Providing Tools to Implement Security in the Cloud
By Sam Schoelen, CIO, Continental Resources
I have spent a great deal of time investigating cloud and many cloud technologies. Many have been around for years now and have matured greatly. What I would like to know now is "Why not?" People have been using Salesforce for many years even before they called it a Software as a Service (SaaS) solution so why is this all a big question now? I just heard a representative from HP say "If we can get it as a SaaS product we will." If multi-billion dollar companies are doing it why wouldn’t you? If the national government is doing it why wouldn’t you? What makes you so special that your environment would not work? Now I do know everyone has some very specific cases that would not work in a cloud but I am more concerned with the people that hear the word cloud and just say no.
"Most cloud resources I have tested, default to highly secure and you have to work hard to make it insecure"
When I was curious about Amazon Web Services (AWS), I tested it out and rolled out a system in less than 7 minutes from creating an account to logging into my new system. Even if I have the hardware sitting right in front of me I cannot do that. The speed to having a system ready is impossible to beat. The speed to getting a system up as well as the cost is amazing. I then rolled out a system with a terabyte of storage and the costs are so cheap and fast that it would not make any sense to roll this out internally. That is not even getting into the details about skill sets you would need to make this work. If you have ever run an IT shop you know what you would need to hire to make all these pieces work together well and that does not even begin to talk about the “bugs” of all these vendors working together.
I went a step further and rolled out a file system, a database Radio Data System (RDS), replication, load balancing, etc. All of these functions are just a few clicks away. I remember when we used to sell very large software solutions to do what has now become a check box. If you know what you want you just need to check that box. Disaster recover, replication, load balancing, are all options that require simple knowledge rather than the experts it used to. Once upon a time you needed a company to implement these solutions then an entire team to keep it up and test it.
I know the big issue used to be security but this is now not an issue. As far as security goes there are now so many tools to keep your cloud secure it would actually be more secure in the cloud than onsite. Most cloud resources I have tested, default to highly secure and you have to work hard to make it insecure. Yes, you can get hacked in a cloud the same as you can in your own datacenter but you are starting with a much stronger environment than your own. I once asked a CISO of a cloud provider about security and why it wouldn't be a concern and I loved his answer:"I have the resources to do it better than you do."He is right! Even a very large organization cannot afford the staff or tools that they need, to focus on security the way companies can dedicate. The other argument is also the tools to implement security in the cloud are out there now as they weren't before. If you want more advanced security you can use cloud security products to ensure the only people touching your devices are the ones that should be. I have used some of these products and they work great. Once again the speed to deploy these products is far better than anything I have used before. Knowing that I can get a new security tool as well as test it out without a large investment is a great thought. If you bought a large software application in the olden days and it didn’t do exactly what you wanted it to, then you are stuck with the product or dealing with the return of it. These days you just test it out for a small amount of money and if you do not like it you turn it off and if you do like it just use it more.
So if I can roll out systems in minutes, keep them secure, keep my costs in line and controllable, why should not I chose a cloud product? I am looking for valid reasons why a person would not use a cloud product. That includes SaaS or Infrastructure as a Service (IaaS). I obviously know there are many different solutions and many different arguments that can be made but speaking in general terms I think cloud is mostly a win all around.