By Larry Biagini, Chief technology evangelist at Zscaler

Cloud-centric computing is inevitable, so you need to face your concerns and be realistic about risks.

After more than 35 years running IT for large enterprises, I’ve lived through various IT technology shifts: mainframe, client/server, RISC, CISC, etc. But early on in the development of the cloud, I recognised that the shift to becoming a cloud-enabled business is different.

In enterprise IT, cloud security remains a topic of contention. Many IT and security leaders fear that a move to the cloud could cause problems, such as losing control of sensitive data. While concerns about risk are understandable and need to be addressed, they’re often misplaced.

It’s time businesses are honest with themselves about in-house capabilities before dismissing security in the cloud. Traditional enterprise security is based on perimeter controls — a model that was designed for a world where all data, users, devices, and applications operated within the perimeter and within the security controls. But as today’s users blur the lines between activity inside and outside the perimeter, that model falls short because the perimeter is too big. I’d even say that in any mid- to large-size enterprise, there are more devices, users, and entry/exit points than the company knows about.

Cloud-centric computing is inevitable because of the network, not your network, is just a conduit to allow access from trusted requestors to trusted resources. You will provide resources to those that you trust, when they need them and where they need them. The perimeter that will need protecting will be very small and contain services and properties that are critical to your business but not users. Users consume resources but are never on the cloud provider’s core network. If they were, their perimeter could not be protected. As you evaluate security in the cloud, be realistic about the risks because deferring the transition to cloud services is itself a risky proposition.

Businesses already rely on the cloud


What kinds of companies are leveraging the cloud today? Yours, for one. Even if you don’t officially sanction any cloud services or applications, your employees are using them. So are your customers, suppliers, and business partners. Services that support file sharing, online collaboration, storage, and other daily activities are all hosted in the cloud. There’s no getting around the fact that data is already being generated and shared there; business transactions are also happening, and new business models are emerging.

The primary drivers for cloud adoption are speed, agility, and cost containment. For me, speed is the new currency. Business won’t wait for anyone or anything, and IT is no exception. Because of lingering security concerns around control and reconfiguration, many businesses still rely on the private cloud model or use a hybrid approach that retains mission-critical data and applications on-premises. This is necessary in some cases, but not in most. If you allow the some to become the all, you’ll be missing the train, and your business will leave the station without you. For many, it already has.

Cloud security providers are similarly able to identify and patch threatsClick To Tweet

In the cloud, software providers can immediately update or upgrade customers. Cloud security providers are similarly able to identify and patch threats and vulnerabilities across thousands of companies at record speed, thanks to the benefit of multitenant cloud architectures.

Financial institutions, for example, will want to maintain their “crown jewel” applications in their own data centre, but when it comes to new applications, building infrastructure to maintain a Web application or mobile application simply makes no sense. Companies such as Betterment and Kabbage are using financial technology to push the limits on traditional banking, leveraging a user interface that appeals to the customer and allows those businesses to operate without the huge infrastructure of traditional finance organisations.

Plan for the journey


As you begin your journey, enlist the help of public cloud and software-as-a-service providers. Learn how they think and operate. Check the “us vs them” attitude at the door and be realistic about your capabilities. Their reputations rely on their ability to execute and to do it securely. There’s a reason the National Security Agency, for example, turned to Amazon Web Services to build the NSA cloud — instead of attempting it on its own.

It’s OK to learn as you go. Many organisations have approached the move to the cloud as they would any major IT transition. They analysed it and tried to glean as much as they could about the cloud and how it’s provisioned, managed, and secured. That’s not all bad, but the traditional vetting and risk processes slowed them down. Ultimately, the lesson learned has been: just do it. Don’t let outdated notions around security stand in your way to modernise.

So, start with taking your low-risk apps — you probably have hundreds — into the cloud. As you take that first step, you’ll begin to see dividends in production, efficiency, and cost, and they will only increase over time.

The cloud makes you more secure


Once you get past the initial holdups, the cloud opens a massive opportunity to keep your users, applications, and data safe, thanks to the benefits of shared threat protection. You will need to hire talent that eats, sleeps, and breathes cloud to supplement your current workforce, but you will no longer be locked in competition for infrastructure, networking, and security talent with the likes of Amazon, Microsoft, or Google.

You don’t have to make the entire jump at once. You can merge cloud services and applications into your existing infrastructure, chipping away at the legacy stack a little at a time. Trust those who understand the cloud, and hire people who know how to secure and take advantage of it; a few key people can have a multiplier effect. Just ensure that they are apprised of the future strategy of your business — it’s a joint growing process. In the end, it’s all about trust.