Cloud may now seem like part of the furniture in many parts of end users' IT estates, but there are still misconceptions and misnomers that often obstruct channel players that deliver security from the cloud. We put five of the biggest to the test.
Credit: j_ridley2000/CC BY-SA 2.0
Nowadays, cloud computing's adopters and advocates include governments and the world's biggest businesses, and the technology is also routinely and happily used by consumers in their daily lives.
It is tempting to believe that cloud has definitively won both the territorial and ideological battles that, just a few years ago, still raged fiercely.
But the truth is that doubts and misconceptions persist - nowhere more so than in the security space, where some familiar stumbling blocks to cloud remain in place.
Most companies now think nothing of moving their most widely used commodity productivity and communications tools into the cloud. However, when it comes to deploying technology to protect their organisation from the ever-growing array of threats they face each day, many enterprises still baulk at the idea of using a cloud-based solution.
The reasons for such reticence will be familiar to many -- they are exactly the same arguments that, when applied to other parts of an end user's IT estate, cloud providers have already succeeded in taking apart.
They are, essentially, myths. And all myths can be successfully busted if they are brought out into the light and subjected to a little scrutiny.
So, let's don our hard hats and goggles and put to the test the five biggest myths that still dog the cloud security space.
1. Making the switch is complex
Many end users are put off by the misconception that adopting cloud security is inherently more complicated than keeping everything on-premise - particularly if they are moving towards a hybrid environment. The assumption is that melding two different styles of provision must, necessarily, be a trickier proposition than sticking with legacy across the board.
The truth is that customer IT environments have never been anything other than a challenging mix of different technologies - which is why they have always required the expertise of vendor-neutral integrators. Those integrators can stitch cloud into the mix of their client's security estate just as seamlessly as they have been doing with competing manufacturers' software and hardware for decades.
Richard Archdeacon, advisory chief information security officer (CISO) at unified-access security specialist Duo Security, has this advice: "The first step is to clearly map out what services are provided by the cloud provider and relate them back to your overall security capability. This will not only ensure that there are no gaps, but will start to identify where any links need to be built, such as the provision of logs for monitoring or forensic analysis."
2. It's all or nothing
The initial cloud marketing missionary zeal purported the idea that ‘going cloud' required a completely new belief system and way of life - not to mention a total renunciation of their legacy sins of the past.
There is now more than enough evidence to demonstrate that cloud can be implemented gradually and pragmatically. Many begin their journey towards the cloud with core commodity applications offering productivity or communications tools. Some stop there, others travel much further, and a very few go all the way to what one big-name cloud vendor once termed "100% web."
Cloud security can be a starting point, a staging post, or a final destination.
3. It will cost more in the end
Cloud security - and, indeed, all forms of cloud computing - often suffer from the preconception that paying for something upfront will be a better deal than doing so in stages.
But in the case of IT, opting for the initial expense of on-premise technology is not simply a case of finding the money for a one-off payment - whereas cloud could deliver unexpected advantages.
"Perhaps the greatest benefit is time to deployment and usage," said Archdeacon. "The relative speed with which a solution can be implemented, and the enterprise risk reduced, will be an important decision factor for any CISO."
Legacy technology, meanwhile, requires significant additional resources - both time and money - to be dedicated to installation and integration. And, even when the kit has been deployed, there is the ongoing cost of maintenance. The need to keep pace with the upgrade cycles that roll around every few years is especially important in the security space where defences need to move and evolve in line with a constantly shifting threat landscape.
4. You have to relinquish control
Many IT decision makers persist in a belief that moving from on-premise to cloud security means giving up control and allowing an unseen external party to take the reins.
But cloud actually offers a greater level of autonomy than on-premise security ever has.
Companies that use cloud solutions can scale them up and down as required, as well as adding new services and tools along the way - which could be crucial when the threats they face are constantly moving, changing, growing, and multiplying. This is in stark contrast to the legacy world, in which customers are likely to be constrained by upfront cost commitments and inflexible long-term licensing contracts.
Working with a cloud provider can also allow internal security teams to operate much more strategically.
Archdeacon said: "I remember speaking to one CIO who had been asked if they feared losing control. The response was simple: the service offered by the cloud provider was more comprehensive and consistent than they could achieve with an overstretched security team. This meant that the scarce resources could now be deployed on understanding the security business requirement more fully, and thus providing much better security than before."
5. It's just not safe
Perhaps the most damaging misconception about cloud security is that it is not as safe as its on-premise counterpart.
For some, the idea seems to be that IT security is a bit like a bodyguard - who, to fulfil their duties, need to be located right alongside the person or place they are protecting.
But simply keeping something close at hand does not mean it is any safer. Locking something up in your shed is, on balance, probably not quite as secure as stowing it away in a bank vault.
Most organisations in the public and private sector only have a couple of in-house IT security experts - at most. Entrusting those few, overworked employees with sole responsibility for protecting vast amounts of sensitive data across the entire organisation is a tall order.
Cloud security, on the other hand, is built, provided, and managed by dedicated experts from companies who specialise in nothing but protecting people's assets.
Which model would you trust - or are you already delivering security from the cloud? Join Duo at their EMEA Partner Kick-Off on Thursday 20 September and find out more about unified-access security delivered from the cloud.
Click here to join Duo at their partner kick off.