Evaluate Cloud Security Like Other Outsourced IT

By Susan Richardson, Manager/Content Strategy, Code42

Now that business cloud usage is ubiquitous, you’d think we could get past all the hype around cloud security, and just start treating the cloud like any other IT platform that needs a rigorous, well-rounded security strategy with appropriate access controls, encryption, you know the drill.

But as with any new technology (like those newfangled steam locomotives traveling at a record-breaking 15 mph that will almost certainly make it impossible for passengers to breathe), it takes awhile for reality to catch up with our fear of the unknown. So let’s take a deep breath, take off our doomsday-colored glasses and look at cloud security from a realistic perspective:

Security concerns are sensationalized

You can find plenty of surveys that say security is the top reason holding companies back from adopting cloud solutions. A Cloud Security Alliance (CSA) survey found it to be the top reason for a whopping 73% of unadopters. But those cloud Luddites only represent a tiny fraction of the overall business-computing universe. Most surveys put the holdout percentage between single digits and 15%, so 73% of those companies only represent about 11% of all businesses. Not exactly a headline-grabbing statistic. And, once a company adopts the cloud, those fears diminish over time, according to a RightScale study.

Your S&R team may be good, but it’s not that good

Even if you’re the most conscientious security and risk professional, with a talented staff and company leadership willing to invest adequately in security, your team simply can’t match the resources of the top cloud service providers (CSP). Is your data center secured with biometric scanning and advanced surveillance systems? Do your practices stand up to the stringent security requirements of certifications and accreditations such as SOC 1, SOC 2, PCI DSS, HIPAA, FERPA, FISMA and others?

At the 2014 Amazon Web Services (AWS) Summit, the company’s Senior Vice President Andy Jassy was quoted as saying that even with a substantial investment, the average company’s infrastructure is outdated by the time it’s completed.

“With on-prem, you’re going to spend a large amount of money building a relatively frozen platform and implementation that has the functionality that looks a lot like Amazon circa 2010,” Jassy said. “It will improve at a very expensive and slow rate vs. being on something like AWS that has much broader functionality, can deploy more people to keep iterating on your behalf, keep evolving and improving the technology and platform.”

Been there, done that

Forgetting some things from the 1990s is permissible. Dial-up modems and Furbies come to mind. But have we already forgotten all the data processing, servers and networks that we started outsourcing to third parties in the ‘90s? The trend has continued, with IT outsourcing budgets marking healthy increases over the past decade, according to a 2015 CIO Outsourcing Report by NashTech. The sooner we start treating the cloud as a viable form of outsourcing that requires appropriate security controls, the sooner we can all breath a little easier.