The barrier to cloud security isn’t the technology

The barrier to cloud security isn't the technology

Joey Lu

You want solid cloud security, so you work to find the best approach and technology. But that won’t get the job done.

The truth is that competent cloud security technology is available, and most IT organizations’ cloud teams are good at finding and using it. But cloud IT doesn’t exist in a vacuum, so having the right approach and technology alone won’t secure your cloud operations.

[ The cloud storage security gap—and how to close it. | 5 ways Microsoft has improved SharePoint security. ]

To achieve solid cloud security, departments across IT need to come together, both those that focus on legacy and those that focus on cloud computing.

In reality, this union has proven to be difficult. Why? The people down the hall are dead set against you driving change.

In many instances, the groups that build and deploy clouds are decoupled from traditional IT. They have no formal relationship with traditional IT. However, to have effective cloud security, most traditional systems need to be included In the design and deployment.

The weakest security link is typically where the breaches will occur. The security of your public cloud-based systems may be almost perfect, but your traditional systems provide a side door to those systems. Attackers will focus on those often inadvertent side doors—and so should you.

In my work with Global 2000 enterprises that deploy cloud computing security, I often find huge holes on the legacy side through techniques such as penetration testing. It’s bad enough that the legacy IT systems have such holes, but it’s worse when those legacy IT systems connect to cloud systems, as they often must, and undermine in-place cloud security.

When I ask my IT clients charged with ensuring cloud security about the issues, the response is always the same: So-and-so in legacy IT would not allow me to update his or her security, or they would otherwise decline to cooperate in ensuring security across the systems.

That kind of culture is dangerously shortsighted: If we don’t get together on this stuff, all of the enterprise’s security will suffer.

I have very little patience for those who draw lines within IT, then dare others to cross it. In these days of devops, agile, and open source, we need to understand that IT is a holistic endeavor. Adding cloud computing to IT is even more reason to think about synergy. The wrong concern is turf; the right concern is effectiveness—enough said.