It’s clear that security ranks high if not the highest in the general concerns about companies migrating to the cloud. This is despite reputable research organisations like Aberdeen reporting “Web Security in the Cloud: More Secure! Compliant! Less Expensive!”
Drawing on the findings from multiple benchmark studies on best practices in content security and security software as a service, Aberdeen’s analysis shows that users of cloud-based web security had substantially better results than users of on-premise web security implementations in the critical areas of security, compliance, reliability and cost. Compared to companies using on premise web security solutions, users of cloud-based web security solutions had 58% fewer malware incidents over the last 12 months, 93% fewer audit deficiencies, 45% less security-related downtime, and 45% fewer incidents of data loss or data exposure.
Or from a more biased perspective, take Zach Nelson, the “flamboyant” chief executive of NetSuite, who said recently on a visit to Sydney that his company’s Australian customer base wasn’t phased by the fact that its datacentres are hosted in the US.
The executive said “more importantly” his company’s customer base of medium-sized companies recognised that NetSuite’s datacentre practices, its ability to do backup and recovery and so on, were “far more efficient and available” than customers could do themselves.
That’s the party line from Netsuite, most certainly from Salesforce.com, and many others. It’s also what I would tell most customers and one useful reason to consider migrating to the cloud. But it’s not the whole story! The whole story is much more complicated, so I’m going to boil it down to ABC, with the following parts:
- customers ain’t customers;
- cloud security isn’t the issue; and,
- risk management.
Customers ain’t customers
Small customers tend to have bad security and would get better security in the cloud, while super large customers tend to have security which is probably as good as the cloud (and even if it is not that is not the issue, see next section!). The cloud debate swirls rapidly and sometimes rabidly, and it makes it very difficult to usefully participate unless we do some segmentation.
Let’s classify customers into three groups:
- A Group are the Absolutes. These companies focus on achieving as near as they can to absolute security while still meeting their business operational goals – cloud providers, banks etc. These companies have the right people.
- B Group are the Becomings. These companies are always “becoming better” at security. The positive description is that they apply “fit for purpose” security, and they span a range from those keeping on top of patches and defense to those always “one patch behind”. They are always wanting to become better but its a question of time, money, priorities, and having the right people.
- C Group are the Cannots. These companies just don’t have the time, inclination, people, priority, whatever to get it right. It’s all too hard, although they do play at it and occasionally, after something goes wrong, they have a crack.
What’s the distribution?
I don’t know and I haven’t any numbers but I’m willing to place my bets on the table. I say the Cannots are 66%, the Becomings are 30% and the Absolutes are 4%. These are by number of companies.
The size of a company isn’t the criteria – it’s their security profile which places them in each segment. That said typically SMBs fall into the Cannots, and spread up into the Becomings.
My point, cloud security is not a restraining factor for the Cannots, in fact it’s probably a blessing and even adds value (as well as reducing costs). In the main it is also not a restraining factor for the Becomings, as they are just shifting their mess to the cloud and should be line ball neither better or worse. Bland and bold statement I know, but hey?! Just to note that some of the Cannots and most of the Becomings would do well to consider the role of the Cloud Review Board (if you have a set of business people governing your business systems architecture then you need a Cloud Review Board).
However, for the Absolutes, it’s another story. And it’s not about cloud security per se.
Cloud security isn’t the issue
The Absolutes know a lot about information and information systems security. That’s why they are the Absolutes. The Amazons, Microsofts, Googles, Saleforces, Rackspaces have a lot of those people, because they are Absolutes, but they don’t have them all. There are lots of other companies in the Absolutes.
It’s fair to say that many of the key people in the Absolutes, both vendors and “customers”, all know each other or of each other, and share a lot. I’m sure that they don’t all agree with each other, and that supports my point.
It supports my point because they can all build secure online environments. That’s what they do. But they’re all building them to align with different business objectives and risk management objectives (see next section).
They’re solving different problems because they have different business Goals, Objectives, Strategies, Plans and Actions. And because they all have unique environments which are not only optimised with respect to those goals, but also with respect to their legacy. That legacy is bound to be quite a complicated one, security-wise, for the Absolutes.
So if all the Absolutes can build great security in an online world, then why don’t the Absolute “customers” move into the clouds of the Absolute vendors?
It’s because as you come down from the top of the Goals, Objectives, Strategies, Plans, Actions hierarchy things start to increasingly messy i.e. the rubber on the road and “how things are done around here”.
Even considering, say, 2 banks, who might have some Goals and Objectives and Strategies which seem remarkably undifferentiated, will be moving apart in their Plans and Actions. And we’re still a ways up yet!
As we move down towards Standard Operating Procedures, and then Work Instructions, and then throw in Policies and Standards, and then how all those interact in normal times and in times of breach or threat.
That’s when worlds move apart between the Absolutes. And that’s why security per se isn’t the issue, the issue is how to make all the moving parts mesh together in any migration to cloud.
And by the way it’s also why “we’re 27001 certified” etc from a cloud vendor doesn’t mean much! It means something – that you’re the same as all the other Absolutes in this respect. But it doesn’t mean that an Absolute customer (or any other customer) can mesh with the vendor in the risk management sense, as below.
The Absolutes will all have their risk management processes in place. For example it will be crystal clear how information flows and who does what under what circumstances and in what timeframe.
That risk management process would have been built up over time, it would be very expensive and extensive, it is not something that an Absolute wants to subject to perturbations without due cause.
Which leads to the burning question. What an Absolute most wants to know about the cloud is how can I optimally mesh my current risk management processes with the cloud provider processes in order to take advantage of cloud? Can I even get access to the information flow, the people, and produce the necessary outcomes, through the interfaces which the cloud provider is willing to provide?
To work through that process for core Absolute systems will take years. It’s not technical and it’s not about cloud security per se, it’s organisational and it’s risk management. It’s going to require change on both sides, and the cloud vendors will have to come to the party or miss out.
That’s for the Absolutes. For the Becomings and Cannots it’s time now to start the process of mapping how to take advantage of what cloud offers today. It still takes planning, but it’s a different world to the Absolutes.
What do you think is the biggest show-stopper for the Becomings and Cannots moving to the cloud – are they different?
What’s the timeframe for the Becomings and Cannots – different?
How are the service provider opportunities different for each segment?