One of the largest perceived barriers to adoption of cloud computing is the concept of security. Based on countless discussions with companies interested in adopting a cloud model, it is clear that many want to achieve the economic promise of cloud but are struggling to figure out how to use a multi-tenant, virtual environment in a way they are comfortable with, given the security concerns of their respective companies.
From an enterprise perspective, most companies are much slower to adopt change based on the amount of established process and policy around existing solutions (change implies cost). In that, one of the barriers that is getting in the way is how different cloud is from what most companies have today. Different means that companies are not as confident securing the new solution, but also different means additional cost to make it work. And while we will all agree that Google and Amazon are clouds, it does not imply that cloud is Google and Amazon.
What I mean by this is that there are many definitions of what cloud is, and while the Google and Amazon offerings are both very strong representations of a cloud solution, that does not limit the definition of cloud to be what Google and Amazon offer (and their offerings get more broad in definition every day). What each consumer needs to figure out is what solution they need, what parameters they are comfortable with (this is where security sits), and what the price needs to be for the solution to be interesting.
We have had several conversations with infrastructure service providers who are more than happy to make additional infrastructure available to companies as an extension of the customers existing infrastructure (They turn the entire system over to the customer, un-configured, and place it in a private VLAN. The customer loads their OS. The customer loads their configuration. The customer integrates the system into their cluster as they see fit), and charge the customer for the time the system is configured on the customer network. Additionally, there are software packages out there (look for “hybrid cloud” keywords) that will help acquire, configure and burst into these extra resources. Because these are complete systems and not virtual machines, customers feel more comfortable that this model is not a change from what they are doing today.
That would be one approach that would imply very little change on the consumer side and therefore minimize cost and additional security exposure. If there were still concerns about cloud resources, an additional set of steps that could be taken would involve classifying the data into security classifications (very typical security practice that may already be implemented) and specifically leverage cloud resources for only workloads that use public datasets (identify cloud-eligible workloads).
Cloud is an opportunity. Not only do companies get to realize economic benefit over time, but they also get to take advantage of emerging standards and innovations in the field of security that are evolving because of cloud. As we spend cycles adapting to cloud and retooling legacy applications into cloud-consumable footprints, they become eligible for the new security capabilities that are being designed and built for cloud. As standards are developed, certifications will become available, and then measurement and auditing will become available at a solution layer instead of at the specific implementation layer. This will help to drive the cost of security lower across the industry and, even better, allow for much more security for the same cost as today.
In summary, find a solution that minimizes change. Cloud is an opportunity to improve economic position and flexibility, and over time, improve performance and security. The more similar that we can make cloud infrastructures to the enterprise infrastructures we have today, the more comfortable customers will be with using cloud from a security perspective, and by minimizing change, we minimize the cost of transitioning to cloud, making it a viable solution for more customers sooner.