Security Experts:

Fear and Loathing in the Cloud

Don’t Reject Cloud Technology Out of Unfounded Fears... 

On a hot afternoon a number of years ago, I was sitting in a management training session as the session leader drew a chart on his whiteboard, representing the lifecycle of a company. There was a steep upward growth curve in his illustration, indicating the gains in traction and customers that an organization goes through. Invariably, at some point the growth curve peaks and then flattens, as if hitting a ceiling. This is a crisis point, where the company's tried-and-true way of functioning has been stretched to its limit.

Companies that are ultimately winners are able to weather this crisis, to recast what brought them their initial success into something more refined, effective, and profitable. It might be a change in senior leadership, or perhaps a redefinition of the business model. And, of course, those companies that are unable to break through this barrier wither and usually fail.

The ability to transform and adapt is perhaps the most essential business survival skill one can learn. Longevity implies the capacity to persist through and overcome challenges, often big ones; it implies a tolerance for risk, a willingness to accept change, and the vision to remain essentially true to who and what defines the enterprise in tumultuous times.

The canonical example of this is Apple. It was often thought to be on the thin edge between existence and collapse; the same can be said for nearly all of the Dow 30 companies. American Express, 3M, Verizon, and most of the others have had to reinvent themselves to remain viable, often repeatedly.

What brings this to mind is an article I read this morning, where the author claimed that with regard to cloud computing, the primary goal of IT is to “maintain control of information.” It brings back the image of an executive reaching a plateau in growth and insisting that the way forward is to simply do more of what used to work. It represents a sort of intellectual laziness; while technically accurate, it misses the opportunity to advance that is at the heart of the crisis.

“Maintaining control of information” is not a business objective of any real value. Instead, it is a reaction to a perceived threat, that of the exposure to unauthorized access to protected information and the costs of a breach. In mistaking the avoidance of something negative for a proactive goal, this particular author misunderstood how and where the cloud is serving to transform business across the industry.

What is so exciting about the cloud is the ability to quickly draw new connections and discover new ways of creating value for customers. In its 2013 survey (PDF) of global implementation of cloud technologies, KPMG found that only 30% of respondents saw loss of control as a key impediment to their adoption of cloud technology. Even fewer – a mere 26% – saw security issues as a key challenge. While cost reduction was the most often cited advantage of cloud implementation, respondents also identified business process transformation, entry into new markets, and improved alignment and interaction with customers as key objectives in their efforts.

The report went on to note that, “business executives are starting to fully appreciate the potential transformative value that cloud can bring to the enterprise. And, having experienced some of the immediate benefits of the cloud, many are now starting to look deeper into their operating models to see how these advantages can be extended into the wider enterprise.”

When we hear of security breaches like the Target credit card hack, we get an increased sense of exposure. We need to put the context back into the headline, however: the Target hack was not a cloud security breach. A network-level exploit was involved, but so far as the investigation has gone, it does not appear that cloud-based services were involved in the original data loss or used in any way to transmit the data that was stolen.

IT managers focused on protecting technology infrastructure would do well to assess whether cloud service providers have better security systems in place than their own corporate IT resources allow. Indeed, it is this “shared service” dimension that provides for one of the greatest advantages of cloud technology: you don’t have to build your own. Specialists have done it for you.

Control in and of itself doesn’t equate to safety. The right answer for protecting information security is a lot more nuanced than moving everything back into an on-premise system, and it certainly doesn’t involve exclusively encrypting every piece of data and hoping that the keys in use remain backed up and secure. Research in the field suggests that instead, security technology needs to take a leadership role in ensuring that end-users are aware of their responsibility for protecting private information. Use multiple layers of security based on the sensitivity of the information at risk. Get your security policies right. Use detection systems to identify hacks before they get into the vault.

Most importantly, don’t reject cloud technology out of unfounded fears. Cloud technology is already redefining businesses, and those that fail to embrace and extend it across their organizations are likely to find only a long flat line in their future.

Gil Zimmermann is co-founder & CEO of CloudLock. Prior to founding CloudLock, he was an Entrepreneur-In-Residence (EIR) at Cedar Fund. He has held key business positions in both small and large companies (Backweb, Sun Microsystems, EMC Corporation), beginning his career in the Israeli Defense Forces (IDF) with several technology leadership positions in the Military Intelligence Elite Computer Projects Unit. Gil has a High-Tech MBA from Northeastern University, and holds a double major BA in Computer Science and Philosophy from Tel Aviv University, and is a graduate of MAMRAM (Israeli Defense Forces’s elite software engineering program).