The differences between cloud adoptions from one organization to another are very interesting to me. Working with a variety of businesses, I have learned that each takes its own approach to embracing cloud solutions without a 100% direct correlation between specific industries or size. This phenomena could be the result of the personality and experience of the current IT and Security leaders in place, or simply the culture of an organization who likes to do everything themselves vs. outsource capabilities. While there are obviously some similarities between cloud acceptance and organization type, corporate culture seems to be the larger variable in play for the adoption of cloud.
Cloud Information Security Cultural Transition
This cloud culture seems to apply to any cloud solution decision, whether IaaS, PaaS or SaaS. Organizations are either all-in with cloud, dipping their toes in the water with cloud or avoiding cloud altogether. No matter what your current culture, cultures can change over time, and I believe there is a logical transition that can occur to safely migrate to a culture of cloud acceptance. Just as CEOs can strive to change corporate culture within their organization to meet specific goals, CISOs and CIOs can evolve IT culture to help meet business goals as well. However, this should not be a forced migration because security issues as well as operational issues can occur. Both IT and Information Security capabilities need time to evolve and mature. As cloud culture evolves and matures within an organization, start with smaller initiatives and grow from there.
Successful transition to a cloud culture should follow a path that is driven by risk-based decisions where low-risk decisions are made first. If you are part of an organization who chooses not to invest in any cloud-based technologies, a great way to become comfortable with the concept of cloud (with minor risk) is to select a SaaS solution that contains minimal or no sensitive data. By starting down this path, you can develop information security processes to review cloud vendors and become comfortable with the overall concept of cloud.
Cloud Information Security Maturation
When it comes to securing information, using a framework such as the Cloud Security Alliance Cloud Controls Matrix can really help build information security competencies without reinventing the wheel. Vendor due diligence is critical. Information security leadership skills are required to influence both vendors and internal business resources to modify processes to ensure security is realized.
If the initial Software as a Service solution goes smoothly, other SaaS solutions should be entertained with increasing risk and correspondingly increasing maturity around information security cloud management practices. At this stage, the business and IT operations should be over the hump of the cloud/no cloud barrier and further investments in cloud solutions can be pursued in line with your growing maturity of IT and Security cloud capabilities.
Obviously, low-risk choices around IaaS and PaaS could also be entertained if they pose no direct risk to the organization, but my experience has seen most organizations begin to accept SaaS solutions first, which then corresponds to a gradual culture swing which allows information security departments to adapt slowly and confidently. With the initial barrier broken, IaaS and PaaS can be introduced with minimal trepidation.
Yes, there are risks with cloud, just like there are risks with internal systems, but cloud initiatives are here to stay. Therefore, every organization needs to adapt and change their approach to IT and security in order to safely reap the benefits. Begin the journey to the cloud by first engaging in low-risk solutions and grow from there.