Locking Down the Cloud
by Jess Iandiorio
Over the last few years, IT departments have gotten increasingly comfortable with cloud technology, by which I mean cloud security. Because as one IT analyst put it recently, “When it comes to the cloud, security is the number one concern. And number two isn’t even close.”
But 2014 could be the year when thought and analysis take a back seat to action. Companies that haven’t already embraced cloud technology are ready to make the move. One reason: the rise of automation, which is making it easier -- nearly irresistible, in fact -- for IT departments to start transitioning significant parts of their businesses to the cloud.
That’s why, in this blog series, “Locking Down the Cloud,” I’ll be looking at cloud security from an automation perspective: I think it’s one of the most disruptive, and most promising, developments in the already very promising and very disruptive evolution of cloud technology.
Back in 2010, Mike Kavis was an early cloud pioneer. His startup, M-Dot, used Amazon’s AWS cloud service to manage point-of-purchase coupon programs in thousands of stores.
Mike was ahead of his time, and competitors who were selling systems that were hosted on site would frequently try to stir up cloud security fears and doubts in the store owners who were Mike’s early customers.
Mike’s response: He would tell the store owners to ask the competitors how often they visited their aging, on-location Windows machines to install security patches, update the software, and add new, improved security software. With hundreds of machines scattered in retail locations all over the country, the answer was usually: not often.
M-Dot, by contrast, was constantly updating and improving its security, and staying ahead of the latest threats, by managing its service in the cloud.
“That made an impression on the retailers,” Kavis recalls.
Score one for cloud security.
That’s the way it’s gone for the cloud, particularly regarding security, as amorphous -- and often justified -- fears get knocked down by rapidly improving capabilities and practices.
I heard many stories like Mike’s as I talked to cloud architects and security experts about cloud technology.
And lately I’ve been hearing a lot more about how automation is not only improving cloud security, but making IT teams more efficient.
Mike, who is now vice president and principal cloud architect at Cloud Technology Partners in Boston (M-Dot was sold in 2011), is not surprised. He’s been around long enough to know that security often lags behind technical innovations -- like the Web, for example -- but that it makes steady, sure gains.
In his 2013 book, “Architecting the Cloud: Design Decisions for Cloud Computing Service Models,” published by Wiley, Mike includes a chart that maps security on the familiar Gartner Hype Scale. You can see, below, that in 2013 cloud technology had already hit the “peak of inflated expectations,” and was on its way through the trough of disillusionment towards the slope of enlightenment.
But look at “security maturity.” That’s been on a steady rise almost from the beginning.
There are many reasons for the rise of cloud security, but automation is pushing two of them: (1) it is freeing IT staffs from rote activities, allowing them to focus on higher-value contributions; and (2) it is reducing the kinds of security vulnerabilities that get introduced by humans, either through error or malevolence.
Automation also pushes the same advantage that Mike, and his customers, discovered back in 2010: Because it’s easier to update software and security in the cloud, cloud security gets updated more often.
Oliver Wai, the senior project marketing manager at Barracuda Networks, which provides cloud-connected security and storage solutions to an enviable list of clients, has seen the same thing.
“Automatic detection and patching is a key issue,” he told me, “because many of the breaches are the result of attackers exploiting unpatched software with known vulnerabilities. Moving to the cloud ensures that you always have the highest level of security deployed for all your applications.”
And you can bet that cloud service providers are pressing their security advantages. In fact, because so many potential cloud customers regard security as concern No. 1, it is now regarded as a core competency by most cloud providers.
Compare that to the companies that are running their own datacenters. For many, security is a cost center, and another thing to do outside their core competency.
The result: While many companies struggle to keep up with their on-site hardware, software, and firmware security upgrades, cloud providers are continuing to push the security maturity curve up, towards the “plateau of productivity.”
And people are starting to notice.
In its third annual “Future of Cloud Computing Survey,” published last year, North Bridge Venture Partners found that the percentage of respondents citing security as their top concern fell to 46 percent, from 55 percent in the previous year’s survey.
To be sure, there are many security challenges that cloud providers still must tackle. We’ll discuss these cloud-specific hurdles -- and the security issues that the entire tech community must deal with -- later in this blog series.
But for now, take a deep breath. As far as security goes, cloud is on it. Next we’ll consider how to make it work for you.