Security in the cloud is very important. Clearly there are individuals today who are using the public cloud for their own benefit as users and as consumers, but also for business reasons. But when you start to look at enterprises there are two questions – one is ‘am I secure and how do I prove I’m secure’.
It is the biggest potential issue when people start to migrate to cloud computing. We’re obviously in a migratory stage and will be for a number of years as we move from physical to virtualisation and private cloud or hybrid models.
In order to make sense of that and answer the question of ‘am I secure or compliant’, businesses need to step up their security strategy to deal with realities of virtualisation and cloud computing.
Is the glass half full or empty? On the one hand you are more agile and can move your data around at the push of a button and that’s fantastic, but from a security point of view that is quite risky and opens you up to new kinds of risks.
Virtualisation doesn’t mean that hardware disappears
We are doing a lot of work with managers on their journey to the private cloud. There are three stages where it goes from being business critical apps to IT as a service. We would be doing a lot of work to split the security journey to the cloud to three stages and start by migrating the security infrastructure controls, access controls to wrapping security policy around the information as opposed to the device the information currently resides on.
Clearly it is still important that firewalls and access are still secure, we will always have that infrastructure to secure our data. Virtualisation doesn’t mean that hardware disappears.
Because the data requires a security policy specifically around information, we will have to not only manage the device, but put in policies around the location of the device, so it might migrate to whether a document can be opened in the EU or not, for example.
That advantage of virtualisation and cloud – agility, power, flexibility – could be lost at a touch of the button if a strong policy doesn’t exist around the data itself.
The challenge is not only ‘how do I move my business to the cloud’, but ‘how I manage security and policies in the cloud environment’.