For companies, cloud computing is a small revolution in how computing is viewed but also fresh cause for concern, in the same way as those infections that take root between your toes: they crop up, you treat them and you think they’ve disappeared, until they resurface a little while later...
For businesses, cloud computing applications are more or less the same thing as athlete’s foot or other fungi: employees sign up for cloud services on their own accord, without informing the security manager; in fact, the latter is deliberately left out of the loop: it wouldn’t do for them to go poking around in things that are none of their business.
if you can't see the video, click here to watch it on YouTube directly
According to Doug Toombs, Senior Analyst at Tier1 Research, this change must be supervised as it is now too late to stop it.
underlying motivation: quick to implement, documentation and costs
For corporate departments, improving productivity and flexibility is all about being more responsive when implementing the necessary resources and systems for achieving their objectives. For years (or even decades) now, IT departments have been imposing unrealistic deadlines combined with costs worthy of the most extravagant swindle.
Another reason is the fact that there is no equivalent of external cloud services within the company. Alternatively, those external services are simply better documented and clearer than their internal equivalents. Admittedly, some internal services are of good quality, but the documentation for them is often a bit scant, out of date or even virtually obsolete... and woe to anyone who speaks up and says what everybody is thinking anyway!
Before the arrival of the cloud, company departments were (pardon the expression) a little “incestuous.” Thanks to cloud computing, they now have a choice: IT departments will thus have to adapt and evolve, and security departments will, too.
a matter of fact, a trend that cannot be stopped
Signing up for cloud services is quick and easy: all you have to do is go to the website and enter your corporate credit card information. The most popular cloud services fall into the categories SaaS (Software as a Service), PaaS (Platform as a Service) or even IaaS (Infrastructure as a Service).
Rather than cutting off internet access (completely unrealistic) or filtering access to cloud services (when will we see a “cloud services providers” option in URL filtering systems?), the trend is more towards utilizing an increasing number of IT service providers. IT and security departments are thus obliged to keep up with this trend and monitor it if they want to maintain their status and continue to be respected.
prepare and be ready for the future
IT departments, assisted by security departments, must take a balanced view of things and provide guidance for their companies during this transition towards cloud computing.
Without wanting to rub anyone the wrong way, my opinion is that security departments are more used to “accompanying” projects than IT departments are. Using cloud services without thinking things through can indeed be dangerous for a company. There are two keywords here: conformity and continuity.
French companies that process data are required to ensure that that data remains secure and stays within the borders of the European Union (or within the territory of a country recognized as offering “sufficient protection”). Since not everyone is aware of these regulatory requirements (European Directive 95/46/EC), security departments have a legitimate role to play in steering a company (without trying to oppose it or necessarily seek to implement other solutions) towards a supplier capable of meeting this need to ensure data remains within a predetermined list of countries.
Similarly, it should be ensured that the service provider’s technical support teams are located in familiar countries. And it's not only the data that must be located in specific data centers - the persons accessing that data remotely must also be in known locations.
French law states that the end client must be informed when personal data concerning him is liable to leave the European zone (or a “recognized” country), and this must be set out in the service agreement.
Services such as PaaS for applications or to operate virtual machines in the cloud are often used because of the rapidity of their implementation, to meet occasional spikes in workload or to speed up developments or tests.
For each of these scenarios in which cloud services are used, it is essential to ensure that the activities in question can be shifted to a different supplier from the one originally selected (if the original supplier were to cease trading, for example).
Similarly, a company can begin a project using the cloud services of a third party and then ‘re-internalise’ the project to a private or community cloud.
If reversibility issues are not addressed and resolved during the initial phase of subscribing to the service, going back to them later may be prohibitively complicated and in some cases impossible.
In any event, it is important to ensure that data can be successfully recovered in a reusable format.
For IaaS, this is done by including the option of recovering full back-ups of the virtual machines involved (in a hypervisor-specific format or alternatively as OVF files).
The issue is not a new one with regard to PaaS – the statements recently exchanged between Google and Joyent (“Google Cloud Services Criticized by Jason Hoffman”, 21 August 2011) about Big Table are a good example of using standardised (or at least non-proprietary) techniques, to avoid the otherwise inevitable ”locked-in syndrome.”
flexibility and accompaniment
The ball is in the court of IT and security departments: cloud computing is here to stay and is set to become even more widespread, as it offers these departments the agility they need. The Japanese proverb “Snow never breaks the willow’s branches” is a good illustration of the behaviour to adopt: flexibility and accompaniment are the keys to a successful transition to cloud computing.
crédit photo : © raven - Fotolia.com
Au sein de la direction sécurité du Groupe Orange, je suis en charge de la veille sécurité et de la sensibilisation à la sécurité. Franchise, optimisme et bonne-humeur sont mes moteurs quotidiens