Foreword

Cloud computing is touted to herald a new generation for computing. It is the future of information technology (IT), a mature manifestation of the Internet and the Cyberspace. However, I beg to differ. I see cloud computing as heralding the coming of the IT Security industry.

For many years, historically, IT Security professionals plying their trade often came from a defence or national security background. They were used to an environment of secrecy and normally to socialize in a closed group. They mixed poorly with other groups of the organization or even society and preferred to conduct their business under a veil of secrecy and more importantly, fear. Hence, their favourite tool had always been case studies after case studies of infamous hacking incidents telling you why it was important not to be one of the firms! Any colleague could be a 007 secret agent working for some purported rival firm that would steal your technology. A system of distrust and silos was created. The security guy is most likely the most hated and feared figure in the company! And the security guy has never been a boardroom power puncher, and most likely not even part of the organization’s executive team! In today's knowledge economy, it is common for information to be the main, if not the only, valuable asset for all organizations. So why is IT Security not in the corporate mainstream?

The reasons are not hard to comprehend. Firstly, IT has always been an expensive investment in any company, where its worth has never been adequately justified - which brings us to the security of these systems, related services and compliance requirements, which can be costly and take a sizeable chunk off the IT budget. But these “security controls” have always been shrouded in secrecy, as it was the nature of security itself. Secondly, any presentation of what they do or function often ended up in a presentation overloaded with technical mumbo jumbo that only the Security team understands. As such, it is not hard to imagine that there are even more (unanswered) questions on the value of these IT Security purchases. This brings us to the third reason. Oddly, though we refer to IT Security with an “IT” and, by its naming, assume that it will be under the IT department, there is no consistency where the IT Security budget comes from. Sometimes it is from Finance, other times from Internal Audit. This situation is exacerbated with the various so-called “disciplines” that emerged over the years, and the seemingly unrelated regulatory requirements that come with it. We have seen IT Security, Data Privacy, Digital Forensics, IT Governance, Information Risk Management, IT Compliance, Cybersecurity, and even Homeland Security/Critical Infrastructure requirements that mangle up the entire space and make definition almost impossible. Yet they are intricately related to each other. It all boils down to the internal “champions”, that is, the department that “funds” such activities, and thus the different references. In short, it is hard to find a champion within organisations consistently. You don’t have that problem with Finance, Human Resources, Sales, Marketing, for example. Not even IT!

However, with the introduction of cloud computing and the concept of Compute-as-a-Unity, we have reinvented the wheel. Or shall I say we pressed the reset button for the industry. The security industry is positioning ourselves as the “watchers” of keepers of the keys of the data that applications run on top of the cloud infrastructure that we come to term as “services”. In other words, IT Security is being positioned as a mainstream corporate service that has a direct impact on, and therefore demonstrates value to, whatever business objectives the company has set out to accomplish! So IT Security does not belong to any camp, whether IT, Finance, Audit, etc. and therefore the diasporas of whether it is called “Cybersecurity” or “IT Audit”. Based on the Compute-as-a-Unity model, security becomes a part of whatever service is provided, just like you would expect potable water from a tap or electricity when you flip that switch.

Thus, I was extremely happy when Ryan and Raymond shared their thoughts with me on this book covering the Cloud Security Ecosystem. I believe this is the book to read for a totally new perspective that will hope to bring forth a completely different perspective and therefore understanding of the nature of cloud computing and what makes it tick—Security!

Aloysius Cheang, Managing Director, Asia Pacific, Cloud Security Alliance
