The cloud is ready for mass consumption; in fact, it’s arrived. This is no longer an early-adopter’s game.
It’s another day, and another article about the security risks of cloud storage lands on my desk. It makes me feel as though someone was searching for a click-bait topic.
Except the “fear the cloud” articles have become less and less relevant.
Every technology innovation goes through an adoption cycle. I’m not saying that the arc of cloud storage has reached its highest point yet; we have plenty more to learn. However, I feel strongly that, as an industry and as cloud technologists, we are done with the phase of making foolish mistakes. These days, we — both service providers and the customers whom we serve — have realistic expectations and realistic outcomes. Cloud storage has indeed reached its tipping point for mass adoption.
No disruption is even-sided.
People blamed AC current for deaths from electricity in the 1800s. As a result, people stuck with kerosene for a long time before they realized they could safely lease electricity from a power station without fear of blowing up the backyard with a personal generator (and without having to keep a local specialist on-site to maintain it).
In the sense of an industry responding to change, IT is no different.
What are the biggest fears in regard to cloud computing? Today, it’s security, durability of service, and vendor viability. Behind all three of them is IT’s desire – its need – to trust the cloud and its providers, on everything from performance to data privacy.
I feel strongly that we’ve made significant inroads in addressing each of these areas. Herein I address some of the innovations that have made cloud concerns far less of an issue than they are presented to be.
To begin with, there are a lot of recent security technology advances to point to.
Encryption has gotten much better, both in the data center and in the cloud.
Among the industry’s recent achievements that better protect the cloud are:
- Hardware security modules (HSMs) have become more common. HSMs are dedicated cryptography processors, designed to protect the crypto key lifecycle and validated by trusted third parties against standards including FIPS 140-2, Common Criteria, PCI HSM, and FIPS 201.
- Digital envelope encryption uses secure electronic data containers to protect a message through encryption and data authentication, using secret key encryption and the convenience and security of public key encryption. Druva is among the companies that use digital envelope encryption, one of the security standards managed by RSA.
- Homomorphic cryptosystems, using mathematical operations on ciphertext, enable search archives to be encrypted, with long-term benefits to both security and corporate in-house data analysis.
The software tool-chain has evolved.
As a result, the process of making things secure has gotten easier. A few of the enhancements:
- On-demand penetration testing has lowered the bar for affordable security testing. Organizations can hire professional ethical hackers online to perform “pen tests” for Software-as-a-Service (SaaS).
- Geo-fencing helps to ensure devices and users are where they’re supposed to be. Geo-fencing creates virtual barriers by gathering location information about the users. When a device enters (or exits) defined boundaries or an IP address range, alerts can be generated and acted upon. So, in the case of Druva’s inSync, if a mobile device suddenly appears in China when it belongs to a user in Chicago, that location may indicate a lost item, and an administrator can disable the device. But plenty of other uses for geo-fencing benefit cloud users and the IT staff that support them.
- Intrusion detection systems (IDS) are, as their name implies, anything that works to protect against unauthorized access and to detect vulnerability exploits. These may be network based, host based, or part of a physical infrastructure. And, obviously, they are a good part of the architecture of the cloud.
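The geo-fencing check from the list above, as an added example (not Druva's or inSync's code). The `Fence` policy, the device name, the coordinates and the IP ranges are all constructed for illustration; the scan alerts only when a device crosses the boundary, not on every check-in outside it.

```python
import ipaddress
import math
from typing import NamedTuple

class Fence(NamedTuple):
    """Hypothetical per-device policy: a circular region plus permitted source networks."""
    center: tuple        # (lat, lon) in degrees
    radius_km: float
    allowed_nets: tuple  # CIDR strings

def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))  # 6371 km: mean Earth radius

def violations(fence, position, source_ip):
    """Return the reasons a check-in falls outside the fence (empty list = inside)."""
    reasons = []
    dist = haversine_km(fence.center, position)
    if dist > fence.radius_km:
        reasons.append(f"location {dist:.0f} km from fence center")
    ip = ipaddress.ip_address(source_ip)
    if not any(ip in ipaddress.ip_network(n) for n in fence.allowed_nets):
        reasons.append(f"source IP {source_ip} outside allowed ranges")
    return reasons

def scan(fences, checkins):
    """Track inside/outside state per device and alert only on transitions."""
    inside, alerts = {}, []
    for device, position, source_ip in checkins:
        reasons = violations(fences[device], position, source_ip)
        was_inside, now_inside = inside.get(device, True), not reasons
        if was_inside and not now_inside:
            alerts.append((device, "EXIT", reasons))   # candidate for remote disable
        elif not was_inside and now_inside:
            alerts.append((device, "ENTER", []))
        inside[device] = now_inside
    return alerts

# Constructed sample data: approximate coordinates, documentation IP ranges.
FENCES = {"laptop-17": Fence((41.88, -87.63), 150.0, ("203.0.113.0/24",))}
CHECKINS = [
    ("laptop-17", (41.90, -87.65), "203.0.113.10"),  # Chicago, office network
    ("laptop-17", (39.90, 116.40), "198.51.100.7"),  # Beijing, unknown network
    ("laptop-17", (39.91, 116.41), "198.51.100.7"),  # still outside: no repeat alert
    ("laptop-17", (41.88, -87.63), "203.0.113.22"),  # back inside the fence
]
```

Calling `scan(FENCES, CHECKINS)` yields one `EXIT` alert carrying both reasons (distance and source network) and one `ENTER` alert when the device returns.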
Compliance and governance have become part of the security landscape.
Compliance with government and industry regulations has long been part of the IT department’s mandate. But in recent years, the trend has been for these areas to be under the security umbrella — something I see as a good thing.
In particular, guidance around operations has evolved for shared infrastructure. We see this in the shared infrastructure used for both auditing and managing software. One example: the adoption of standards such as ISAE 3402, an international assurance standard for public accountants regarding the controls at service organizations that are part of financial reporting.
- Cloud automation and management software is emerging. New deployment and automation tools such as Docker help IT departments reduce errors, and help them with scalability and security.
- Data privacy laws are more tolerant and are gaining adoption.
As I explain elsewhere:
Data privacy should be part of every company’s day-to-day operations; policies, procedures and technologies should be in place to address potential risks. Companies need to comply with data-residency laws to protect corporate and employee data privacy. Also, companies need to not only govern and protect data, but also ensure that cloud service providers meet stringent data-privacy guidelines for storing data in the cloud.
Fortunately, data privacy standards are becoming better understood, and the ecosystem that enabled better security practices is today expanding to data privacy as well. (See my earlier post, For User Data Privacy: Think Globally, Act Locally.)
Vendors have earned customer trust
When we talk about the viability of the cloud, what we’re really discussing is customers’ readiness to put their trust in the partners they rely on — particularly the vendors who provide their infrastructure and are responsible for protecting their data. Here, too, I see several trends that tell me, “We’re past the ‘new and unproven’ stage.”
The cloud has built a viable and vibrant ecosystem. Vendors are doing more than coming up with gee-whiz technical innovations and announcing them at South by Southwest. They’re working to be (or become) profitable faster, with solid business and go-to-market models. Their software architecture has “in it for the long term” built in, such as security features that once were afterthoughts. And vendors are designing their sales and channel compensation to benefit their business partners and resellers as well as to improve the lives of their direct customers.
The tension between OPEX and CAPEX is helping vendors plan costs, and making buyers more risk averse. That sounds like a negative — how can it be good for buyers to be more risk averse? — but it’s a sign of health. People are making business decisions based on the numbers instead of hype, and vendors are thinking about the cost of goods sold rather than “first to market at all costs.”
As a result, I see cloud computing becoming the platform for future innovation. All new startups find it easier to bootstrap and launch a cloud solution rather than a data center solution. So from here on, I expect most funding for innovative startups will go to the businesses whose solutions are designed first (and probably ultimately) for the cloud.
With so much energy going into this kind of cloud-centric computer science research, I argue that the cloud security technologies have leapfrogged what we see in dedicated data centers.