De-risking the cloud
Whatever has happened to cloud? From risk bête noir to flavour of the month – how did that happen?
Surveys across the board show huge growth in the adoption of cloud computing, especially hybrid cloud: in a recent report, 95% of IT professionals said they were using the cloud, and 75% said they were using hybrid cloud. And the report also found that security was no longer the top cloud challenge, with the top spot now occupied by the shortage of resources and expertise.*
It was not very long ago that security was viewed by most enterprises as the biggest cloud challenge. Yet while in all organisations security will at least remain a concern and will still be the top concern for many, especially for those managing sensitive data, a shift is clearly underway. So what’s changed?
The pattern of cloud adoption has been no different in many ways to the adoption of other new technologies. Some organisations are more comfortable than others with forging paths to the future by adopting new techniques and technologies. In some sectors, not to do so would be counter-productive. For the bulk of enterprises, however, the principle of allowing others to shake out the bugs, take the early-adopter risks, and become reference case studies tends to dominate.
This tendency to de-risk so major a move as adopting cloud computing for production processes is a natural approach to running a business; bell-shaped adoption curves are a familiar sight. What has happened however since the first appearance of cloud is a huge growth in cloud services and business models.
In particular, one of the biggest growth areas has been platform services – PaaS – a category term that hides a rich wealth of services. Private cloud and managed cloud services are also among the growth areas. New development paradigms are very quickly becoming the norm. And big data – especially sourced from the IoT – is on the horizon for many and a reality for an increasing number.
So now companies previously confined to the services they could develop in-house are now able to use off-the-shelf processes that would previously have been unavailable and unaffordable. None of this is to argue that security and risk are not concerns.
What has changed is the appetite for risk. For example, the UK civil service is adopting cloud computing, and is recognizing that risk is the downside for the benefits that cloud computing confers. The organisation is approaching the issue by performing thorough risk assessments and propagating security as policy throughout the organisation, not just within IT.
In addition, one of the pre-requisites for the adoption of a policy that enables the movement of data outside the corporate premises has to be a data-centric approach to security. This allows organisations to remove a potential disconnect between security technology and business strategy objectives by relating security to the data rather than the devices on which it resides. Consisting of processes and technologies such as data access controls, encryption and data masking, data-centricity can therefore help reduce the risks associated with cloud computing.
Cloud computing is a long game – and it is an ongoing, evolving process rather than an end goal, and the available methods for reducing risk will evolve alongside. As with any business process, complete risk removal is not possible – but it is and will increasingly be possible to reduce risk to the point where cloud computing’s benefits outweigh the hazards.