Embed Size (px)
DESCRIPTION
Citation preview
Market Pulse
“It’s possible to do as good a job securing the cloud
as the local infrastructure, but it is more likely that
someone else has better economies of scale and
the specialization needed to help do it better than
you ever could,” says Chris Shull, director of informa-
tion technology for the Jewish Federation of Greater
Philadelphia.
IDG Research Services recently conducted an online
survey of 122 business and technology leaders across
a range of industries to gain a better understanding of
cloud security trends. Among its conclusions:
n Security for the cloud is a concern, but it is not as
troubling as other data threats.
n Nearly half of those surveyed use or plan to use
a hybrid approach to managing security for cloud
environments.
n A number of technologies are being deployed to ad-
dress security concerns, including integrating the exist-
ing security infrastructure into cloud environments.
Embracing the Cloud IT service models are evolving at record speed, though
none faster than cloud computing. CIOs everywhere
say they are considering the merits of the cloud com-
pared to traditional on-premise delivery. Specifically,
they say, cloud models enable enterprises to leverage
third-party expertise and more attractive economics,
while on-premise services offer greater control.
It leaders cite benefits, downplay security as they move applications to the cloud.Will security worries be the undoing of cloud adoption? Not likely, given other,
more pressing threats like device theft, mobility and IT consumerization. And with
new technologies able to mitigate the real and perceived risks inherent in hybrid
clouds—the combination of internal and external services—IT leaders say they
see opportunities to up the ante on security for greater end-to-end protection.
reaching for the Cloud
With advantages to both approaches, a hybrid cloud
strategy is increasingly becoming the preferred option.
In fact, 47 percent of those surveyed by IDG are using
at least one application and/or a portion of their com-
puting infrastructure via a hybrid cloud model, while
another 53 percent plan to do so in the future.
Those users confidently point to the top-line gains
from hybrid cloud deployment, including greater
market flexibility, improved business continuity and
innovation, superior customer service, a stronger
competitive edge and expanded revenue opportunities.
They also cite bottom-line efficiencies such as reduced
resource waste and savings on the CapEx front (see
figure 1).“My executives are thrilled to have more
features and capabilities, greater accessibility and bet-
ter security, all at a fraction of any reasonable cost one
could put on in-house systems,” Shull says.
Still, many IT professionals are reluctant to relinquish
management responsibility to outside parties. “Hybrid
cloud implementations effectively straddle internal and
public infrastructures, and can introduce complexi-
ties,” says Martin Capurro, director of Applications and
WP101366 12/10
Market Pulse
2
Infrastructure Solutions for Qwest, a network services
provider based in Denver. Working with two separate
infrastructures, CIOs must coordinate efforts, commu-
nicate and even share data with their cloud provider.
What’s more, today’s fluid perimeter—pocked with
mobile devices and social networking sites—becomes
harder to monitor in a hybrid environment.
Sorting Out Security Those issues eventually give way to the nagging
security concerns in the cloud, the greatest of which
is the protection of sensitive data. Survey respondents
are most focused on preventing data leaks, setting and
maintaining security policies, managing data access,
preventing intrusions and maintaining compliance (see
figure 2). And those risks can be compounded by a
dual environment. “A threat in one environment could
permeate the other,” explains Troy Herrera, enterprise
marketing director for Juniper Networks, a network
infrastructure provider based in Sunnyvale, Calif. A
hacker who gains access to a cloud application, for ex-
ample, could make his way into the enterprise network,
while an error in access control rights on the corporate
network could affect cloud application security.
Yet the security of the cloud does not appear to be
as pressing as other threats, with only 49 percent of
survey respondents considering cloud
security to be a significant risk. Seventy-
five percent consider lost or stolen devices
to be a significant security risk, 65 percent
fret about IT consumerization, and 56
percent worry about mobility.
All said, only 40 percent of the technol-
ogy and business leaders surveyed are
extremely or very confident that their
security infrastructure is prepared to pro-
tect data in the cloud. And that has them
weighing their cloud security options: Is it
better to own all aspects of security or to
outsource the whole function? On-premise
implementations offer a single security au-
thority, more control over data protection,
full visibility into one’s risk and compliance
posture, and less complexity. Managed services, on the
other hand, release CIOs from the financial and man-
agement burden of in-house solutions while enabling
them to leverage the security resources and expertise
of a third party.
“In biology, hybrids are often bred to gain the best
features of multiple breeds,” Shull says. “So is the ad-
vantage of combining multiple technologies to ensure
better security.” Some 45 percent of the survey respon-
dents agree, indicating they prefer a hybrid or mixed
approach to cloud security. With a mixed security
model, CIOs can maximize the advantages of managed
security services while maintaining control over their
critical data protection strategy.
Outsourcing to a third party can also be an afford-
able way to add security capabilities when budgets
are tight. Of course, there may be challenges in terms
of visibility and the ability to enforce security; but,
by working together holistically, communicating, col-
laborating and sharing reports, the internal-external
partnership can prove very beneficial.
Integrating Internal with External “A service provider can complement what you’re doing
and even enhance protection,” Herrera explains. “The
Benefits of a Hybrid Cloud Approach
Source: IDG Research, October 2010
Greater flexibility to react to changing market conditions
Reducing resource waste
Enabling business continuity
Savings on CAPEX
Enabling innovation
Improving customer support or services
Gaining a competitive/ information edge
Expanding revenue opportunities
Other
Don’t know
51%
48%
47%
43%
37%
34%
25%
19%
8%
3%
Market Pulse
3
to extend the network into the cloud.” Of
course, the networking component is still
evolving. Today, it’s all Internet-based, but
eventually the cloud will be delivered on
different fabrics, such as Ethernet. That
will enable technology leaders to create,
deploy and manage their infrastructure as
they have in the past, and thus maintain
the desired level of security, performance
and control over operations.
