Moving to the Cloud By @EFeatherston | @CloudExpo [#Cloud]

The cloud is no less secure than your current internal environments (for many, it may actually be more secure)

Moving to the Cloud – Can I Take My Security with Me?

You can't have a conversation about technology today without the topic of security breaches ending up front and center as a key concern. This is understandable, with high-profile breaches occurring on what seems like a regular schedule. Anthem, the nation's second largest health insurer, is the latest in a long line of them. Given the size and severity of these breaches, security is very visible on everybody's radar. This is especially true when discussing migration to the cloud. Unfortunately, every breach can result in slowdowns or impediments to cloud migration plans.

The reality is that breaches are not going away (see 'The cloud, security, & breaches - Are the Barbarians at the gate?' for a discussion on that). That doesn't mean you should abandon any plans for migrating to the cloud. The cloud is no less secure than your current internal environments (for many, it may actually be more secure). As with anything else, the key to success is proper planning and design of your solutions. Let's talk about some of the considerations that need to be addressed and that can help alleviate concerns raised by the hype and emotion around the high-profile breaches.

Who owns security in the cloud?
Whether your cloud migration is a SaaS solution, an in-house application migrating to an IaaS solution, or anything in between, ultimately the security of your system is your responsibility. I know there are some that may take me to task with that statement, so let me clarify what that responsibility translates into. It depends on the type of implementation/platform being considered. SaaS solutions have security mechanisms and capabilities baked in, so it would seem that the SaaS provider is responsible for security. While they own the technical implementation, you own defining what your security requirements are for that system. Key to that is defining the SLAs you have with the SaaS provider, ensuring they meet or exceed your requirements. The SaaS provider is responsible for executing on those SLAs once they are defined. As you get further down the platform food chain towards IaaS, your responsibility and ownership grow: in addition to defining the requirements, you are then responsible for defining the implementation as well.

This is no different than if these applications were in-house, and not in the cloud. Over the years you have probably had many COTS (Commercial Off-the-Shelf) packages deployed. The security implementation is baked into those, just as in a SaaS solution, but you (hopefully) defined what the security requirements were for the package. With in-house developed applications, as with an IaaS implementation, you were responsible for defining the requirements as well as the technical implementation. Dealing with security concerns in the cloud is no different than dealing with security concerns internally.

One other piece of ownership that sometimes gets forgotten: security testing. No matter the platform, you should own the testing and validating of the security mechanisms in place for your cloud solution. When you define your security requirements, ensure they are measurable, and that a test plan is developed for validating those measures.

Can I take my security with me?
Absolutely. Any of the industry standard security mechanisms are available from all the major cloud providers and implementations. The cloud is not magical; it is still made of the same hardware and software systems you use on a regular basis, and the same security mechanisms are available. The question really should be: Do I want to take my security with me? As with any rationalization process (and migrating to the cloud is a rationalization process), one of the steps should always be a re-evaluation of current security mechanisms. This is an ideal time to determine if there are any new requirements (perhaps based on learnings from recent breaches for example), identify gaps, and select a solution to address those gaps.

A critical component to consider when migrating to the cloud is: How will the data be secured during the migration process? Securing the application is straightforward, as the normal considerations when developing an application apply. The difference when migrating to the cloud, specifically if migrating to a public cloud, is the security mechanisms needed to ensure the data is protected during the transfer process. This is not a step that is usually considered in standard application security mechanisms, and overlooking it can create a risk during the transition process. This should not be a show stopper; just ensure it is included in the plan and design.

Don't let your migrations be governed by hysteria, hype, or emotion
As I discussed in the article 'Moving to the Cloud - Cloud Rationalization,' Rule #1 in migrating to the cloud is to take the emotion out of the equation. Also avoid migrating because of the hype. Not everything should or will go to the cloud, but don't let fear and hysteria about breaches and security risks be the reason for not migrating. Do the proper planning and design, and define what the security needs and risks are based on the data within the system. Not all data is created equal - some should be more secure than others. Our job as technologists is to ensure the processes are in place, and the business is educated about the real vs. perceived risks, so that decisions are made based on reality and business value, not on the latest breach in the headlines.

This post is brought to you by The DNA of The Cloud, Intel and Verizon.

Ed Featherston is VP, Principal Architect at Cloud Technology Partners. He brings 35 years of technology experience in designing, building, and implementing large complex solutions. He has significant expertise in systems integration, Internet/intranet, and cloud technologies. He has delivered projects in various industries, including financial services, pharmacy, government and retail.
