When adopting any new technology, security is always a primary concern, and the cloud is no different. But do people actually understand what they should be securing?
Speaking at IP Expo, IBM’s Jon Machtynger questioned the work ethic of today’s IT professional and asked whether the introduction and mass adoption of cloud computing is removing the capability to define and assess risk.
“The difficulty with security is that we want everything secure and we think everything is valuable,” said Machtynger. “We throw as much technology at the problem as possible without ever asking the question as to what should be secured.”
The promise of cloud is a simple one: unlimited compute power, storage and capabilities, should you have the budget to fund it. With an unlimited budget and the scalability of cloud computing, the only limit is the creativity of engineers and the number of hours in the day. But with all this capability at our fingertips, has the industry become power hungry?
“The right way of being secure is by understanding what you need to secure,” said Machtynger. “We should design for things failing but failing gracefully. The real problem with security is we haven’t thought about what is actually valuable and sensitive to the company so we secure everything.”
During the early days of computing, storage and services were expensive. Buying the latest piece of kit to make sure any naughty hackers couldn’t crack open your servers was a costly job. The IT guys had to decide what to spend money on. Behind each decision was a process of assessing risk, consequences and business criticality. Now with the cloud, the price of security has decreased and therefore a big blanket can be thrown over the whole thing. That’s great, right?
“The cloud makes us lazy, because we have infinite power,” said Machtynger. “When we had on premise and a small amount of storage space, we had to decide what was most appropriate to secure. Now we are worried about making everything 100% secure, when we don’t actually have to. Why are we securing information which is publicly available?
“Why not prioritise certain areas which we have decided need to be more secure and invest more there to make sure the most important aspects of our business are the most secure?
“It’s about using the right technology at the right time, and isolating the right information at the right time. It’s actually making a decision as opposed to doing everything because we can in the new cloud environment and taking away the emphasis from the things which need to be more heavily secured.”
So there we are. Does the community think the cloud is less secure because everything is being treated the same? Are IT professionals more concerned about mission-critical aspects because they have in fact been paying less attention to them? For Machtynger this is certainly the case.