A Tale Of Two Infrastructures: Security and the Cloud

At the end of Charles Dickens’ tale of post-revolutionary France, Sydney Carton sacrifices himself in order to preserve the life of a man he considers more worthy. It’s a noble act, immortalized by his final words: “It is a far, far better thing that I do now, than I have ever done;”

Of course, he has the advantage of being able to foresee the future benefits of his sacrifice. He is impelled, in fact, by the certainty that his short-term suffering will be repaid many times over in the next life, and indeed this one. Sadly, the rest of us don’t have that option.

In a recent Vanity Fair article on the nature of advanced persistent threats (APTs), Michael Joseph Gross recounts a discussion between an embattled CIO and his CFO about their vulnerability to attack:

“What’s the worst that can happen if we don’t fix any of these?” the CFO asked. “We have large exposure,” answered the CIO. “We could potentially be attacked … ”

“No, no, no. What is the financial impact if we don’t do any of these?”

“We’re not regulated or audited, so there won’t be any fines,” said the CIO.

The CFO answered: “You get no budget,” and the topic was closed.

Now you could certainly argue that the fault here lay with the CIO for not adequately presenting the long-term risk to the company of a serious breach, or that the CFO should have been more aware that corporate responsibility extends beyond short-term regulatory costs.

But, finger-pointing aside, this does present an illuminating insight into the way that businesses of all kinds look at the costs, and benefits, of security. After all, security processes are always a trade-off, and security spend is, and should be, based on solid cost-benefit analysis.

What concerns me, though, are the implications this has for cloud security. After all, organizations on the whole tend to favor short-term pain avoidance, and ignore long-term security goals that map poorly to hard numbers and specific costs.

So as the pressure to realize the cost savings from cloud services ratchets up (and it surely will continue to do so for some time), the importance of ensuring the security of cloud services will diminish, lost in the cloud feeding frenzy.

Yet, the move to cloud represents an opportunity to re-think security for information and services. In fact, it demands it. But, to get it right — to reset all the mistakes of the past and start out on a sound footing — requires time and planning and breathing room for the security folks. And this is running out.

Sooner or later, that almost primal urge of the corporate organism to maximize profit and avoid immediate pain will overcome caution and the wholesale adoption of cloud computing will happen. Perhaps it already is. One thing is certain though: it will happen whether the security industry is ready or not.

Cloud, unlike so many previous over-hyped technologies, really does look like it will revolutionize the way individuals and businesses utilize information technology. But there is an important lesson that we should not forget about revolutions: they are often bloody affairs, and rarely enjoyed by those who must live through them.

This revolution may be much the same. While pundits and business planners alike are chanting in the streets about liberty and the freedom to utilize any services, anywhere, the gutters may quickly run red if things in the cloud turn sour.

If the short-term pain of regulatory compliance and the cost of handling breaches begin to take a bite out of the much-vaunted cloud cost savings, then security practitioners will once again be asked to paper over the cracks and make the best of the poor planning and hasty decisions that have already become de facto standards.

And so, as Dickens wrote at the opening of that very same novel: “It was the best of times; it was the worst of times … ”

Geoff Webb has over 20 years of experience in the tech industry and is a senior member of the product marketing team at Credant Technologies. Geoff provides commentary on security and compliance trends for such journals and websites as: eSecurityPlanet, CIO Update, The Tech Herald, Compliance Authority, Virtual Strategy Magazine, and many others. Prior to Credant, Geoff held management positions at NetIQ, FutureSoft, SurfControl and JSB. Geoff holds a combined bachelor of science degree in computer science and prehistoric archaeology from the University of Liverpool.