One of the first risks enterprises face when moving to the cloud is "rogue" cloud services set up by internal departments that were not sanctioned by IT.
"There is just a sense that departments can go around IT to adopt cloud services, particularly software-as-a-service, going around the IT organization and buying just about any service you wish," Ramsey says.
Consider, as a simple example, a product development group that seeks a collaboration program that would let it exchange files, maintain version control, conduct group whiteboarding, and perform other collaborative functions among the team. The group requests the functionality from IT, and learns that it could take six months, or longer, to deploy. The team then immediately starts to look at cloud providers, and finds a SaaS solution that can be running right away and billed at a low operational expense.
While easy to make, such moves can place the enterprise at considerable risk. First, the platform may not be as secure as the IT team would require. Second, regulated or confidential information may start being collected off site and in a way that wouldn't pass a regulatory audit.
Experts say this is why it's crucial to help companies understand what risks exist in the cloud not only from a technical perspective, but from an operational perspective as well. "Any way solution providers can help organizations improve governance when it comes to cloud systems will be welcomed," says Ramsey.
"They have to design their processes to make certain that security is included in the beginning, instead of at the end of any decision-making process. That can be as simple as requiring the legal department, during their services sign-off process, to require a security evaluation of any service being contemplated," says Ramsey. "That way, security can get involved in the process early."
Those processes need to be in place whether a company is moving to a public cloud, or a private cloud that they will run themselves in-house or outsource to a services provider.
"If there's a regulatory control over the data that says that the organization can't manage certain types of data in a multitenant environment, then a public cloud is out of the question," says George Reese, founder and CTO of cloud infrastructure management firm enStratus Networks. "It then becomes a question about whether they'll move that data to a private cloud model, or if it will stay in the existing data center," says Reese. "What aspects of the IT enterprise can move to cloud is one of the first decisions that needs to be made," he says.
Then, when it comes to security, the question is whether the enterprise can keep the data secure, or at least ensure that the cloud service provider is able to do so and is doing so.
"What's interesting when discussing cloud security is that we are not talking about any new security concepts. We're talking about what we've always done with essential security practices," says Ken Biery, principal consultant, governance, risk, and compliance services at New York-based Verizon Business. "They still have to have good access control, maintain least privilege access, harden systems, effective change management, protection against malware, in addition to all of our other security controls," says Biery.
The challenge becomes how customers replicate the controls that are in place in their traditional data center.