While cloud computing is far from a magic bullet for all your data storage and security woes, organizations are enjoying meaningful benefits in the form of cost-efficiency, on-demand scalability, heavy upfront capital shifted to recurring operational expenses, augmented resources and skills now at their fingertips, and more.
The predecessor to cloud, shared/multitenant computing, goes all the way back to our early history of using mainframes, including time-sharing, virtual machines and remote access. Cryptography and encryption techniques are nothing new to us; they’ve been used repeatedly throughout history. Some of us may even be old enough to remember the now-retired subscription-based hosted frameworks, such as Compuserve and Prodigy, and email and portal frameworks such as [email protected] Today, these all could be referred to as cloud-based software-as-a-service (SaaS) offerings. So what makes today’s shared computing frameworks different?
First of all, it’s plainly too expensive to maintain brick-and-mortar frameworks today compared to eliminating all such costs through shared hosted environments. We’re seeing this not only in enterprises, but also in consumer-oriented areas such as retail. By moving to the public cloud, organizations can focus on the core competencies supporting their specific business model. The interesting twist is that many non-IT businesses today, with their considerable investments and IT overhead, now appear as though IT is their core business.
We can agree that shared computing models are now widely accepted culturally, and it has become difficult to justify holding onto costlier on-premises models. This is especially true when you consider the indirect cost of maintaining data centers and consistent challenges in scaling and aligning resources and finances to demand, which increases and decreases periodically.
To facilitate wider acceptance, the remote access barriers of yesteryear have been removed. We’re all happy to have evolved from slow, dial-up remote access to our high-speed internet access from myriad devices. In fact, there’s likely no recognizable difference in performance from a consumer’s point of view between on-premises access and remote access. This will keep us all in multitenant computing models for many years to come. So where’s the rub?
With high-speed remote access to shared multitenant computing environments comes increased risk. I’ve heard several chief information security officers (CISOs) indicate that cloud computing has widened their attack surface to all in the public testing their fences. Leaning on a false sense of — as I like to call it — “security by obscurity” is no longer an effective strategy.
While cloud customers are entrusted with and liable for the protection of confidential customer information, the cloud provider controls much of the security. In fact, providers often do not disclose their security controls or open them to audit. Doing so is considered an unnecessary risk; for example, openly sharing details about their architecture and security products could expose known vulnerabilities and attack surfaces to threat actors (there’s that outmoded idea of security by obscurity once again). While the cloud provider is responsible for physical security, business continuity, disaster recovery and network security, additional security controls and responsibilities shift depending on the type of cloud service model chosen.
Before diving into who owns what and when, let’s think about the fundamental security responsibilities you are entrusting to the cloud provider. Remember that you as a cloud customer carry the ultimate liability for securely maintaining your customer’s confidential information, and you make the final call on whether it should be maintained securely on your premises or placed elsewhere.
