I’m the first to admit that I was slow to adopt the cloud; as someone who’s been in the industry for a long time, the risks just seemed to grow at the same pace as the technology itself. People say they understand the cloud now, but it means different things to different people. And it’s not just AWS, Azure, or Google. It could be Drive, Box, email, or a plethora of other things.
Up until just a few years ago, people tended to think about cloud infrastructure as either storage or server capacity — that was it. Now, the cloud is handling whole enterprise functions. Cloud services and applications come in so many different forms that, as a security professional, it’s sobering to realize that the screens that IT just installed in my conference room are wirelessly enabled and present just as much of a threat as the data I just moved into cold storage with a cloud service provider (CSP).
And that brings me to the risks that this new technology brings. The reduced cost and scalability make the cloud a tactical choice, but the single largest risk is security. Cloud security simply hasn’t grown at the same rate as the cloud itself. With such a variety of cloud technologies that have been brought in to enable your business, do you really know who’s accessing it and how? How do you protect data across all of these places? What is happening to your data out there? How do you know that it all got deleted? What if you have to move to another CSP?
Likely because cloud technology has evolved so quickly, point solutions are still siloed to one environment. CSPs offer their own protection, but when you remove your data from their environment, it’s no longer protected or, worse, unusable. CSPs give you the ability to have capacity that you don’t even know you need yet, but they are the least flexible if you need to move. Having a true infrastructure-agnostic platform is very important and almost nonexistent.
And let’s face it, those who run mission-critical infrastructures know it’s important to maintain the ability to negotiate and upgrade to different providers: The more data you have on one provider, the harder your disaster recovery and business continuity become. Outages happen. Cloud adoption has grown so quickly that most organizations don’t just manage operations in one cloud; they have multiple providers for failover. That means that you need to have your data in both places. If you do that, how is your data consistently protected and accessed across those places?
As rapidly as cloud technology has been adopted, many organizations are unwilling or actually prevented by regulations from moving to the cloud. The risks are too great, which ties a slew of use cases to on-prem data centers. I plan to elaborate on the security risks of cloud adoption in my next post — we have to understand the root causes preventing both individuals and organizations from taking advantage of cloud technology — before I share my perspective on a potential solution.
Spoiler alert: From the perspective of Ionic, the data is the data to us. We don’t care about the provider it runs on, and you shouldn’t either.
Ken Silva is VP of operations and infrastructure for Ionic. Prior to joining Ionic in 2014, Ken was the SVP of cyber strategy at ManTech, and prior to that he was the senior executive advisor on Cyber Technologies at Booz Allen Hamilton.
From 2000 to 2010, Ken held multiple leadership positions at VeriSign, such as chief security officer and chief technology officer. Prior to joining the private sector, Ken spent 20 years in the Air Force and the NSA in multiple technical and senior analyst positions.