Security – the elephant in the room
There's more to cloud services than meets the eye. Cloud expert Ben Kepes explains how the cloud can transform your business.
I remember sitting in conferences nearly a year ago and talking about cloud computing. I continually heard from organisations about their decision not to run any of their IT on the cloud, citing concerns about security and making blanket statements like "everything cloud is dangerous, everything on-premises is safe".
Luckily we've moved on from those days and the discussions now are a little more sophisticated. But that's not to say that the conversation around security is no longer needed - organisations are rightfully thinking hard about security, data sovereignty and governance. So what advice can I offer?
First, let's tell some home truths about cloud computing. I've visited some of the biggest data centres in the world and they are truly incredible. One data centre in Las Vegas, that hosts a number of public cloud vendors' hardware, literally has armed guards circling the building in armoured vehicles 24 hours a day. Even the smaller cloud data centres have amazing levels of security - highly restricted access, full biometric security systems and massive levels of redundancy with spare power, communication and HVAC infrastructure.
Now let us compare that with the typical set up of your average Kiwi business - we're talking a dusty old server or two sitting under a desk somewhere. Even the larger private facilities in New Zealand cannot hope to replicate the level of security or redundancy of the commercial players.
Not only in terms of infrastructure, but also in terms of personnel. If you're an average-sized enterprise in New Zealand, your core business certainly isn't running a data centre - the chance of you being able to employ the most skilled security and technical staff in the world is limited. But if you're a technology vendor, your core business absolutely is providing IT infrastructure, and you also have the economies of scale to be able to afford the best of the best when it comes to staff.
All things being equal then, cloud computing is as secure, or likely more secure, than on-premises infrastructure. But there are still things to think about for organisations moving to the cloud - principally data sovereignty and governance.
Data sovereignty: Some organisations, especially in the public sector, have a legal or compliance requirement whereby data needs to be located within New Zealand. For these organisations there is no option other than to go with a local vendor. But the important thing for them to remember is that potentially not all of their data needs to be local. It may be quite possible to follow a hybrid approach and keep the data that needs to be local here in New Zealand, but push other, less sensitive data, off shore. Organisations looking to do this will be aiming for a vendor that can really support a hybrid approach towards IT.
Governance: IT still has an important role to fill to ensure security and compliance, but to do so they need to have visibility and transparency over what is happening within their IT infrastructure. A broad platform that allows management to happen across all of an organisation's infrastructure, not just one part of it, will help IT to deliver on its compliance requirements.
There is one final point that I cannot stress enough: security is absolutely a partnership between the customer and the vendor. True, a customer doesn't need to think about data centre security or redundant power supplies - they should have done their due diligence and research to ensure that the chosen vendor supplies all this. But ensuring good procedures within the organisation is still incumbent upon them. Strong password protection, solid systems to track employee actions, and proper policies to ensure new employees are on-boarded effectively (and leaving employees off-boarded) are all steps that IT needs to think about and resolve.
The cloud can be as secure and reliable as an organisation needs - but in order to be so, IT needs to think about what they need to do, and the buying decisions they make when moving to the cloud. IT departments need to consider security in terms of a comprehensive strategy when moving to cloud.
In our next and final article, we'll give IT practitioners some advice as to what they can do to ensure they have a rewarding and challenging career as the industry moves into the cloud.