The software industry is entering another age of astonishing innovation. It’s a time when not only software is advancing at a fast pace, but so too are hardware devices – where power is increasing as quickly as size is decreasing, and is making software and computing power near ubiquitous. With this comes an increasing need for corporate software and data to be readily available anywhere, anytime, on any device, and from within any Web browser.
The Software-as-a-Service (SaaS) and cloud computing revolution has the potential to benefit everyone in the software industry, and all who rely on it for their businesses. Such models can have a positive impact on the infrastructure of both private networks and the Internet. Unlike when individual organizations patch (work that must be duplicated for every installation), when SaaS vendors update their software applications, all of their customers are patched instantaneously as well. Because of this simple fact, many of the security problems that plague today’s business-technology systems, such as patches and software misconfiguration issues, are solved.
Thus, in this and many other ways, the burden of maintaining a secure application largely is transferred from the software user to the software service provider. The effect of proper patching is amplified throughout all the IT systems the SaaS and cloud providers touch.
Some still are fighting the shift to SaaS and cloud computing. But I don’t believe that resistance to the transformation of on-premise business IT to cloud computing-based IT is a viable option. Not for long. The business benefits, cost savings, and reduction in complexity are just too compelling for businesses to overlook. Today, the strongest resistance we see is emanating from IT departments, and IT security staff—mainly out of fear of what might happen if one were to lose control of data. This is a false choice, and the market will not reward cloud or SaaS providers that attempt customer data lock-in.
Nevertheless, despite reservations from IT, businesses will march forward because the business has no choice but the path that simplifies many of today’s IT complexities. And in this, the primary—and strategic—role of IT security will be successfully and securely managing the privacy and security risks associated with data living in the cloud.
While the SaaS and cloud computing revolution is well underway, there still is much work to be achieved before the core infrastructure and associated services are as secure, reliable, and trustworthy as they can be. For instance, we need ISPs to coordinate so that network traffic flows more cleanly, and is free of malicious packets. We’ll also need a simple, globally recognized way to recognize and manage the identities of people and devices. There also is the crucial business of defining accurately how enterprises can integrate and secure their current infrastructure as more of it is moved to cloud services. For this effort, I encourage all businesses, security professionals, CIOs, and vendors to work together to make the transformation as beneficial as possible for all. Some of the organizations working hard to ensure that we build this new cloud infrastructure right from the beginning include the Cloud Security Alliance and the Jericho Forum, both of which are promoting cloud computing best practices.
While the visible shift to cloud computing to date has been the movement of applications and data to the cloud, it’s not going to stop there. Soon, the day will come when companies outsource not only their software but their network infrastructure, as well. One day, most everything we do on private networks—manage information, applications, infrastructure, and services—will be accessible instantly and securely from anywhere and from any Web browser. It’s time to prepare.