Rethinking IT Security in the Age of the Cloud

There’s obviously a lot of concern when it comes to the security of public cloud computing services. But there’s also a lot of opportunity to right the mistakes of the past as IT organizations move to embrace what amounts to a fundamentally new approach to enterprise computing.

With that goal in mind, IBM has developed five best practices for public cloud computing that IT organizations should keep in mind as they move to the cloud. Cloud computing, says Harold Moss, IBM CTO for cloud security strategy, is fundamentally more secure than most existing on-premise IT deployments because of the amount of expertise that can be brought to bear on a single deployment and the use of modern security frameworks to safeguard these installations.

In fact, most on-premise IT installations rely on what Moss calls "bolt-on security" versus an approach that builds security into the core of the IT infrastructure by design, which Moss says has been a hallmark of IBM security that harkens all the way back to the mainframe.

But that doesn’t mean, adds Moss, that just because an application workload is deployed in a public cloud that the internal IT department is not responsible for managing it. Moss says it’s critical for IT organizations to make sure they have the proper level of controls in place to secure application workloads both inside and outside the enterprise. To that end, internal IT organizations will need access to monitoring tools that allow them to be certain that all the security parameters that have been outlined in the service-level agreement (SLA) are followed.

The biggest issue with security in the cloud, however, may be that security concerns allow IT organizations to avoid having to confront more difficult issues, such as a fundamental inability to effectively manage data in the cloud. Rather than confront those issues directly, it’s simply a lot easier to roll those issues up under security because it allows the internal IT management team to avoid having some difficult conversations with the senior leadership of the business.

But one way or another all of these issues are going to have to be confronted in the months ahead. And the first step to making that happen is to stop making security the scapegoat for everything that is currently wrong with the way we manage internal IT.