Cloud Security: 7 Dealbreakers for the Enterprise CSO

Security concerns, according to a 2013 survey by 451 Research, remain the most significant pain point for cloud implementations, cited by 30% of respondents – 12 percentage points ahead of the next most cited concern.[1] It’s easy to see why: If the Cloud remains misty to CSOs tasked with maintaining predictability and minimizing exposure, it poses a significant and sometimes intolerable business risk.

It doesn’t have to be that way…

The Enterprise Cloud, when it lives in a manufactured, standardized software-defined data center, can be more secure, predictable and safe than the cardboard-box approach. 

Many CSOs see themselves in the backseat of Cloud migrations, which often are viewed as a CIO-driven effort to avoid the capital expenses associated with increased IT capacity. But in fact, the CSO stands to substantially improve predictability and mitigate risk if the Enterprise Cloud is specifically engineered to address the visibility, control, and privacy requirements of large, sophisticated consumers of data center capacity.

“If you’re resisting the cloud because of security concerns, you’re running out of excuses.”

— Forrester analyst James Staten

The Enterprise Cloud’s promise to the CSO: Predictability and risk mitigation

To satisfy the CSO, the Enterprise Cloud must be designed to enhance predictability and mitigate risk.

Done right, the Enterprise Cloud can improve predictability by:

  • Replacing overbuilt, fixed-cost, CapEx IT infrastructure investments with fit-for-purpose, pay-as-you-use, elastic, and standardized capacity
  • Offering a policy-based IT governance model to promote compliance with internal and external regulations
  • Arriving with an open reference architecture that is vanity-free, designed for scale, and highly efficient, to provide the desired functionality at the lowest cost (this matters to CSOs because accurate and sustainable cost projections are part of system integrity).

Done right, the Enterprise Cloud can mitigate risk through:

  • Deployment on any premise: even if security requirements mandate your data be kept behind your own walls, you can do so within a standardized, software-defined data center that still offers the agility, security and cost benefits of hosted solutions
  • Providing full global mapping, visibility, and control through a data center operating system that allows the monitoring and control of physical and virtual IT assets, down to the rack

To realize the above, the CSO must make certain demands of Enterprise Cloud. Here are seven that should be considered table stakes:

CSO Dealbreakers: 7 requirements to insist upon in Enterprise Cloud

1. Demand that your Enterprise Cloud live in a software-defined data center – Enterprise Cloud must offer the ability to deploy globally, within world-class, Uptime Institute Tier III Design Certified data centers. Uptime Institute Tier III demonstrates that the data center has concurrently maintainable site infrastructure.

For some enterprises, security regulations mandate that data be kept on the organization’s physical premises. That need not eliminate Cloud as an option. The modular software-defined data center platform, for example, can be deployed on your premises behind your firewalls, reducing your company’s exposure to security threats and ensuring audit compliance. Indeed, the U.S. military, which has some of the strictest security requirements of any organization, has decided that “Modular data centers offer an approach to quickly set up cloud computing capacity, add additional capability to existing cloud computing data centers, and easily refresh or update existing capability.”[2]

2. Demand compliance with government, industry, and internal regulations – Enterprise Cloud can, and should, be configurable to govern access to compute, storage, and network resources based on corporate rules and policies. In other words, security requirements for Enterprise Cloud are not one-size-fits-all; each enterprise can define its own access rules. So if, for example, access to the company’s ERP system hosted on internal servers is limited to finance managers above a certain level, access to the system in the Cloud can be restricted in the same way.

That is a capability Forrester analyst James Staten alluded to recently, writing, “We’ll see cloud security vendors letting you articulate cloud security requirements in executable automation of business policies.” As a result, wrote Staten, “Enterprises will achieve better security this way than on their own.”[3] When Cloud governance is configurable, it can be made compliant with the needs of the enterprise, even those in the most highly regulated industries.

3. Demand certified, secure infrastructure – When it comes to compliance, where the Cloud lives matters. In last week’s blog post (CEO Need-to-Know: Enterprise Cloud needs the SDDC) Nathan Cables talked about the software-defined data center as the foundation of the Enterprise Cloud. To achieve the promise of predictability and risk mitigation, Enterprise Cloud must live within manufactured, standardized software-defined data center infrastructure that is Underwriters Laboratories-listed, Uptime Institute Tier III concurrently maintainable, and PCI-compliant. The data center must have a converged security platform that provides security at both the physical infrastructure layer and the logical layer.

4. Demand protection of physical/virtual environments and organizational IP from exploitation, disruption, destruction, and theft – As written a few months ago in the first of a three-part security series, cyber threats are increasingly sophisticated and increasingly destructive. There are three categories of threat: exploitation, disruption, and destruction. Threats to enterprise IT can be both physical and logical.

An SDDC should enable the implementation of enterprise business and policy rules that ensure the greatest protection for the highest-value assets a company owns, as well as proper logical/physical attribution of those assets anywhere, anytime. If the Cloud is hosted in a provider’s data center, you should be able to choose your own module, which provides an additional layer of physical separation from other customers and dedicated environmental subsystems. In addition, because each module can run a separate application environment, you can compartmentalize users, departments, and applications and configure security and resiliency accordingly.

5. Demand open architecture – The secure Enterprise Cloud should be based on an open reference architecture that is vanity-free, designed for scale, highly efficient, and low cost. Open architecture mitigates the risk that the enterprise will get locked into expensive proprietary infrastructure that reduces predictability by keeping the manufacturer in control. Furthermore, the cost-effectiveness of open Cloud architecture enables the enterprise to deploy dollars to security and other strategic investments.

6. Demand full global visibility and control – The software-defined data center platform, the foundation for the Enterprise Cloud, provides full monitoring and visibility into physical and virtual components across internal and external environments – globally. You can drill down to a particular data center and instantly identify where an issue may exist. Furthermore, IT can automate the migration of workloads from one environment to another based on thresholds you define. With the Enterprise Cloud, no data is ever out of sight or out of mind. In fact, it can be more visible and responsive – hence more secure – than traditional servers in your own building.

7. Demand data sovereignty support – The Snowden revelations have brought privacy issues to the fore, but also issues around data sovereignty and custody; in other words, in a complex data management ecosystem with constituents at every layer of the stack, who gets subpoenaed? Who is liable? Who must decide what, if any, data to turn over? For multinational enterprises, this can pose a challenge, given that third-party data center and Cloud providers in other countries, particularly emerging markets, may have yet to develop the level of security of U.S. and European providers. Enterprise Cloud, on the other hand, when it is founded on a software-defined data center, enables global “any prem” location. The enterprise can manage globally distributed IT resources through a single operating system that pinpoints what application workloads are being run, where, and by whom – down to the rack within the data center – and enables redeployment to comply with changing sovereignty requirements.


So for the enterprise, the Enterprise Cloud must live in a software-defined data center if it is to meet CSO requirements: be deployable in any safe location globally, and tell us what data is running, where, and under whose custody.

CSOs are right to be vigilant about the security implications of migrating to the Cloud. But rather than exacerbating security risks, Enterprise Cloud actually enables greater security by starting from a secure, software-defined data center. Such solutions are available, and the CSO should demand them.

[1] 451 Research, 30 Aug 2013.

[2] Defense Science Board, “Cyber Security and Reliability in a Digital Cloud,” Jan 2013.