Concord's resident security expert Scott Ammon shares his tips for the wisest use of your dollars.
The Cloud Security Myth
There’s this persistent myth around the cloud that it’s less expensive to secure, but the truth is your cost will largely depend on the amount of control and visibility you desire. When you move data into a cloud service offering, you gain access to a “one-size-fits-all” solution. In some cases, that might do the trick, but in most mature organizations you need to determine how much control you’re willing to give up. You can have full control and transparency if you’re willing to spend the money.
In fact, there are a lot of reasons why security gets more expensive when you move to the cloud. There’s less ability to monitor and manage your data or even really understand where it’s located. Your data can be all over the world, which increases privacy and compliance risk, if not executed properly. It all comes down to total cost of ownership – if you’re willing to invest in security up front and take the time to design it properly, you’ll be better off in the long-term.
The current maturity level of your organization’s security program will dictate your cloud security maturity. A lot of people think that by moving to the cloud they can improve their overall security maturity, because it’s a new environment and you get a “fresh start.” The problem is, if you are starting out with a low-maturity security program, you’ll have the same problems in a cloud environment – or worse yet – you’ll have two separate security profiles, which is more complex and expensive to manage.
Boiling the Ocean
You can never control the threats, but you can minimize your exposure to those threats by having integrated design teams create your cloud environment and by developing both a transition plan and a long-term run plan. The pain of moving to a new environment is real. A transition plan will help you through that process, with the understanding that it is not the top-level security maturity you need long-term. Once you’ve made the leap, you can upgrade from the bare minimum and start implementing the long-term plan. The most important advice I can give is to work in stages – don’t try to boil the ocean, but take small steps toward your ultimate security program goals.