It’s equally important to establish process
integration. Setting up procedures by
which partners can share reports and
logs is critical, as is agreeing to common
escalation procedures, security policies
and compliance milestones.
Still, some level of separation can be advantageous:
“Keeping the multiple parts of our hybrid and multilay-
ered defenses disconnected adds important indepen-
dence and resiliency to them,” Shull says.
Investing Wisely As for specific technology integrations, CIOs have
zeroed in on the most pressing hybrid cloud security
concerns. Most respondents—about 80 percent—say
they have already implemented anti-virus, spyware,
spam filters and VPN technology. Web filtering, intru-
sion detection, network access control and firewalls
are nearly as popular (see figure 3). “These core tech-
nologies have been part of IT for a while,” Herrera says.
“Now CIOs need to focus on upgrades to accommodate
the changing environment and performance shift that
come with cloud infrastructure.”
New technology investments are critical as infra-
structure becomes more complex. The top priority for
50 percent of respondents going forward is security
incident and event management (SIEM), which offers
crucial visibility into event anomalies and provides a
centralized portal in which to view logs. Data loss pre-
vention and identity and access management (IAM)—
which can work in conjunction with one’s NAC solution
to protect data and enhance access control—were also
key is to implement the proper security measures with
the goal of achieving end-to-end security, and to be
cognizant not to weaken security along the way.”
One of the IDG survey respondents concurs, advis-
ing that CIOs “start by extending existing capabilities
into the cloud.” Security has long been integral to
internal infrastructure, and those investments should
be expanded into the cloud. Some 82 percent of
respondents agree, saying interoperability with existing
security solutions is very important.
Many security solutions can work together, whether
on-premise or in the cloud, Herrera adds. For example,
an in-house network access control solution can
identify users by communicating with an outsourced
VPN. A Web services application secured in the cloud
could store underlying data in an internal SAN. And a
service provider offering can federate with the internal
environment to protect and enforce identities. CIOs
just need to coordinate with their vendors to ensure
interoperability.
Part of that process, Capurro suggests, involves inte-
grating core infrastructure elements with the cloud
environment—including the network. In fact, one
respondent cautions technology leaders to “make sure
that the hosting provider has a clear strategy for how
Cloud Security Concerns
Source: IDG Research, October 2010
Preventing data leaks
Setting and maintaining security policies
Managing access to data
Detecting/prevent intrusion
Keeping compliant with data retention laws and regulations
Encrypting data
Backup and recovery
Detecting/prevent viruses and spam
Managing patches
61%
56%
54%
52%
52%
49%
49%
48%
36%
Market Pulse
4
cited as likely investments in the coming year.
Capurro believes IT professionals should put more
stock in service level agreements as well. Cloud envi-
ronments must provide not just scale and flexibility, but
also performance assurance, including speed and avail-
ability. Application performance management solutions
can supplement those agreements and give CIOs the
visibility they need to monitor platform performance.
Provisions must be made for data portability in terms
of moving and retrieving data.
The Bottom Line Since moving certain critical business applications,
including e-mail, to the cloud, Shull says he is “enjoying
better security” than he could provide in-house. The
IDG survey respondents already using cloud services
agree: They expect hybrid cloud implementations to
enhance security through improved service perfor-
mance, 24/7 support, higher levels of expertise, a reduc-
tion in dedicated security staff resources and lower
security management costs.
So can CIOs really trust the cloud with their most criti-
cal data? “Absolutely,” Herrera says. “You just have to
be smart in its management.” So go ahead and reach
for that cloud—and its silver lining.
About Juniper Networks
Juniper Networks is in the business of network innova-
tion. From devices to data centers and consumers to
cloud providers, Juniper Networks delivers the software,
silicon and systems that secure infrastructure and trans-
form the economics of networking. For more informa-
tion, visit (www.juniper.net).
About Qwest
Building on unparalleled network services, Qwest helps
businesses leverage existing and emerging technology.
In addition to services utilizing over 173,000 network
miles, Qwest has technology and expertise that extends
to broader applications and technologies. For more
information, visit (http://www.qwest.com/business/
solutions/why-qwest/list.html
The right approach to securing a hybrid cloud
infrastructure can quickly dispel any lingering
doubts about data protection. Some of the IDG
survey respondents offer the following advice:
Do the proper planning. “Understand your
company’s current needs as well as those for
the next five to 10 years. That will save you
time and effort as well as money,” says one
respondent. CIOs are advised to take their time
and think holistically. Others suggest engaging
in a third-party security audit, site inspec-
tions, penetration testing and piloting before
deploying any solution. And always read the
fine print, they say, especially in service level
agreements.
Shop for the right partner. “The cloud is as dan-
gerous as posting your data to Facebook if you
have not done a security review of the cloud
vendor,” warns one respondent. CIOs should
make sure they know who they are dealing
with. Understand not just the vendor’s security
practices and infrastructure capabilities but
also their long-term plans and financials.
Partners should be well rounded, with multiple
offerings and expertise in transport as well as
security products.
Choose solutions carefully. “Use only trusted
solutions,” advises a respondent. When it
comes to infrastructure, CIOs must evaluate
an offering’s scalability and performance.
Establish a “trust zone” for data protection,
and inspect data center facilities. Technology
solutions should be geared toward longevity—
consider open-standards approaches to
ensure interoperability with new technolo-
gies. Look for manageability and operational
simplicity. And whenever possible, strive to
consolidate multiple security solutions onto a
single platform.
A Few Words from Your Peers
