By Kurt Roemer
Chief Security Strategist
It used to be that the use of public and hybrid clouds for corporate security was strictly forbidden. Concerns over privacy, multi-tenancy of workloads, shared third-party administrative duties and control over data sovereignty dominated any discussion of using cloud in a security context. These were very contradictory interests… and a new IT oxymoron!
My how times have changed.
These days, moving sensitive apps and data to modern clouds often provides a needed boost to security. By leveraging strong physical security, rigorous processes for infrastructure management and transparency across operations, select cloud services are enabled to handle even Top Secret classified data.
The Positives and the Negatives
Before jumping into the clouds, though, there several positives and negatives that you should balance against the often competing agendas of security, productivity and cost:
- Positive – The use of cloud services can ease the burden of infrastructure management for an already stressed IT department, freeing up valuable human capital for more strategic (and more rewarding) work.
- Negative – Because clouds are easy to consume and purchase, users and whole business units can go “direct to cloud,” completely bypassing enterprise IT. IT can regain lost control by focusing on enhancing the user experience and automating mundane tasks through workflows, including access, usage, auditing and spending authorizations.
- Positive – To further increase the value enterprise IT brings to the cloud, password management and SSO (Single Sign On) can be integrated to unburden users from managing multiple accounts and access methods. You can combine contextual policies and enterprise multi-factor credentials to strengthen access governance and control lifecycle usage of apps and data.
- Negative – An “always-on” cloud is an expensive cloud. Predicting the need for workloads and having them running only when needed enables IT to partner with the business in managing costs across cloud services.
- Positive – Application and desktop virtualization can control usage of the cloud across diverse situations. Making access and transactional decisions utilizing the 5Ws of Access (who, what, when, where and why) prescribes and automates security when users work across different devices, locations and personas. Virtualization even provides control over the ability to cut/copy/paste/save/print and migrate data when using cloud apps, such as Microsoft O365, by publishing a specifically configured browser for each usage situation.
- Negative – Clouds relinquish some control over the timing and scope of change, which may not always coincide with the organization’s calendar and usage patterns.
- Positive – Cloud SLAs specify physical security, infrastructure patches, updates and application governance that can allow providers to increase service levels while decreasing costs. This has shown especially positive for disaster recovery and business resumption use cases, as well as peak and seasonal bursting of workloads to clouds.
- Negative – Cloud usage demands high-availability and robust connectivity. Services that are associated with immediate and possibly life-impacting use cases often require offline access; and this must be factored into every application decision, including the use of clouds. Having a hybrid and multi-cloud approach to availability automates access when individual services degrade or fail.
- Positive – The cloud can keep non-strategic traffic off of networks and endpoints. So when you publish a one-time-use browser hosted in the cloud and automatically redirect social media usage, arbitrary links in email and the opening of suspect files like external PDFs, you can keep potential internet garbage from trashing your organization.
Big Data and the Cloud
And finally, the promise of analytics will deliver even deeper insights into your business with warnings and guidance for both IT and line of business owners. Machine Learning will provide a view of what the new “normal” looks like and how this baseline changes over time. And Artificial Intelligence will increasingly help us answer the crucial questions we never thought to ask. Fortunately, the cloud is uniquely positioned to orchestrate the massive amounts of processing and data required for analytics and evolve our concept of the Future of Work.
To learn how to remove oxymorons from your IT department, contact Citrix@arrow.com.
For more insights and thoughts around enterprise and cloud security, view Citrix blogs on security and our Citrix security resources.
About Kurt Roemer
As Chief Security Strategist for Citrix, Kurt Roemer leads security, compliance, risk and privacy strategies for Citrix products. Kurt is a member of the Citrix CTO and Strategy Office, and he drives ideation, innovation and technical direction for products and solutions that advance business productivity while ensuring information governance. Kurt is an information services veteran with more than 30 years experience with credentials that include the Certified Information Systems Security Professional (CISSP) designation. He also served as Commissioner for the U.S. public-sector CLOUD2 initiative and led efforts to develop the PCI Security Standards Council Virtualization Guidance Information Supplement while serving on the Board of Advisors.
Last modified: May 3, 2019