Harold Moss is the Emerging Tech & Cloud Computing Technical Architect, IBM Security Strategy.
In this interview he talks about the security of cloud service providers, cost savings and risks involved in enterprises using cloud computing and IBM’s approach to cloud security.
Some believe that cloud service providers are aware of the threats and are indeed secure. Can you agree with such an assessment or is it just wishful thinking?
The question of security really boils down to what you are attempting to do in the cloud. At IBM, we believe that in cloud computing “one size does not fit all.” What this means is that the security needs of cloud implementations directly correlate to the work and types of data that are driving your cloud activity.
To highlight this point, organizations managing health care data are going to have very different security needs than organizations which use the cloud exclusively for blogging. In one case the data needs to be contained, protected, and monitored. In the case of the blog, the information needs to be free and distributed, so there are very different purposes and very different security needs.
For customers to have confidence in their cloud implementations, they need to build security into the fabric of their clouds and not totally rely on cloud vendors to provide those capabilities. Security in the cloud is ultimately the responsibility of the consumer of the cloud; as such, they can’t assume their vendors will provide security commensurate with their individual security needs.
Critics say it’s dangerous to put data in the cloud as it becomes controlled by the provider and the company can’t really know how secure the data and the infrastructure is in general. What’s your take on these issues?
If you start with careful introspection and apply strong cloud security practices, then your data could be more secure in the cloud than in your own environment. Ultimately we believe that organizations have to follow a “secure by design” approach, which builds the security into the fabric of the solution and is based on foundational security controls in combination with specific work activity-oriented controls. By applying these methods and carefully monitoring their cloud infrastructure, organizations can gain greater confidence in the security of their cloud implementations.
Research has found that a quarter of enterprises that already use cloud computing believe that the risks outweigh the benefits, yet carry on regardless. Are they doing it because it’s cheaper? Are they just misinformed? What are the real risks?
The challenges organizations encounter really stem from fear, uncertainty and doubt. The cloud evolved extremely quickly, and it is based on the concept of extending trust. This trust is something most security experts are hesitant to impart, as it’s counter to our past experiences. That said, organizations who implement clouds with the basic tenets of “secure by design,” foundational security controls and with a focus on the work activities and data will see greater benefits and reduced risks as they move to the cloud. This will translate to smarter, cheaper security implementations which are focused not on obscure and unimportant controls but on concentrated security activities and controls. This security evolution will allow organizations to become more aware and conscious of their security, and their organization’s culture as it relates to security risks.
Development and testing environments have especially benefited from cloud computing. Can you give us an estimate of cost savings and other benefits based on what you see with your own clients?
The benefits vary from organization to organization. However, from the perspective of IBM’s own internal development/test cloud efforts we have seen an unbelievable return on investment, with an estimated 83% reduction in costs and less than 90-day payback. Speaking from the perspective of someone who continues to develop solutions, the cloud has been a tremendous asset in enabling the delivery of projects on schedule — with the security and quality my organization expects.
Looking beyond the financial benefits, organizations are realizing benefits in terms of protection of intellectual property and code quality. As I talk to executives in both financial and healthcare organizations, they often ask about how they address the phenomenon of “rogue clouds,” which are small development cloud clusters not generated by the organizations but instead by the developers and testers outside of the organizational boundaries. As the planet moves faster, we see more and more developers and testers attempting to compensate for the increasing pressure to deliver, licensing space on external servers. This introduces tremendous challenges for organizations as they do not have enough control or awareness of intellectual property leaks.
In addition, the possibility of their code being compromised with malware is much greater. As a result, the cloud offers a significant opportunity for organizations to minimize the phenomenon by offering those same services to developers, but under the control and management of the organization.
What are, in your opinion, the fundamental differences in IBM’s approach to cloud security in comparison to other players on the market?
Our difference really comes from the fact we are not looking at all clouds and how people utilize them through a single narrow lens. We strongly believe that “one size does not fit all,” and we build our solutions and consulting services around that concept. By providing the best security for a specific focus, we enable our customers to be more secure and confident with the cloud.
Organizations are under pressure to compete and be more efficient – the cloud enables that. However, with any new technology, organizations have to better assess how that tool best supports their organization.
As organizations adopt the cloud they have to begin by asking what is a simple question: who do you trust? To apply an analogy, if you have a broken tooth who do you go to – your primary care physician, your optometrist or your dentist?
Much like medicine, cloud quality and confidence are dependent on specialization. IBM has over 20 years of experience developing cloud technologies and more than 40 years of experience in security, which is the kind of specialization organizations are looking for to be confident in adopting the cloud model.