Myths and Realities of Cloud Security

Whenever the topic of cloud computing comes up, cloud security isn’t far behind. Survey after survey has shown it to be a top CIO concern, but how much of that concern is legitimate?   CTOvision’s Bob Gourley and Tom Reilly, Vice President and General Manger of Enterprise Security at HP separated myth from reality on cloud security in an interview with IDG’s Bill Laberis at the HP Protect 2011 conference on Monday, September 12, 2011.

While concerns over cybersecurity are well founded especially if an organization makes a hasty transition to cloud computing, it’s a myth that the cloud must be less secure than conventional computing. If you architect and design for the cloud, your enterprise can be more secure than ever, even when your data is going out to mobile devices.

Tom noted that current trends like cloud and mobile are major IT transformations and such transformations always bring new risks, just like the transitions from mainframe to client servers, then from client servers to IP addresses, and finally web applications.  Each shift has come with increasing risk, but due to the tremendous business benefits the IT industry has adapted and faced the new challenges. With cloud computing, we’re doing even better by designing security into the new platforms rather than waiting for threats and reactively adding in security measures. This helps the IT industry overcome its concerns by designing cloud to be inherently safer than current platforms.

To achieve this, CIOs and CISOs must change the way they think. Bob Gourley advocated treating security as a discipline so that designers can think it through fully when switching platforms and creating cloud and mobile solutions. Tom Reilly reiterated designing security into the cloud, so that organizations adopt the cloud because of, not despite, security.  Some examples of this are making the cloud transparent so that you have visibility into a multi-tenant environment to see how your operation is being conducted.  Applications for the cloud should have their vulnerabilities designed out before they even reach production, and there needs to be research into possible attacks on a cloud environment. The key, Reilly notes, is that, as a multi-tenant environment shared by several divisions or corporations, the cloud can have more invested into security than any single division or corporation has in its current platform.