The real holdup preventing companies from moving to the cloud isn’t control of servers or data centers: Security is the barrier. There are just too many documented cases of buckets breached and insiders moving data quickly. These concerns have been a drag on the growth of the cloud space, particularly when you look at regulated companies.
In my last post, I looked at the risks that crop up when technology evolves so rapidly. Hearkening back to the early 2000s, the enterprise space was growing fast, from firewall vendors to intrusion detection. It was all stuff people ran in the enterprise until managed security solution providers (MSSPs) began offering next-generation solutions. Even back then, the cost benefits were clear, but it was so difficult to get people to migrate. CIOs would promote using MSSPs as a cost saver, but their teams pushed back because of the risk.
I was one of those who pushed back, because you are literally handing the keys to someone else. Having lived through the advent of the cloud…I can tell you that in my own thinking, selfishly, there was absolutely an ownership issue. If you’re making me ultimately responsible for the security of an entire enterprise, then I want to own it. Everything. Soup to nuts.
I have built my own data centers and managed my own servers. I controlled everything: the racks, the power, the cooling, the staff…everything. And I will tell you that the obstacles to growth are too numerous to list. When you max capacity in a data center, that means tens of millions of dollars for a new site. That’s the way I was brought up in the industry, but the paradigm has shifted.
Ironically, the thing you fear the most is the thing you should fear the least.
Cloud service providers (CSPs) like AWS, Azure, and Google Cloud have invested more in the security of infrastructure than you or I ever will. Would I have ever built a data center that could house two million servers? Hell yeah, I would have loved to, but my board wouldn’t let me. The biggest players have invested in security — particularly physical and infrastructure security — in ways that another company could never do, and that’s when I started to take a deep breath.
That said, technology advances faster than our thinking about it, and the shared responsibility model still gives me cause for concern, because I’m putting all my risk in your hands. As I’ve mentioned, this is not necessarily a bad thing — CSPs do a lot of this better than I do — but similar to the advent of MSSPs, how do I know that you can’t look at my data? Several decades later, there are still security teams who don’t want to lose control.
And with good reason. Insider threats like Edward Snowden and Paige Thompson used their inside knowledge to exfiltrate data. Regulations like GDPR mean I have to have complete control of where data is replicated. Financial services companies consider metadata to be data, which means I can’t replicate the metadata to unauthorized locations; even keys can’t be stored outside of the EU for personal data.
We have to evolve our paradigms to match the progress of technology. This means how we think about security. The perimeter mindset of building big fences with alligators and heavily guarded bridges…that methodology worked before the advent of cloud, but now, bits are flying everywhere. However much we try to control where the data is going, it’s still accessed from a myriad of locations, across multiple data centers, and through hands that could mean us harm.
We also have to evolve the way we think about security solutions. Is it more important to account for where data is, or who can handle it? The cloud started out as quick, easy, and cost-effective, but now we’re seeing the rise of technology that makes it secure and auditable. That’s what makes what we do at Ionic so important to folks like me; very few companies can offer the same assurances we do. In my next post, I’ll dig further into these assurances and why they’re so important to accelerating cloud adoption and innovation.
Ken Silva is VP of operations and infrastructure for Ionic. Prior to joining Ionic in 2014, Ken was the SVP of cyber strategy at ManTech, and prior to that he was the senior executive advisor on Cyber Technologies at Booz Allen Hamilton.
From 2000 to 2010, Ken held multiple leadership positions at VeriSign, such as chief security officer and chief technology officer. Prior to joining the private sector, Ken spent 20 years in the Air Force and the NSA in multiple technical and senior analyst positions.