Online security is a business issue, not a technical one, says expert
Tue 8 Apr 2014
Cloud can be secure but companies should compare internal and external IT security before opting for the cloud.
This is the message from Capgemini’s information security expert, Lee Newcombe, speaking at Cloud Expo Europe 2014. He said cloud computing can be more secure than companies’ internal IT, with the right safeguards in place. “Does cloud have to be less secure than my datacentre? No. This is often based on the assumption it’s better when we do things ourselves,” he said.
Instead, cloud can equal, or better, firms’ internal IT security. Cloud providers have the scale to use the latest defensive technologies and to employ the best experts.
As cloud services are designed from the ground up for “multi-tenant” access by any number of businesses – rather than being built just for one – security should be designed in from the outset. And cloud providers should ensure that defences are kept up to date.
But, he warns, the threat can change. The security issues around a shared, online service are not the same as those affecting traditional, in-house IT.
“Are people using cloud less trustworthy? No,” said Newcombe. “But you are sharing pieces of tin.” That can cause issues if another customer’s workload causes technical problems, attracts hacktivists, or is even shut down by law enforcement.
One way to guard against such problems is to pay close attention to contracts for cloud computing services.
“You should negotiate security into cloud services – but you won’t be able to negotiate the largest ones,” said Newcombe. “You may have to go down the road of private cloud. This will cost more but at least you have the choice on how much to spend on security.”
But companies should also look at what the marketplace has to offer on security, and decide whether this is sufficient for their needs – or could be made sufficient, with the right internal safeguards.
“You may get services that are good enough. But you may not get one hundred per cent of the security you want. That might mean reduced security and a residual risk, which you have to sign off.”
“Security is not a technical issue, it is a business issue.”