Why cloud security is still a top concern for IT

Because most do nothing about it.

Why do so many IT departments skip out on the need to secure their own data and applications after they're moved to the cloud? I don't know.

Security is a big deal under any circumstances; in the cloud it should be a higher priority for IT, not lower.

For all its advantages, all the new hardware and special skills of the cloud providers, cloud is risky in ways an internal data center could never be.

For example, the first thing you have to do to make the cloud work for you is the one thing you would never do under normal circumstances: Take the company's precious data and applications out of your nice, safe data center and ship them off to a giant colo warehouse run by strangers you might have been able to trust, if they hadn't seemed so smug about being better at your job than you.

They wouldn't even let you past enough locked doors to touch the boxes where your data would live, a long way from the nice, safe data center where you know which server runs that creaky legacy app, which SAN segment records its transactions and why the really critical customer data lives on JBOD instead.

Under those circumstances, the first thing you'd do is roll up your sleeves and bolt down a few things so at least you'd know your data was safe, even when it was lonely and far from home.

You'd be the odd one out, then. Of companies in the U.S. that use external cloud providers, 72 percent cannot or do not manage their own security in it.

That tidbit is from a survey published in February by CloudPassage, a firewall- and intrusion-detection vendor that takes the odd approach of making cloud systems secure by adding more cloud to them, by selling its multilayer security software as a subscription service (SaaS) rather than as traditional software.

Oddly, it's not a survey showing how unconscious about security all the business-unit managers and end users are who hire SaaS and cloud providers to get the IT services their own IT departments told them they couldn't have.

The survey was of IT people who, despite knowing better, didn't bother to dot any i's or cross any t's in the management of cloud providers. It's not clear if the IT people surveyed fell down on the job because they didn't like that end users were buying IT from someone else and then asking IT to manage it for them, because they assumed the cloud providers would handle all the security themselves, or because they just didn't want to deal with yet another security challenge.

It doesn't really matter. Whatever the reason, their company's data and applications are living outside the house and IT is still responsible for keeping them safe. Technical problems, organizational barriers or budget problems might limit an internal IT department's ability to secure apps and data in external, alien computing environments. Lacking some genuine barrier, failing to secure the company's data just because it lives in someone else's cloud is just negligent.

Unfortunately, it's also unbelievably common.

According to CloudPassage's survey:
  • 31.2 percent of companies let their cloud provider handle all the security;
  • 21.3 percent do cloud-server security themselves, but manually rather than automated or by policy;
  • 20 percent don't secure cloud-based servers at all.

Read more of Kevin Fogarty's CoreIT blog and follow the latest IT news at ITworld. Follow Kevin on Twitter at @KevinFogarty. For the latest IT news, analysis and how-tos, follow ITworld on Twitter and Facebook.
