I was having a discussion with a few colleagues about control in the cloud versus on-premise data centers. In that conversation I realized that the IT community has very little understanding of cloud security versus on-prem security. In talking to my colleagues and customers, I find they visualize “the cloud” almost like a foreign element, a wild beast that is out of control. This has become clearer when dealing with Federal customers, after what has been roughly 10 years of conditioning within the IT security space to physically control and secure assets. Looking at this and talking to customers and colleagues, you quickly see that the common theme is the lack of control that individuals feel they have in the cloud versus inside a data center.
Many of you may view this as ignorance, but as you approach the core of this issue you start realizing that the IT security industry has set a precedent as it has evolved over the course of the last ten years. That evolution has forced companies and agencies alike to measure and baseline security standards against security regulations that align with common controls within data centers. This model is something tangible: leaders in every space can set objectives and measurements against it, and it provides roadmaps, hardening guidelines and standardization around security that will meet compliance. Whereas in the cloud, I have to take the word of a provider that these standards are in place and securing my data. “Inheritance” or “shared responsibility”: who am I to inherit or share responsibility for something I can’t control, touch or see? It’s a definite inverse of the pyramid that we have established in our industry around security controls. In the end it’s the data we want to protect, with massive investments in people, places, and time spent.
My takeaway from this is simply to share my understanding of what these cloud providers do for you. Service providers like AWS, Azure, Google and IBM SoftLayer have gone to great lengths to secure facilities and ensure that data centers are secure and properly segmented. Did most of you know that the process to stand up a service provider data center is on par with military regulations for secure facilities? These service providers on average hold at least 10 certifications, issued by independent auditors, to ensure they comply with the appropriate security standards and regulations. Additionally, these data centers are not publicly advertised from a geolocation standpoint and are dispersed geographically to provide more resilience, keeping them away from the public eye and ensuring more privacy. From a security standpoint this is already an above-average standard in comparison to government and commercial data centers. Then there are the other perks, such as energy savings, hardware savings, facility savings, and support savings. These guys do it all under one price and secure better than most. Having been part of a team that has delivered two Agency ATOs to two separate agencies, I can tell you that this process minimizes risk to stakeholders and definitely provides a new layer of security which was absent or minimal in the past. It’s what we like to call “inherited control”: the work is done, the work is validated, and it’s ready to use; we inherit the ability to use it. To that point, I won’t claim that they are fortresses and nothing will happen; on the contrary, there will likely be incidents. But I am confident telling you that there will be drastically fewer incidents and more efficient processes to prevent data loss. These processes will allow more traceability, more insight and more control over your data center, giving engineers and leaders manageability at the push of a button.