After my previous blog post about Amazon Web Services, a few people nervously asked me about cloud security. Can we really trust our data to a public cloud?
I suspect the anxiety many IT people feel about cloud computing is related more to job security than data security. Cloud poses an existential threat to the IT department, particularly the support teams who run data centers, rack servers, and monitor networks. They work hard 24x7, but they can’t compete with big cloud providers on speed, scale, elasticity, or cost.
So, in desperation, data center techies beg their information security brethren to throw them a lifeline. Surely you can stop this cloud madness! It’s not secure, right?
The security people are sympathetic. Moving data and applications to a public cloud means losing some control, and that’s scary. Many cloud risks are real. But the cold reality is most corporate data centers operate less securely than Amazon, Google, IBM, or Microsoft clouds.
Some corporate data centers will be swept away in the cloud wave. You can stand against the tsunami and drown, or you can move to higher ground and see the big picture.
First learn to recognize how IT organizations go through predictable stages of cloud grief:
1. Denial: Belittle cloud computing as unreal (“clouds are vapor”) and insist it couldn’t possibly replace the corporate data center because it’s so unique (“we have special requirements”), while ignoring business end-runs (“shadow IT”).
2. Anger: Push back using strident fear-mongering (“we’ll get breached”) or counterarguments (“hidden costs make cloud pricier than on-prem”) that aren’t supported by facts.
3. Bargaining: Propose far-fetched alternatives (“we can build a private cloud that’s just as good”) or half measures (“we’ll allow limited SaaS but no IaaS or PaaS”).
4. Depression: Low morale and attrition as the realization dawns that the cloud is going to displace the data center over time, a process that probably began years ago (see Denial).
5. Acceptance: Reconfigure and retool to support cloud computing, shedding some IT jobs with glass house skills, while adding others.
An IT professional who recognizes the stages of cloud grief can keep a cool head. While others panic, you can help the business choose reputable cloud providers who bake security in, patch maniacally, log everything, and operate transparently. Partner with them to implement encryption, monitoring, CASB, SSO, IAM, SIEM, and other controls as needed.
Focus on securing the cloud, not fighting it.
Michael McCormick is an information security consultant, researcher, and founder of Taproot Security.