Wavestone US

Despite security concerns, the mass migration of IT services to the cloud is an inevitable macro-trend. The value proposition is just too compelling: cloud computing is evolving into a utility.

If anything, the recent Edward Snowden saga only goes to show that regardless of tools, technology, policies and procedures, your security measures can only be as good as the people you employ to follow or enforce them.

So what message does that translate into for enterprises already worrying about security in the cloud?  Observations: 

  • Private clouds are not necessarily more secure than public clouds (e.g., Amazon). Private clouds are only as secure as the people and processes supporting them.
  • A common approach to improving security is to virtualize security controls, but that in turn adds another layer of abstraction to a key component of the overall cloud environment.  More abstraction means less visibility.  Thus the underlying trust relationship with the provider is key.
  • Now that cloud providers have become responsible for much of the security apparatus, cloud customers should take it upon themselves to check the qualifications of the cloud providers’ security personnel – their architects, coders, operators and policy makers. The practice of “trust but verify” should apply to the vendor’s people as well as to their processes and technologies.
  • The vendor’s personnel with administrative access to the customer’s assets are a key subset that demands scrutiny for security reasons. Cloud has introduced this new tier of privileged users whose oversight and even hiring should be monitored as if they were in-house personnel.
  • Another common approach to enhancing security is to ask the cloud provider to contribute more to security monitoring processes and to make SIEM (Security Information and Event Management) data more available. But that still means the customer should inquire about the provider’s handling of the logging and execution of their monitoring processes.
  • At the very front end of the provisioning process, risk prevention means careful screening of workloads before deciding whether they are appropriate for migration to the cloud (mission-critical or sensitive data workloads demand more isolation). But isolation can never substitute for people’s compliance. So it still boils down to the people.
  • Finally, self-provisioning means governance and training are critical before the end users are empowered and set loose to decide for themselves or to gain access to the cloud.

While technology is a very important component, managing the people component is just as, if not more, vital to security.

To learn more about what Wavestone US can do for your company, visit http://www.wavestone.us/capabilities/.
