Taxes and death may be the two certainties in life but for IT the certainty today is cloud. Whether it’s a primarily a line of business decision or an established corporate strategy cloud is, in fact, an inevitability. But what, exactly, does that mean? Is SaaS inevitable? Or IaaS? Or PaaS? Private? Public? All of the above?
What do you mean, cloud?
When F5 surveyed customers the majority gave top billing to all types of cloud as technology they’d invested in the past year as well as having the most strategic impact in the next two to five years. What was interesting about the prominence of cloud in our research was the differing levels of importance placed on the varying models of cloud: private, public, and SaaS. IT leaders recognized the distinction and showed a preference for a private model, one that no doubt keeps complete control firmly within reach.
But preference isn’t a presence and the same research showed a significant percentage of applications across all lines of business already deployed in public IaaS and SaaS cloud. Organizations had already moved productivity apps (21%), CRM (29%), Marketing (17%), HR (20%) and Billing (10%) to public cloud and SaaS models, among others.
That distinction between the cloud models –IaaS and SaaS - is important, particularly as you consider how to handle security during this inevitable transition.
Because models they are; operational models, to be precise. Recognizing them as such is critical to enabling leaders to lead a transition from policies and processes based on assumptions of an operational model that do not hold true in the cloud.
Envisioning the models in terms of the layers exposed to you (and your technology) will be a boon to help determine how to transition security strategies to best fit the targeted model. Different cloud models expose different layers of infrastructure – and thus responsibility – to customers. The cloud “pizza” analogy holds as true for security practices as it does management because it’s based primarily on what layers of an operational model are exposed and what are not. Each cloud model exposes different layers necessitating a change in how you approach security.
Know what you can do and what you can’t
There’s an old prayer that boils down to changing what you can and accepting what you can’t. When it comes to cloud, leading the way means taking that approach to heart. In the traditional model you’re used to having complete control over every layer: application, infrastructure, network, and storage. You can’t change or impact the security of the network, or the storage, or the infrastructure. The only thing you can change, really, is how the application is accessed. IaaS models expose application and infrastructure layers, but not network or storage. Other models have similar restrictions.
Leading the way means identifying what you can change and what you can’t and moving from a strategy based on implementation to one based on outcomes. Rather than requiring a network firewall to control access to back office applications, policy should be defined in terms of the outcome: back office applications must be gated and auditable. Moving from an approach that specifies how to one that specifies what will enable IT leaders to seek out solutions that fit each model and lead the inevitable transition rather than try to react after the fact. Specifying how is tactical; what is strategic.
Offer Solutions not Statutes
To achieve this, IT security leaders need to offer solutions, not statutes. It’s often the case that cloud challenges our tendency toward functional fixedness and requires we think outside the (data center) box. While a traditional network firewall is not the right solution for SaaS applications that must be gated and auditable, application access services might be. Define what, not how, and then consider alternatives and new approaches to how that may include cloud services as well as traditional options. Go back to the operational layers and determine what solutions exist at those layers to achieve what you’re trying to do.
The key is to be prepared; to offer solutions based on what you’re trying to achieve with security rather than on how it’s always been done. By being more prepared to answer the question “what security does this application need and how we can provide for it in the environment it will be in” other business leaders will see you as a partner rather than a potentate. That simple adjustment can be the most important step toward securing cloud regardless of model, because it fosters conversation that leads to collaboration before applications are deployed without any regard for security.
Losing control over the environment in which you must provide for the security of applications and data critical to business success doesn’t have to be a negative. The reality is that security threats have been migrating up the stack, toward the application, for years and the move to cloud exacerbates that focus because the layers no longer exposed to you are also no longer as exposed to attackers. Consider cloud as an opportunity. Depending on the cloud model, you’ll have less to worry about securing, leaving more time to focus on those assets that are most critical to success in today’s application economy: the application and its data.
Lori MacVittie is a subject matter expert on emerging technology responsible for education and evangelism across F5’s entire product suite. MacVittie has extensive development and technical architecture experience in both high-tech and enterprise organizations, in addition to network and systems administration expertise. Prior to joining F5, MacVittie was an award-winning technology editor at Network Computing Magazine. She holds a B.S. in Information and Computing Science from the University of Wisconsin at Green Bay, and an M.S. in Computer Science from Nova Southeastern University, and is an O’Reilly author.