'But is it secure?' is invariably the first question I'm asked by CISOs in relation to cloud solutions and services.
Organisations new to the cloud say security is their number one concern, and many perceive it as a significant barrier to adoption.
While that's a valid concern, the question cannot be answered as simply as it can be asked. As with asking a car salesman 'is this car safe?', the answer depends on numerous design decisions and on a process of balancing performance, security and structure; a car designed for the race track is perhaps not going to be as safe as a car designed for the school run.
In the same way, different types of cloud solutions have different characteristics and requirements: notably interoperability, data security, governance and cost. Processing sensitive or business-critical data outside the enterprise introduces a level of risk because any outsourced service bypasses an organisation's in-house security controls and puts security into the hands of a third party, while the organisation retains responsibility for that data's integrity.
At the same time, a cloud's characteristics can make it even more secure than traditionally implemented solutions.
In terms of bullet-proof security, a private cloud that is tailored to a single organisation and hosted on an accredited secure server with robust administrator control and supervision cannot be beaten.
However, the need for dedicated infrastructure makes this model significantly more costly than the others, and it lacks the flexibility and economies of scale that attract organisations to the public cloud.
Returning briefly to our car analogy, while a rally driver may need a fast car to win races, it's unlikely he'll take his children to school in the morning using the same vehicle. Being able to choose different cloud models to perform different roles is paramount to ensuring that when a CEO asks 'but is it secure?', the answer can be 'yes, it is secure enough'.
This is where the hybrid cloud comes in: it is a composition of cloud models (private, community or public) offering the benefits of multiple deployment models. As a simple example of hybrid's use, a government organisation's email systems are unlikely to be hosted anywhere other than a highly secure private cloud, but that organisation's public-facing website containing non-sensitive information can be hosted cost-effectively on a public cloud server.
As with most forms of information security, the decisions that need to be made here boil down to effective risk management; and the type of cloud chosen has the biggest single impact on the level of risk and its manageability.
CISOs must assess the importance of the data they intend to move to the cloud, compartmentalising their cloud infrastructure and applications to apply the right controls in the right places and help contain the impact of possible security incidents.
However, the hybrid cloud's most impressive benefits come from the seamless linking of different models through sophisticated orchestration of cloud provisioning, management and integration. For example, organisations using largely private cloud services can 'burst' non-sensitive processing workloads to a public cloud to meet peak or highly elastic workloads. Or, they can split a workload across a global public cloud and a country-specific public cloud, depending on which elements of an application are publicly facing or involve the processing of customer data.
In future, we may even have models in which the cloud applications themselves are provided with individual embedded security policies, enabling the tracking of data across cloud software components. By understanding which components are exposed to sensitive data in a multi-tenanted hybrid cloud environment, the application can constrain and potentially avoid security problems by isolating those components.
Even the most apprehensive users of the hybrid cloud have found that this model offers an unexpected level of flexibility in balancing cost, performance and security. Through careful risk management in terms of where data is placed, security is no longer a source of worry or apprehension; it has simply become another consideration in their risk management strategies and processes.
Their experience informs future decisions about moving other services into (or sourcing them from) cloud environments, in turn helping them make ever further strides along their cloud path.
David Robinson is chief security officer at Fujitsu UK and Ireland