Cloud Security: 7 Dealbreakers for the Enterprise CSO

Security concerns, according to a 2013 survey by 451 Research, remain the most significant pain point for cloud implementations, cited by 30% of respondents – 12 percentage points ahead of the next most cited concern.

If the Cloud remains misty to CSOs tasked with maintaining predictability and minimizing exposure, it poses a significant and sometimes intolerable business risk. What they need to realize is that the Enterprise Cloud, when it lives in a manufactured, modular, standardized software-defined data center (SDDC), can be more secure, predictable and safe than the cardboard-box approach. According to Forrester analyst James Staten, “If you’re resisting the cloud because of security concerns, you’re running out of excuses.”

Many CSOs see themselves in the backseat of Cloud migrations, which often are viewed as a CIO-driven effort to avoid capital expenses associated with increased IT capacity. But in fact, the CSO stands to substantially improve predictability and mitigate risk if the Enterprise Cloud is specifically engineered to address the visibility, control, and privacy requirements of large, sophisticated consumers of data center capacity. To realize that, the CSO must make certain demands of the Enterprise Cloud. Here are seven that should be considered table stakes:

CSO Dealbreakers: 7 requirements to insist upon in Enterprise Cloud

1. Demand that the Enterprise Cloud live in a software-defined data center – Enterprise Cloud must offer the ability to deploy globally, within world-class, 100% available and concurrently maintainable site infrastructure. For some enterprises, security regulations mandate that data be kept on the organization’s physical premises. However, that need not eliminate Cloud as an option. The modular software-defined data center platform, for example, can be deployed on premise, behind the company’s firewalls, reducing exposure to security threats and ensuring audit compliance.

2. Demand compliance with government, industry, and internal regulations – Enterprise Cloud can, and should, be configurable to govern access to compute, storage, and network resources based on corporate rules and policies. In other words, security requirements for Enterprise Cloud are not one-size-fits-all; each enterprise can define its own access rules. If access to the company’s ERP system hosted on internal servers is limited to finance managers above a certain level, access to the system in the Cloud can be restricted in the same way. When Cloud governance is configurable, it can be made compliant with the needs of the enterprise, even those in the most highly regulated industries.

3. Demand certified, secure infrastructure – When it comes to compliance, where the Cloud lives matters. To achieve the promise of predictability and risk mitigation, Enterprise Cloud must live within manufactured, standardized software-defined data center infrastructure that is Underwriters Laboratories-listed, concurrently maintainable, and PCI-compliant. The data center must have a converged security platform that provides security at the physical infrastructure layer and the logical layer.

4. Demand protection of physical/virtual environments and organizational IP from exploitation, disruption, destruction, and theft – Cyber threats are increasingly sophisticated and increasingly destructive. There are three categories of threat: exploitation, disruption, and destruction. Threats to enterprise IT can be both physical and logical. An SDDC should enable the implementation of enterprise business and policy rules that ensure the greatest protection for the highest-value assets a company owns, as well as proper logical/physical attribution of those assets anywhere, anytime. If the Cloud is hosted in a provider’s data center, enterprises should be able to choose their own module, which provides an additional layer of physical separation from other customers and dedicated environmental subsystems. In addition, because each module can run a separate application environment, enterprises can compartmentalize users, departments, and applications and configure security and resiliency accordingly.

5. Demand open architecture – The secure Enterprise Cloud should be based on an open reference architecture that is vanity-free, designed for scale, highly efficient, and low cost. Open architecture mitigates the risk that the enterprise will get locked into expensive proprietary infrastructure that reduces predictability by keeping the manufacturer in control. Furthermore, the cost-effectiveness of open Cloud architecture enables the enterprise to deploy dollars to security and other strategic investments.

6. Demand full global visibility and control – Full monitoring of, and visibility into, physical and virtual components across internal and external environments, globally, is a necessity. The enterprise should be able to drill down to a particular data center and instantly identify where an issue may exist. Furthermore, IT should also be able to automate the migration of workloads from one environment to another based on defined thresholds. With the Enterprise Cloud, data can be more visible and responsive – hence more secure – than traditional servers residing in the enterprise’s own building.

7. Demand data sovereignty support – For multinational enterprises and their complex data management ecosystem with constituents at every layer of the stack, data sovereignty and custody can pose a challenge, given that third-party data center and Cloud providers in other countries, particularly emerging markets, may have yet to develop the level of security of U.S. and European providers. What the enterprise needs is the ability to manage globally distributed IT resources through a single operating system that pinpoints what/where application workloads are being run, and by whom – down to the rack within the data center – and enables redeployment to comply with changing sovereignty requirements.

Indeed, CSOs are required to be vigilant about the security implications of migrating to the Cloud. But rather than exacerbating security risks, Enterprise Cloud actually enables greater security by starting from a secure, software-defined data center. It is incumbent upon the CSO to demand that these seven requirements of the Enterprise Cloud are met.

Adil Attlassy, Executive Leader – Global Services, IO