I just listened to an excellent webcast by Neil MacDonald at Gartner on “Why Cloud-Based Computing Will Be More Secure Than It Is Today”. Gartner says that security concerns seem to be top of mind in different surveys on the adoption of cloud computing. Security is important, but people are focusing on the wrong thing.
Many organizations focus on securing or locking down devices. IT locks down servers, firewalls, desktops, mobile devices, you name it. That is a part of the solution, but what is really most important? It’s controlling the outcome of a process, and that is typically about the information.
MacDonald gives a great example of how organizations already give their most important data to third-party providers. Think about payroll. Most companies outsource this process. Talk about sensitive data. Somehow we trust those organizations with the security of our personnel information.
So what’s the fear with cloud computing? People are worried they will lose control of the infrastructure and not know what’s going on behind the curtain. Does this really matter if you are in control of your data and the outcomes of your business processes? Think about your cell phone. Many businesses provide cell phones to their employees, but they don’t control the cellular network. They use a service and someone else provides the infrastructure to make it work.
Cloud service providers design for security, resiliency and failure. They assume that components break, servers go offline, systems are attacked by hackers and power outages happen. They have redundant data centers with incredible physical security. They have multilevel data security, including filtering routers, firewalls, intrusion detection systems, system-level security and application-level authentication. What matters is end-to-end process continuity and the safety of my information. As long as I can access my email or CRM information, I don’t really care what tools the providers use to provide my service. I pay them to worry about that and they respond to me with a service level agreement (SLA).
Thinking this way is a major change for IT. Or is it? When everything was in a mainframe, IT had ultimate control over devices and information. When PCs came about, there was a loss of control and distribution of information. When LANs and WANs appeared, things got worse, because now people could move information almost anywhere. IT lost control, but somehow we survived and the computing experience improved.
Cloud computing forces us to understand and protect the outcome, not the means. With mobile computing, I have the ability to access and store information on lots of devices. Rather than worrying about locking down each device, I should worry about protecting my information. If I store it in the cloud, it should be encrypted. The channel I use to retrieve it from the cloud should be encrypted. This way, my information is secure regardless of how I access it or where it lives.
One of the major things we protect against is running malicious code. Whether it’s a desktop application or a server-based system, we are executing code developed by someone else. How do you know the code won’t cause havoc on your system? With cloud computing, you are sharing capability, not code. The code is running in a datacenter and you are accessing capabilities through a browser or mobile application. This is a safer prospect.
Giving up control of IT infrastructure is a big shift in the thinking of organizations. But just like when companies stopped producing their own electricity and bought it as a service, the change will be beneficial. If I get on a plane to travel to another city, all I worry about is getting there safely, in comfort and on time. I am buying a service and I don’t need to control the process. I care about the outcome.
Worry about business outcomes and not controlling the components to get there.