September 16, 2015
Centralizing and delegating control of your mission critical systems and data out of the office and into the cloud is something that would make any business cringe. We understand that and have learned this first hand when building cloud services. Security has been proven to be an area that has become a constant challenge for cloud and data services providers to tackle. This goes beyond the security software or firewall plat du jour. Some of the more critical security aspects are: consistency, enforcement, education, and exercising choice.
The end user is often just told to “trust.”Trust that their cloud environment is safe, trust that it is private, and trust that their infrastructure is being maintained. To make things worse, the parts of what makes up a larger cloud are also often opaque (or “cloudy”) – again, end users are just told to trust that it just works. So, consistency is a concern.
There are also a lot of potential weak points in processes, people and parts (that “3P” approach) that can be exploited. As a result, software and hardware, physical security systems and counter measures aren’t the only concerns. Process gaps are also big concerns. And people tend to be some of the biggest weak points. Solid processes and systems can be completely nullified by human negligence or malice.
Compounding this all is a lack of well accepted standards and governance that creates a disincentive for non-compliance.
In other words, there is no punishing the non-compliant.We have the likes of ISO and SOC standards but the audit process and governance standards are not on par with the threats, nor do they thoroughly assess the systems on the whole.
Today, anyone can call themselves a cloud provider, and it’s so shockingly easy to integrate into other clouds to make bigger and “better” types of clouds.
The more connections, the greater the liability.But, bigger can be more unwieldy. To protect end users best interests, they must ask tough questions to easily recognize the cloud providers that do not comply. Otherwise the alternative is to simply take what’s given and put your business in jeopardy.
The benefits of the end user service often make end users overlook the need to ask hard questions and educate themselves. Our own clients are regularly encouraged to do this as well. Security by obscurity isn’t effective. Any provider should let you know their security posture and how they think and link.
If this sounds bleak, you’re right — in a way it is. Just look at the close analog issue of privacy. Why is enforcing privacy standards hard? It also takes consumers to put their foot down and force our industry to change.
Sometimes it’s better to stay simple, transparent, and smaller.
About the Author
Akshay Kalle is the CTO for the Pathway Group of Companies (pathcom.com), tasked with leading its infrastructure growth and innovation efforts. An “intrepreneur” at heart, he is a specialist in machine learning and big data and directs the firm’s innovation lab. A holder of multiple graduate degrees in computer science and mathematics, Akshay has carved out a name for himself in the area of applied machine learning. His accomplishments have included AI-driven email filters, smart OSS and monitoring systems, and predictive analytics tools used for finance and personal health, used by large carriers and international Fortune 500 firms. A second generation businessman, he aims to uphold Pathway’s brand virtues of ethical conduct, openness and relevance. When he’s not working, Akshay can be seen running, even when it’s -20 outside. Akshay can be reached at akshay.kalle [at] pathcom [dot]com.
Share this post on…