Is your organization still pursuing a non-Cloud strategy? If I’d ask you why I bet you won’t be stuck for an answer. You or your CIO would tell me that Cloud Computing doesn’t meet your requirements in terms of security for example. It’s your valid decision and that’s fine by me. But may I ask another question? Do you apply exactly the same standards you used to define your Cloud investigation criteria for your current IT operational concept? Really?
So, let’s stick at security as I guess it’s one of your main concerns regarding Cloud. Usually, Cloud security concerns cover all aspects related to a Cloud Reference model. Mostly the Cloud Provider has to undertake that the IT Infrastructure is secure and that the tenants’ data are protected. In order to ensure this demand on security the Cloud Provider has to implement several defensive controls that detect and prevent attacks and also reduce the impact of attacks. It’s about reducing the overall attack surface and Cloud Providers need to be pretty good in this discipline – not least because they are constantly in the public eye. Cloud Providers who want to continue to exist have to face up to each security concern.
Now I ask you again. Does your traditional IT meet the same level of security that you have set to evaluate Cloud Computing or do you have double standards? I see, you have firewalls, backup, desaster recovery, antivirus, data encryption and so on – so why bother. I’ll tell you why bother. All these security thingies are firstly just tools and guidelines. But did you ever consider who operates this? Of course your IT department, or spin-off, maybe assisted by external workers. But do you really know what they do or do you rather implicitly trust them? In the latter case the IT department is in a blind spot from business perspective. Quite foggy, right? Fog… Cloud… Frankly speaking you should consider your IT department as a separate attack surface, perhaps it’s the weakest link in your security strategy.
First of all, in order to reduce this risk you should get in touch with your “IT crowd”, not just the CIO. Your business relies on these gals and guys. They are in a key position to proverbially shutdown your business. Listen to them carefully, be thankful and be willing to reward them. Maybe you’ll realize that you need a change in your organization’s culture if you will. Go ahead! Invoke a cultural movement driven by the management. At the end of the day it should be possible for any person to give any person a bit of one’s mind regardless of the hierarchy or command structure, because exactly the opposite leads to vulnerability. Think it over.
From a technical perspective, ironically, your IT department can benefit from the lessons learned in Cloud Computing. Here’s an example. Since this blog is mainly about Windows PowerShell I take the liberty and draw your attention to Just Enough Administration (JEA) (Download Whitepaper). It’s based on technology you should already have in place and helps your organization “reduce risk by restricting operators to only the access required to perform specific tasks”.
Frank Peter Schultze