility, on premise and off premise, structured, unstructured, and big data. This used to be called defense in depth, but with the cloud and mobility the industry rapidly is moving far beyond that. IBM introduced its own cloud security portfolio yesterday.
At the same time you and your client still need to guard against the common vulnerabilities both in the cloud and on premise. Again, as IBM pointed out recently:
- Absent, or poorly conceived, security design
- Too many users with the ability to circumvent controls
- Inadequate attention to Monitoring, Alerting, Reporting
- Inattention to the management and use of system services
- Excessive access to utilities that allow bypassing of security policies
- Shared resources between environments (such as Development, Test, and Production)
- Lax access controls allowing users elevated privileges
- Poor data management practices concerning access to data, copying of data and reuse of data
If there was a magic bullet it would be analytics and, more specifically, real-time analytics. In terms of security analytics you need to collect a wide range of information from operating systems and myriad point products, secure and mask data and systems, and perform vulnerability assessment in conjunction with rigorous auditing and reporting.
Of course, this will require an investment on your client’s part in tools and consulting services. This is where you have to put on your salesman hat and convince the client of not only the value of cloud computing in the first place but also of the importance of implementing real time intelligent security and analytics to protect their assets in the cloud. The CISOs in IBM latest survey expect to increase their budgets over the next 3-5 years to confront this situation. You want to be part of that action.