What do Virtualization and Cloud executives think about 2012? Find out in this VMblog.com series exclusive.

Two Predictions for Cloud Security in 2012

Contributed Article by Dave Meizlik, VP of Marketing and Business Development, Dome9

2011 saw tremendous growth in the cloud. For providers and customers alike, cloud is the new frontier of IT, and although we may struggle to efficiently manage and secure it, there’s no doubt that it’s revolutionizing the architecture of today’s enterprise.

As we look ahead to 2012, cloud adoption will rise significantly as innovators deliver countless new services and the enterprise migrates core infrastructure.  As they do, here are a few security-related predictions that should be considered for the next year:

Cloud service providers will add security services to their portfolio

Look at any poll or ask any customers and the finding is always the same: Security is the number one inhibitor to cloud adoption.  Cloud service providers know this all too well, and have done a great job at securing their infrastructures.  But that’s not enough – cloud adopters don’t just want to know the infrastructure is secure… they also want help securing their use of it.  I think of it like this: Volvo invests a lot to make sure its vehicles are safe, but Volvo can’t stop someone from driving them in an unsafe manner.  The same is true with the cloud, except that the provider never relinquishes ownership of the asset, and so the line for responsibility is blurred and customers have a heightened expectation for provider-led security.

In a recent survey by the Ponemon Institute on cloud security, 39% of IT security personnel said that they thought the cloud provider would inform them if their cloud servers were hacked.  We call those folks wishful thinkers.  Perhaps even more concerning, 42% said they wouldn’t know if their cloud server was hacked, and of those that know, 19% said they already have been.  So here we have a big gap in cloud security, a high expectation that service providers are responsible, and this issue is the top inhibitor to customer adoption.  It all adds up to one thing: service providers will offer more security services to their customers.

By offering security services (i.e., those that the customer can opt-in, deploy, and self-manage), providers will address the security issue head-on without eating into their margin or taking responsibility themselves.  In fact, by making services like encryption, firewalling, and identity management available as a premium add-on, providers will actually increase their margins, differentiate their services, and accelerate cloud adoption.  Finally, since these services will come through partnerships with third-party security companies, cloud providers will be able to get them online with relative easy, and without worrying about development and support costs.  In the end, everyone wins.

IT will increase their cloud IQ

54% of IT personnel say they have no knowledge of the risk of open firewall ports on cloud servers, according to the Ponemon Institute’s report on Managing Firewall Risks in the Cloud. Does that means that more than half of IT people don’t understand a very basic principle about their front line of defense – the firewall, that if you leave a port open you’re potentially putting your server at risk?  Well, not exactly.  IT folks absolutely know a thing or two about firewall security; they just don’t yet fully understand the dynamics of cloud infrastructure and its risk.  IT and security professionals know, for certain, there are security gaps in the cloud, but because the infrastructure is a bit ‘cloudy’ to them, they don’t know exactly where the threat/risk is.  We see this in a few of the other reports findings, where 90% of respondents perceive their cloud servers to be vulnerable or potentially at risk (i.e., they know there’s a threat), according to the Ponemon study.

Over the next year, as adoption continues to increase, users will become much more educated on the architecture and process changes that need to occur to make the cloud safe.  Fundamentally, if you’re going to change the architecture of your infrastructure, you’re going to have to make some changes to your security.  That means IT and IT security personnel are going to have to better understand the infrastructure – to raise their cloud IQ, if you will – in order to figure out how best to secure it.  One approach is for enterprises and cloud service providers to automate and centralize cloud firewall management across all servers and clouds.  This is the approach offered by Dome9, which supports clouds, virtual private servers, dedicated servers, and Amazon’s EC2 Security Groups, across all major operating systems and service providers.

###

About the Author

Formerly a director at Websense, Dave Meizlik is a seasoned marketing executive with experience developing and implementing marketing programs, go-to-market strategy, and marketing and creative communications. Dave brings more than a decade of IT industry experience and is a recognized expert in IT security. He has worked with hundreds of customers, and is an in-demand speaker at conferences.