When I attended last month’s Gartner Security and Risk Management Summit in National Harbor, Md., I was particularly interested to hear from the analysts on cloud and cloud security. After listening to their talks, I had two key takeaways.
The first was that organizations not using public cloud say they are holding back because of real or perceived cloud security limitations, while those who are using public cloud say they chose it for the security advantages of cloud. This contradiction was clearly unexpected, but I can confirm from the #CIOChat events on Twitter that security remains the number one concern for CIOs looking to transition their firms from managing on-premises datacenters to managing public cloud.
The second thing that I learned was that public cloud users must accept that if their public cloud vendor is hacked, their keys have likely been exposed. So, in a way, your goose is cooked with AWS, Azure, etc. Or your goose may already be cooked if you don’t move your sensitive information out of your current datacenter.
In talking with #CIOChat participants, they give different answers when asked to describe their state of public cloud adoption. CIOs in the public sector, interestingly, seem to be the most aggressive in moving to public cloud. One educational CIO said that he has already moved 98 percent of datacenter loads to public cloud. Another said that she has an 18-month plan to get there. CIOs believe, however, that by 2020, 60 percent of cloud workloads will be in the public cloud. This clearly is a big step from today.
I want to suggest that there is. The answer is simply to protect your data before it is sent over the wire to the public cloud, and to do it in a way that only those who need access to sensitive data to perform their jobs can see it in the clear. So how do you do this?
The approach involves not only protecting data in transit to your selected public cloud vendor but also protecting data once it has landed in cloud storage systems like Amazon S3. You can accomplish this in a couple of different ways. First, you can protect data within its on-premises source system before shipping it to the cloud. Second, you can protect data while it is in transit or soon after it has landed. In either form, all potentially sensitive data needs to be detected and protected as the initial starting state. This is what Ann Cavoukian calls “Privacy by Default” in her book, Privacy by Design.
Once data is in the cloud you can govern it with protections that focus on how the data is used, whether it resides in a database or in S3. Regardless of where data resides, it is essential that you protect it once it leaves your datacenter. Two elements of doing this are establishing data policies and then enforcing the policy rules at every point where the data can be accessed. These rules should be built so that they enforce segregation of duties: those creating the rules should not have access to the data. Recent hacks have brought the risk of privileged credentials to the forefront, and hackers are clearly aiming at these folks. So, whether data is on premises or in the cloud, you need to protect it from release through privileged access.
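To make the two preceding points concrete, here is an added example, not code from the original post or from any vendor it mentions, that tokenizes sensitive fields on premises before a record is shipped to the cloud and then enforces role-based reveal rules at the access point with segregation of duties. The detection patterns, the token vault, the roles in `ACCESS_POLICY`, and the sample record are all constructed assumptions for illustration; a real deployment would back the vault with a hardened service rather than an in-memory dictionary.

```python
"""
Added illustration (not from the original post): tokenize sensitive fields
before a record leaves the datacenter, keep the token vault on premises,
and enforce role-based reveal rules so that only roles needing a data
class see it in the clear. The policy administrator role can edit the
rules but is given no reveal rights (segregation of duties).
All names, roles, patterns and sample data here are constructed.
"""
import re
import secrets
from dataclasses import dataclass, field

# "Privacy by default": anything matching these is protected before it is
# shipped. Patterns are illustrative, not a complete classifier.
SENSITIVE_PATTERNS = {
    "ssn": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
    "card": re.compile(r"^(?:\d{4}[ -]?){3}\d{4}$"),
}


def classify(value):
    """Return the sensitive-data class of a field value, or None."""
    if not isinstance(value, str):
        return None
    for name, pattern in SENSITIVE_PATTERNS.items():
        if pattern.match(value):
            return name
    return None


@dataclass
class TokenVault:
    """On-premises mapping token -> clear value. Only the vault ever holds
    clear text; the cloud copy of a record holds opaque tokens only."""
    _store: dict = field(default_factory=dict)

    def tokenize(self, kind, value):
        # Random token: no key material or plaintext structure leaks to S3.
        token = f"tok_{kind}_{secrets.token_hex(8)}"
        self._store[token] = value
        return token

    def lookup(self, token):
        return self._store[token]


def protect_record(record, vault):
    """Detect sensitive fields and replace them with tokens before upload."""
    protected = {}
    for key, value in record.items():
        kind = classify(value)
        protected[key] = vault.tokenize(kind, value) if kind else value
    return protected


# Access policy: which role may see which data class in the clear.
# The policy administrator maintains this table but has no reveal rights,
# so the people writing the rules cannot read the data they govern.
ACCESS_POLICY = {
    "billing_clerk": {"card"},
    "support_agent": {"email"},
    "policy_admin": set(),
}


def reveal(record, role, vault):
    """Enforce the policy at the access point: detokenize only the classes
    the caller's role is entitled to; everything else stays tokenized."""
    allowed = ACCESS_POLICY.get(role, set())
    out = {}
    for key, value in record.items():
        if isinstance(value, str) and value.startswith("tok_"):
            kind = value.split("_")[1]
            out[key] = vault.lookup(value) if kind in allowed else value
        else:
            out[key] = value
    return out


# Constructed sample record, as it would sit in the on-premises system.
SAMPLE = {"id": 42, "name": "A. Customer", "ssn": "123-45-6789",
          "email": "a.customer@example.com", "card": "4111 1111 1111 1111"}


def demo():
    """Run the flow once and return each party's view of the record."""
    vault = TokenVault()
    cloud_copy = protect_record(SAMPLE, vault)   # what would be sent to S3
    return {
        "cloud": cloud_copy,
        "billing": reveal(cloud_copy, "billing_clerk", vault),
        "admin": reveal(cloud_copy, "policy_admin", vault),
    }


if __name__ == "__main__":
    for who, view in demo().items():
        print(who, view)
```

The point to notice is that the cloud copy never contains a clear value or a key that could recover one, so a compromise of the cloud provider exposes tokens only, and the reveal check runs on every read rather than once at upload time.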
It seems clear that public cloud adoption remains held back by data security concerns and possibly by the inertia of existing investments in legacy IT infrastructure. This is problematic for those who want better security and business agility. However, there are approaches to securing data as it reaches the cloud. To learn more about this, I recommend reading a newly published whitepaper, “Safely Lifting and Shifting Enterprise IT to the Public Cloud,” that digs into the opportunity to protect data as it moves to the cloud.