I enjoyed Matthew Gardener's blog this week on the potential for the re-emergence of security silos as a result of the growing move out into the cloud. I think he's right, of course.
If you think of the emergence of any number of technologies, from desktop computing, through client-server, to the Internet itself, there has always been something of a wild-west feel to the way businesses adopt and adapt to the changing IT landscape. The pressure to utilize new technology comes from the operating business units, not from the IT security teams, and so time and again history shows us that security is left running behind the covered wagon as it heads out across the lawless plains in search of riches in the untamed frontier.
OK, maybe that's a little much on the extended metaphor, but hopefully you get the general idea. The need to adapt technologies generally pushes far ahead of our capacity to do so securely, and as a result we are doomed to repeat the same mistakes, over and over and over.
There's a chance that Cloud will be different, but I have my doubts that in retrospect it will be all that different this time around.
It's certainly true that organizations are trying to take a more mature approach to cloud adoption, a fact that is acting as a brake on what could be an even more explosive growth of cloud services and offerings. However, there is another factor at work here that is also having an impact, and will continue to redefine the way we secure the cloud: by its very nature the cloud is changing the relationship between business units and central IT functions.
Instead of coming to the central authority and going through a formalized process for provisioning services and resources, business units are now being seduced by offers of instant cloud gratification, without the need to go ask permission. It's a heady prospect. And that loosening of control is changing the way that security teams will need to operate within the business. In fact, at the very time when the next wave of highly disruptive technology is breaking upon the shore and the opportunity to not repeat the mistakes of the past offers itself, it is at this moment that the ability of the security function to influence how things are done is being challenged.
It reminds me very much of my eating habits as a teenager. While I was living at home, Mom cooked, and pretty much decided what and how I ate. (Yes, broccoli, I will never love you.) But once I moved out, once the parental reins of control were loosened, then things changed, and sadly, not for the better. My ability to go and satisfy my immediate cravings may well have helped McDonald's bottom line, but I doubt my Mom would have approved.
What was needed was for me to police my own diet. I needed a solid framework to base good decisions on, and then I needed to understand that I was going to be responsible for my own actions. If I needed advice (and oh, did I need advice) then Mom was just a phone call away.
Does this start to sound familiar?
In order to be able to securely utilize cloud offerings, the business units themselves must operate on a model of a far more decentralized security framework, looking to IT security teams for guidance and assistance. This approach has been adopted by the more mature organizations for a long time, but as the pressure to deploy cloud computing and storage grows, it will become a necessity, not an operational goal.
The cloud offers the chance to provide rapid, decentralized computing resources that are 'owned' by the business units that need them. Security, if we are to have any chance to protect the critical resources leaving the perimeter, must learn to operate in the same way.