Gartner: Cloud Security Is Better Than What You Have Today
Cloud-based computing will be more secure than on-premise computing and anyone who thinks they have control over their IT is just kidding themselves, according to Neil MacDonald, Gartner vice president and fellow.
"Like it or not, you are losing control. Any control you have is just an illusion," MacDonald, told an audience of CIOs at Midsize Enterprise Summit West in San Antonio, Texas.
He noted that 70 percent of companies outsource their benefits management and payroll processing, information that needs to be secure. "The idea that we outsource sensitive data and lose control ... we're already doing that," MacDonald said. "It's the same thing with CRM. . "It's the same thing with CRM. Salesforce.com has 80,000 customers and two million users. Isn't customer data some of the most sensitive data you own and yet we open it up and put it in control of others."
MacDonald noted a number of other areas where "cloudification" is already prevalent: collaboration, mobilization, consumerization and virtualizaton.
"We're tearing down the walls of our enterprise. The mobilization of the workforce demands anytime access. With consumerization you can [reach] corporate assets from any type of device. Users are demanding this," he said. "If you extend that mindset, if the workload can move from this data center to that data center, heck we might as well just move it to Amazon. All of these are taking place simultaneously. Increasingly, we do not control elements of our IT infrastructure. Cloud is just one element of that, and yet we're fighting it."
Securing information is not the same as controlling that information, MacDonald said. "Can we achieve that type of protection as we embrace cloud? I believe we can. In the past we had the idea that control is a proxy for trust. If I have control, I trust. If I don't have control, I don't trust. But that assumption is flawed. I have devices that I can control that can be infected. Cloud challenges these assumptions," he said.
Organizations need to build their IT infrastructure based on resiliency, not on preventing failure, MacDonald said. "Failures happen. Individual devices, hard drives, are going to fail. But what I build in a cloud-based service is the resiliency of the outcome, regardless of the individual device. It doesn't matter what caused the component to fail when the design is for the resiliencey of the outcome."
Next: Security Baked Right In
Cloud is also the first generation of IT to bake in security, rather than treat it as an afterthought, MacDonald said.
In addition, security infrastructure is becoming programmable. Much the way organizations pool resources on the computing side, cloud security can pool resources to ensure the resiliency of the information. "Eighty percent of [security] failures are the direct result of misadministration and poor configuration. Instead of somebody programming a firewall or a switch or a router, you shift to programming information security polices and workloads."
During the presentation, MacDonald illustrated Microsoft's license agreement for Exchange, noting that the end user ultimately holds the risk if something goes wrong. But in the cloud, the service provider holds the risk, which should make it more attractive to customers.
"They are taking responsibility for the availability of the service that they deliver. That's quite a shift," MacDonald said.
The biggest hurdle prohibiting the growth of cloud services is "trustability," MacDonald said. Companies need to trust the service provider enough to engage in a transaction in a multitude of different contexts, he said. "That line shifts all the time," he said.
By 2015, security and privacy will not longer be the chief concerns regarding the adoption of cloud by business executives, MacDonald said.
"My recommendation is to focus on outcomes, not control. The transformation is going to take place and you don't have your control anyway. Baseline your security profile where the business needs to be and hold cloud providers to this," he said.