With the exception of the iPhone ‘S’ versions, The Cloud is perhaps the most irritating concept of the last decade. It is the definitive re-branding of an existing service in order to drive new business in an era of doubt and uncertainty.
Security issues have become far more mainstream over the last few years, and lawmakers in every country are struggling to keep up with the demands for better protection of personal data. So what we have now are hundreds of companies providing cybersecurity services ‘In the Cloud’, as though this is something new, and a must-have for all organisations.
Breaking it down into its simplest terms, services in the cloud are services provided over the Internet. Haven’t we had this for quite literally decades? Why is the service to manage your firewalls suddenly a Cloud service? What’s wrong with simply calling it an MSS?
There are really only two valid ‘Cloud’ services:
1. Access to applications or resources you don’t have, and;
2. Distribution of functionality.
Everything else you do ‘In the Cloud’ is simply outsourcing, which is a perfectly valid, and often the best, option.
Like everything else in security, never buy anything based on a perceived need, on what is the latest-and-greatest, and especially not on a compelling sales pitch. All capital expenditure and moves toward outsourcing start with a business need, not external influences. This includes compliance with regulatory standards.
You don’t need Cloud per se, you need a business process made cheaper, more efficient, or more competitive. HOW you get that done MAY include Cloud-esque services, but that will be determined by your Risk Assessment. Not by your CEO who read an article on his/her way to work, and certainly not by the fear of not having the latest toy.
Cloud services also add a layer of complexity that will generally be missing from most bespoke managed services: shared resources across multiple clients. Who has access to your data? How is your data kept separate from everyone else’s? Because Cloud is a relatively new phenomenon, SLAs and contract language have yet to catch up, so vendor due diligence takes on additional import.
In terms of providing a platform expertise that you don’t possess, or an operational resilience you simply can’t afford, Cloud may be an option. That said, you had best be sure your ‘Cloud’ provider has designed their service from the ground up, rather than simply adjusted their marketing material. The latter, sadly, is by far the most prevalent.
Bottom line: do your homework, and run your needs by a security expert before taking the plunge.