Cloud is… secure?

Having recently made the move from working for IT services vendors for many years to working in a corporate IT department, I am having to re-orient the way I think about a lot of things. One aspect that is great, though, is finding out that some things that I have believed to be true are now proving themselves to be completely correct — despite the hype often present throughout the IT industry. (The many things I’ve been wrong about we’ll delicately sweep under the carpet…)

In my new role I am seeing real-life cases of business units being able to innovate faster, accelerate towards their strategic goals, and scale to customer demands in ways they just couldn’t have done previously, all by using cloud computing. I am coming across previous cloud sceptics who have now realised that having a lot of the daily maintenance tasks that used to consume their time provided automatically as part of a broader cloud platform service is actually freeing them up to do more productive and innovative tasks. But the biggest surprise of all was finding IT security professionals — working in what many people would negatively describe as a “regulated” vertical — who were completely open to using cloud computing!

For years I was led to believe, almost religiously, that there was no way InfoSec professionals in regulated industries would allow corporate applications to reside in a public cloud. “They just couldn’t,” I was told, with an aura of disbelief at even the utterance of such an absurd idea! But it just didn’t seem to ring true with the rest of the facts. Almost every story of a security or data breach that made it to the press, and there wasn’t a shortage, seemed to reference internal datacentres or careless use of mobile devices. Where was all of the data that was surely pouring out the back of the public clouds going to, and why was no-one screaming about it? And how on earth were the big cloud vendors claiming such growth when they were only being used for test/dev workloads, or by developers that were going rogue on their bulging personal credit cards?

Instead I found an Information Security team that realise that not only is it possible to apply security standards and controls equally across datacentre and cloud, but that in many instances it is both simpler and cheaper to apply the required security controls in a cloud environment. Why invest in, deploy, maintain, patch, and power separate solutions for each aspect of your security requirements onsite, when in the cloud you can often ‘check a box’, select a few configuration options, and you’re done?

The idea that cloud is inherently insecure is fast going the way of the mini disc — it seemed a great idea initially, but has been quickly proven to not be the case. But more than that, I think it’s probably now simpler to secure your data inside a cloud platform than it is outside. And I’m not even trying to sell you anything anymore!

Gordon Davey (@GordOnCloud)