Keeping Security Relevant - From Control to Governance in the Cloud

On today's Converged Cloud chat (Twitter hashtag #ConvCloud) we touched on what I think is a sore subject for many of the Information Security professionals in organizations where cloud computing is becoming more than just a whisper in the hallways. When someone mentions public cloud you can quickly see the polarizing effect the topic has on someone in an information security role: most of the folks who responded on Twitter (and yes, I know this is a small sample) had a very negative reaction to the idea of putting anything corporate in the public cloud. What does that mean for the future of information security and risk management practices in the corporate world?


Look, we already know that businesses will go to cloud computing, or utility computing, or compute as a service, whatever you call it, whether IT fully embraces it or not, because business need drives it. The big question is whether the hard push-back from IT Security groups is causing any more of a rift in the business-security relationship than we had previously. In my opinion, there is a very real chance it could. At the heart of the issue is the potential devaluation of Information Security at the core of the business as a result of 'not getting it' when it comes to cloud computing.


Cloud computing is still a nebulous term, but basically what we're talking about is a virtualized, elastic, shared infrastructure environment where security is not under your control but under the control of the provider. What I think this collapses down to is three questions: choice, consistency and confidence. Let me explain why these are relevant, and then wrap up with why I think Information Security professionals need to wake up, or find themselves on the outside looking in.


  • Choice - Choice means having the ability to choose providers, services and infrastructures without having to re-engineer your entire platform. In order to have choice you first need to standardize on a platform which is uniformly implemented and used across multiple providers and which can be implemented internally on your private cloud as needed. Choice means being able to move your workload from public cloud A to public cloud B without any heartburn: no re-engineering, re-architecture or re-development. Minimal disruption to the business; for Information Security professionals, minimal disruption means that security policies and configurations move with the workload or virtual machine. Remember, Information Security brethren, that even though you no longer control the security of the public cloud, you still govern the policies that move with the workload, and you can gain assurance that they are being implemented appropriately through your relationship with the vendor.
  • Consistency - You can't get choice without consistency, and you can't get good security, or minimize risk, without consistency either. Consistency is all about how you approach these converged cloud environments where your public and private clouds collide; the only way to be even reasonably assured of their security posture is to have consistency across the whole environment space, public and private. Remember, when an environment you directly control collides with an environment you do not control, governance is the only way to have any reasonable assurance of 'security'. Consistency across both environments, or across multiple environments (for example, by standardizing on OpenStack), means that you can have portability of workloads AND of security policies.
  • Confidence - Here we are at the heart of it all. The business wants confidence in the cloud it is buying into and in its ability to perform. Security is just one small component of that overall confidence, but if you're a member of information security this is your entire world. Confidence to many folks in Information Security means being able to have control ... and control simply doesn't exist in the way we traditionally think of it anymore, nor does it make sense! Confidence requires that you have levels of assurance from your providers and a way to verify those levels of assurance, but you probably won't be able to touch the technical controls that make those levels of assurance possible. This is a key issue.


What's critical is that security professionals must pull themselves away from the need to have direct, hands-on control over every aspect of the security of their business. In fact, I would argue that this control was a myth to begin with, but perhaps we've not seen it that way.


Security driven by traditional thinking and an outdated control-centric mentality is going to push us back to the days of "no", when IT (or, more accurately, security) was known for its constant stream of "no" in reply to business need. Over time the business learned to simply ignore that no, do it anyway, and then force security to compensate around the execution ... I feel like we're headed there right now. Business is going to do cloud, public and private, whether we approve it or not, because it's good for business. Cloud computing helps reduce costs, get to market faster and be more agile in strategy, and when all is said and done this is how a business makes money and thrives. Security teams have two options. The first is to adopt a governance and risk-based strategy and form an advisory relationship with the business, one which helps minimize the risks of bad public clouds that don't provide choice, consistency and confidence. The second is for Information Security to simply become devalued (again) and fade into irrelevance.


It's going to happen, one way or the other. Not to sound too cheesy, but the choice is yours if you're in an information security capacity today: you can either adapt or fade away. I have confidence, and to be fair I am already seeing a lot of this, that the better, broader thinkers will adapt and move on, and the rest will be relegated to ... I don't know, something less meaningful I suspect.

Labels: cloud security
Comments
Olivier Saudan(anon) | ‎05-04-2012 01:42 AM

You mention that by going to the cloud, security is not under your control anymore. This seems to be quite a common agreement, but I believe this to be fundamentally wrong. By going to the cloud, you lose control over only a small part of security. Agreed, you will not have control over the network, firewalls, the hypervisor, data storage etc. anymore. But you still have control over the rest: overall architecture, applications, identity management, patching, detection, to name a few.


Now, look at the latest DBIR report (for example): how many breaches were linked with network issues? 2%. Two percent. What this means is that network security is now largely irrelevant. Reminds me of this blog by Gunnar Peterson: http://1raindrop.typepad.com/1_raindrop/2011/09/dont-hit-the-snooze-button-on-diginotar-alarm-bells-... (especially the nice table). In the years of SQL Injection and bad patch management, if you're focusing on network & hypervisor security, then you have it all wrong and are irrelevant, cloud or not. Wake up!


I will now postulate that this irrelevance (focusing on the wrong risks) is a large factor pushing businesses out of your perceived control, to greener pastures (the cloud). So much so that they actually knowingly accept real business risks (e.g. dependence on a provider) for that - proof that the added agility is a key value for them! Which brings us to the conclusion: it is vital that infosec now gets approached from a business risk management perspective; best practices don't suffice anymore.


Speaking about business risks, with the business, is the only way to stay relevant. In fact, the move to the cloud is a tremendous opportunity to do exactly that, and become relevant again. A new train is about to leave; now is the time to jump onto a wagon. Otherwise you will stay on the platform, wearing a 90s uniform, wishing you were driving a train, and cleaning dust off network equipment that nobody is using anymore.


@secolive
