Dublin on May 24 was a blast (or as they say in Ireland, “craic”). For those of you who missed it, this was the opening day of the 2016 SecureCloud conference hosted by the Cloud Security Alliance (CSA) and the European Network Information Security Agency (ENISA). Normally when I discuss the direction that cloud computing is taking, I state it will be used more for what we can describe as critical services. Admittedly there are many use cases in which this already happens, but it is not yet ubiquitous.
The host for SecureCloud was Brian Honan, my co-author for the CSA Guide to Cloud Computing. Brian had previously illuminated the fundamental challenge that we face with cloud computing. It was a couple of years ago, and I was presenting on the role of cloud computing within critical infrastructure. My co-author then sent an email to me with a link to a company that advertises a “cloud SCADA control system”. At the time, their website had a link to the security provided by their solution:
“Security - Unlike PC-based SCADA systems that are vulnerable to virus and malware attacks, our system is housed on cloud based servers. These servers are overseen by highly skilled technicians negating the need for anti-virus updates and continuous security vulnerability patches required by PC-based solutions.”
Having providers address security in such a way is simply unacceptable. We are moving toward more ubiquitous use of cloud computing in enterprises, and in particular in critical services. Along the way, there have been some misconceptions about cloud, such as the example above: that it is somehow beyond requiring security. Truthfully, cloud is only someone else’s data center – one with less transparency for enterprises. This has resulted in enterprises distrusting the cloud to keep their data safe. In fact, 82% of CISOs say they don’t trust the public cloud to keep their organization’s data secure.
As a result of the rising adoption rates of cloud combined with this inherent distrust, we will witness the advent of new technologies to meet the security appetite of enterprises. For example, I have been a big supporter of the advent of CASB (Cloud Access Security Brokers) and in particular the availability of a third-party key server. These technologies could truly be enablers for businesses to leverage the cloud to support critical operations, while ensuring the required security is in place for data protection and compliance.
My key takeaway from the conference is this: As the cloud becomes a critical component of every part of our lives – in the workplace and at home – we need to ensure that it is a trustworthy platform. Hence, the work that the CSA and ENISA are doing is critical to developing tools and advice so that we can have a platform that everyone in the enterprise trusts to securely deliver the services required in our digitally connected age.