First, cloud security is almost exactly like your internal security. The security tools you use every day are the same tools that will be used to protect your data in the cloud. The one difference is that the cloud is a multi-tenant environment with more than one company sharing the same cloud service provider.
'Any organization that says it has never had a security incident or data leak is being deceptive or is unaware of the incidents that it has had.'
Second, security issues involving the cloud can all be addressed using your current security tools. Security needs should be carefully considered. But they shouldn't be viewed as a hindrance if you are considering a move to the cloud. The commodity nature of IT will, over time, require that you move some of your technologies to the cloud to remain financially competitive. So you should begin addressing your security issues now and get ready for the move.
Third, if you select a quality cloud services provider, your security in the cloud will be as good as, or better, than your current security in most cases. Typically, the level of security you get will be designed to meet the needs of the most risky client in the cloud.
IT: Internal or External?
Before addressing the issue of security in the cloud, it may help to address another question first. And that question is not whether to move IT into the cloud, but what should move there. Consider commodities, for example. When businesses started taking advantage of IT, the first organizations to computerize their business processes had significant gains over their competitors. As the IT field matured, the initial competitive benefits of computerization fell. Computerization then became a requirement just to stay on a level playing field. In essence, there is an increasing amount of IT that operates as a commodity.
For example, a paper products company needs a certain amount of unique IT to run its business and make it competitive. But it also runs a huge amount of commodity IT. The commodity technology takes time, money, people and energy away from their business of producing quality paper products at a competitive price. Cloud computing allows companies to offload these commodity technologies and free up resources and time to focus on the core business.
To help you determine what parts of your IT can be moved externally, your first tool is the commodity IT analysis form. This can help you list out all of the functions that your IT organization performs and determine if you think this activity is a commodity or not. Using the fictional paper products producer as an example, eight current IT functions could be considered commodities. Of those, six of them could easily be moved to a cloud provider.
Internal IT Security
The greatest challenge internal IT faces is a perception by some that it no longer helps businesses differentiate themselves from competitors. This devaluing of IT means that many organizations fail to adequately fund required budgets to operate a first-class IT infrastructure. Add to this the increasing number of security mandates from external and internal sources, and IT can't always fund and operate the in the manner required.
The next problem involves specialization and its effect on business function. Businesses exist as specialized entities. An automotive manufacturer, for example, avoids starting a food production business even though it could feed its employees. Why? For an automotive company, producing food products is not the core business. When you look at funding and maintaining a non-core part of the business, it becomes apparent why IT faces a problem.
For the automotive manufacturer, it is unlikely that its IT department will be as successful as its manufacturing business because it is not its core business. Conversely, a business that has IT as its only product line, or service, should be more successful at providing first-class IT. So, if an automobile manufacturing company is not going to operate a best-in-class IT business, why would we expect its security to be as good as the best-in-class IT company? A company that does IT as its business has a much better chance of securing your data. The quality of its product, and its market success, stands on the effectiveness of its security.