I recently sat on a panel discussing security in the cloud for the Queensland state government. The audience was a mix of IT managers, Information officers and vendor/procurement managers. The Queensland government in Australia is leading the way with a cloud-first approach, and in the lead-up to our hosting the G20 summit in November, security and IT systems are a hot topic.
The question was posed to the panel: “Whose responsibility is security in the public cloud?” I jumped in with the first response and immediately took the operational viewpoint, espousing the virtues of the shared responsibility model (we cover this in a few different cloud posts on this blog). In short, when using IaaS, the cloud service provider sets up a secure infrastructure, and you as the IT manager are responsible for the applications, data, operating system and access privileges, etc.
In this way, some of the day-to-day responsibility is shifted from your shoulders and onto the service provider; removing the undifferentiated heavy lifting from your operations team can lead to more productive use of your time and resources.
However, I was quickly reminded by a fellow panelist, himself the director of technology and infrastructure at a government department, that as far as the government (and a corporation for that matter) is concerned, the responsibility for ensuring their systems and data are secure is still 100 percent his. After all, if something goes wrong and a system is hacked, if PII is lost, if a site is defaced or a service is offline, then it’s his neck on the chopping block – that part is not a shared responsibility.
I thought to myself, “my gosh, he’s right!” Far too often, we get bogged down in the day-to-day operations of security, and we miss the opportunity to step back and see the bigger picture. The decision to move assets and systems into the cloud is one facing many business owners and infrastructure owners today, and it’s their job on the line if something goes wrong. They need to be certain they can trust the systems and tools they choose.
Luckily, for those facing the decision, there are plenty of resources to help you feel more comfortable. You can start with the security information from leading IaaS providers like:
Amazon Web Services (AWS) – Security Center http://aws.amazon.com/security/
Microsoft Azure – Trust Centre http://azure.microsoft.com/en-us/support/trust-center/
… and then move on to the array of tools on the market that can help you take control of the operational aspects on your side of the shared responsibility ledger. Finally, you can talk to your peers and your IT partners – there are plenty who have already made the transition and have done so securely and successfully.
Trend Micro provides software and services that help you protect your valuable data and systems in the cloud, and the cloud service provider can provide secure infrastructure that you build upon. But at the end of the day, it’s important for us all to remember that it’s your job to oversee your IT infrastructure and to choose the right partners, procedures and tools to meet your objectives.
Whenever you’re ready to make the move to the cloud, we’ll be ready to help.