While there's a low barrier of entry to the public cloud -- after all, you really just need a credit card -- securely...
running an enterprise application in the cloud isn't as simple. Organizations need to understand the division of responsibilities for security as well as the security requirements unique to a cloud deployment.
A reasonable question, then, is do you handle cloud data security yourself or hire a third party? The answer: That depends.
For organizations that have always deployed applications in-house and are new to Infrastructure as a Service (IaaS), "there is some knowledge about how to use that service that will be new to those folks," said Thomas Trappler, a consultant and instructor who specializes in mitigating cloud computing risk.
The cloud learning curve
For example, it's not uncommon for companies to wish to integrate cloud-based applications with on-premises systems. "Some stuff will probably stay in-house that needs to communicate with the portions that are in the cloud. It's possible that companies will need some expertise to make the cloud work with in-house systems," Trappler said. But he added that whether businesses will actually have the resources to acquire those skills is "a question mark."
The cloud broker can be an intermediary to help you achieve customized contract requirements, financial requirements and compliance requirements.
Cloud Security Alliance
Nikita Reva, manager of information security and risk assurance for PricewaterhouseCoopers LLP, agreed. "There's a technology learning curve, and the big problem is the lack of cloud security skills," Reva said. "The industry is forming new certification and training facilities because the world is progressing toward cloud, and there aren't enough people who really understand cloud security."
That situation has limited cloud success, he continued. "Customers are walking away from cloud because they don't have a grasp on how to secure the infrastructure, and they don't have the people and they can't afford the consultants. Their own people can't get up to speed fast enough."
IaaS providers don't necessarily make the situation any better. Each accepts different levels of responsibility for cloud data security and provides different resources for customers to understand their roles.
For example, Reva said, Amazon gives customers strong documentation and a good baseline. "If a customer is relatively technical, they should be able to consume the document and configure instances based on the documentation, but it is a bit overwhelming," he said. "There's a lot of documentation. They've done a wonderful job compared to others, but it's hundreds of pages and overwhelming to those without experience." Meanwhile, he added, "The other providers are not as transparent. You need more technical knowledge, and you need to do more discovery work."
The role of the cloud broker
For organizations that can afford them, cloud brokers or consultants "can help you get up and running in a cloud service from a technical perspective," Trappler said.
Cloud brokers serve many different functions. "All brokers aren't alike, and there are different layers of capabilities that they have," said Jim Reavis, executive director of the Cloud Security Alliance, an organization that promotes best practices and training to improve cloud security. Cloud brokering is "an emerging field," he said. "It's evolving, but to me it's a combination of technology middleware as well as an evolution of that systems integrator business model that gets combined together to provide you with the business and technology solutions that you need."
Cloud brokers "provide a technical layer of abstraction to help you simplify the management of a lot of virtual machines and potentially do a lot of the security management and compartmentalize the different systems, making sure they are all using a common security profile," he said.
In addition, as the "next generation of systems integrators," cloud brokers may also manage customer contracts while providing other layers of business and compliance assurance, Reavis said. "A very large cloud provider is often not going to customize the [service-level agreement] and things like that. The cloud broker can be an intermediary to help you achieve customized contract requirements, financial requirements, compliance requirements. They, in turn, will potentially manage more of the technical cloud brokering as well," he said.
A cloud broker or consultant may be able to help you secure your enterprise applications running in a public cloud, but first you have to find one. "It is a challenge because some people view [cloud brokering] as being a technology piece only. You have to ask the right questions, and they may not be putting out a sign that says 'I am a cloud broker,'" Reavis said. "The resellers or consultants that say they will help you manage your cloud relationships or that provide more of a technical solution to will help you manage your cloud infrastructure typically fall into that broker space."