Back in January Christian Verstraete and I did a tandem post on an article we had read and thought was a bit ridiculous and was over-selling the whole of cloud computing. Now, back then we just decided to put to rest the misconceptions that the article we were addressing was representing so this time around we're going to write up a few reasons (from each our own perspectives) on ways that it does make sense to 'sell' cloud computing to your senior management. Now, Christian's a smart guy and he looks at things from a senior management perspective, namely from the eyes of the CIO - but my viewpoint is slightly different and rather from the CISO perspective.
It's one thing for a CISO to advise senior management on the threats and technical risks of a cloud strategy - but it's another thing entirely to hear a CISO talk about and try to convince senior management of the benefits of a cloud strategy. Because Christian and I talked about our perspectives beforehand we knew the things we each feel strongly about so I'm going to add on to some of his perspective and throw in a few things of my own for good measure. For the record, I think there has never been a better time for an organization to get into cloud computing ... as the industry matures from something only the cool kids got on board with to a computing paradigm that provides advantages to nearly every type of organization we come to realize we need to get on board or get left behind.
So here we go, matching up with Christian's post here are the real advantages of cloud computing from an Information Security perspective.
Agility & Responsiveness
Information Security has long been accused of slowing down the business process. Whether it's releasing an application that's vital to the business, standing up new servers to support a rollout of services, or provisioning access for a critical new employee - security has long been complained about as the component that makes everything else slow. When we think about cloud computing we can think of security as getting a bit of a gentle push, or shove in some cases. Because of the way that components are built and billed as 'services' instead of individual components, and with the increased emphasis on automation - security has real chance of not being the roadblock.
Since traditional IT has always bolted on security (and I hate that term as much as you do) the security folks were always last to the party and always had a reason why everyone should stop and rethink. Cloud computing, and perhaps more accurately, elastic virtual computing gives us the ability to architect and build security in once and then have that capability templated from there on. This wasn't easily done before - it was possible, but it wasn't easily done. Through service templates, reusable virtual machines, and other capabilities we can simply drag-and-drop our virtual compute environments on a digital whiteboard and by use of pre-built templates the back-end system does the work - no speed bumps or last-minute 'whoopses' needed ... usually.
Productivity arguably shoots through the roof when non-IT people can provision and de-provision their own compute resources according to pre-set policy. When the bottleneck of over-worked IT is removed, automation can make sweet symphony in your data centers (or in the 'cloud') where projects no longer wait weeks for hardware to be requisitioned and set up ... now they wait minutes to get a virtual console!
I'm thrilled to say that I've witnessed situations where security just gets out of the way and really cool things happen. When there isn't the ability for everyone to make changes, or tweak buttons or have servers under their desk security teams can get away from being police officers of the enterprise and increase their productivity while actually doing interesting things with their time. The rest of the enterprise workforce benefits by not having security looking over their shoulders and messing with their productivity. Templates are wonderful, and service catalogs are the best things since sliced bread, believe me.
At the forefront of what cloud computing gives us is innovation. Enabling innovation is key, and doing that without some sort of black magic can be tricky. Letting your staff be their creative selves isn't easy to do with security in mind, but if you scroll up a bit you'll realize that I've already set up innovation through increased productivity. When security is built-into the IT fabric ideas can flourish in their technical incubators. Think about the capability to bring up and tear down virtual compute environments, and to play with massive data sets (don't look now, but I'm hinting at "Big Data" here!) all while not having to worry about whether you've applied the right security controls because the answer is a consistent "yes".
Innovation can live and die by flexibility, and flexibility is enabled through smart security which is not 'bolted onto' projects and infrastructures at every turn. Cloud computing doesn't guarantee we're going to do security right, but it gives us a great new opportunity ...should we choose to take advantage of it.
No one wants to work on dinosaur technologies. Having a cloud strategy makes your organization attractive from a talent perspective because it demonstrates a vision into the future. Security folks are showing interest in cloud computing at a rapid clip - so this means that if you want to attract and retain top Information Security talent you need to be thinking cloud. I don't want to mislead you into thinking that I believe that a primary reason to rush into cloud computing is to retain your staff - because it's only a secondary benefit. Having a cloud strategy, and a security strategy around cloud adoptions, demonstrates willingness to move into the future and adapt new technologies. Employees like new and cool, I think I can safely end that discussion here.
Faster Decision Making
You know what's really cool? Increased agility for your business through faster decision making is becoming a reality through Big Data - and particularly the vast amounts of unstructured data out there on the Internet. Making decisions about what markets to enter, which products to launch, and how to approach your customers requires crunching incredibly vast amounts of data in near-real-time. That sort of capability was ordinarily reserved for those data warehouse dinosaurs of old, which are now being replaced by cloud-powered 'big data' engines.
What security has to do with all of this is once again acting as an enabler. Technology shifts to cloud-driven elastic computation farms wouldn't be possible without good security build into the infrastructure. There is another view on this.
From the security perspective, cloud computing is required for faster decision making. Imagine the fluctuations in data processing and storage requirements as your enterprise goes about its business. Having data collected from everything from your IPS to a database server logging query times is critical to understanding the security of your environment - and being able to make a split-second decision on whether to terminate or allow a particular transaction. Faster decision making requires flexible and on-demand available compute power - that's a core benefit of cloud computing.
Incredible New Analytics Capabilities
Let meask you something. Do you have all the computational power to make use of all the data your environment is putting out? When you add 200 new servers, can you handle that capacity of logs? Can you handle the up and down capacity changes in your enterprise? If you can't you're giving attackers the upper hand. I'm not trying to sound alarmist or sensationalist, I'll leave that to the professionals, but leaving data unprocessed is leaving intelligence on the table un-analyzed. You can't rationally expect to do that with the compute capabilities you have today, and you're certainly not going to be able to spin up and tear down physical systems fast enough to meet up/down load requirements.
If I could offer some advice for companies moving into cloud strategies - it's that you should be ready to share and consume the incredible amounts of data that will be available to you. From your providers, from your changing landscape of applications and virtual systems, and from all your physical gear - you need to be able to crunch that data to find patterns, trends and those slightly different needles in a stack of needles. The capability we have available to security teams today means that hosting your SEIM or SIRM on a traditional server platform can be silly if you are anticipating capacity fluctuations.
Be smart, take advantage of vast amounts of computational capabilities available to you to understand the security of your environment better - and only pay for what you use, not what hums along wasting power, space, and cooling capacity.
Can you sell your senior leadership on the security-based benefits of cloud computing? I think so. I think that there's a great chance that you can illustrate the power you have available before you, and the capabilities you have for 'doing it right' this time and getting away from the tired and busted perimeter-based security models into something more sane, more intelligent, and more ready to take on tomorrow's IT.