By George DeBono, General Manager, Middle East & Africa, Red Hat
If you pay any attention whatsoever to tech press coverage and IT industry analyst reports, you know that security concerns about "the cloud" (however that term is being used at the moment) consistently top the list of adoption concerns. Even if naïve cloud safe/unsafe arguments have mostly been retired in favour of more subtle discussions, there's still a lot of complexity and uncertainty.
Security becomes more consumable
This is partly because the "security" moniker often serves as a sort of shorthand for a variety of compliance, audit, regulatory, legal and governance issues that are often only indirectly related. It's also because, as an industry, we're often dealing with new approaches to computing and delivering application services that don't have clear historical antecedents and established approaches to mitigating associated risk. As a result, dealing with security and associated concerns in the cloud sometimes seems to require true experts in the field, who are almost by definition in fairly short supply.
That's why we're encouraged by the efforts of organisations like the Cloud Security Alliance (CSA), which Red Hat joined back in October. The CSA's mission is to promote the use of best practices for providing security assurance within cloud computing, and to provide education on the uses of cloud computing to help secure additional forms of computing. While the CSA's work benefits everyone, its most important role may be "democratizing" the process of securing and running clouds so that organisations operating and using clouds don't need security rocket scientists on staff. Expect to see tools for more easily and systematically securing clouds gain more attention in 2013.
But data security and privacy remain vexing, and increasingly high-profile, issues.
At one level, protecting against data breaches in the datacentre is a fairly straightforward security problem without many new wrinkles relative to the practices that IT professionals have been following for decades. However, in many respects, we are in a place that's different in kind from times past.
Some of this difference is about connectedness and scale. While security models have been shifting from walled perimeters to defence-in-depth since the early days of the web and e-commerce, cloud-based applications made up of composable services from multiple sources vastly increase potential attack surfaces. It's a vastly more complicated security problem than setting the ports correctly on a firewall.
Perhaps even more problematic, though, is determining how specific data and data relationships need to be treated and which laws apply. As Dave Einstein noted in a recent post on Forbes: "Adding to the uncertainty is piecemeal evolution of regulations governing privacy and data security, which depend largely on where you live and do business. Europe, Australia and Canada are in the forefront of tackling data protection, while the U.S. lags, leaving a thorny legal landscape for multi-national Internet companies."
We expect the overall data security and privacy situation to get worse before it gets better.
After all, some of the issues date back to before the Internet went mainstream. The issues have just become more visible and more complicated. We've already seen big fines imposed for even relatively minor medical records breaches. Expect to read about more fines in the coming year but only incremental movement ahead on the macro issues around appropriate uses of data.
Bring-Your-Own-Device doubters reach the fifth step: Acceptance
BYOD is one of the trends that some like to cite as a key cloud security issue given that it takes control away from IT and puts it in the hands of users.