Businesses need to think “bank grade” rather than “enterprise grade” when it comes to cloud security, Mike DeCesare says
LAS VEGAS – Many organizations make “the mistake” of expecting of their cloud service providers only the same security standards they run in-house, McAfee co-president Mike DeCesare told attendees of the company’s Focus 2012 conference. Instead, DeCesare suggested, companies need to hold their cloud providers to a higher standard when it comes to security best practices.
DeCesare describes it in financial services terms – an individual is expected to make reasonable and serious efforts to protect their own money and assets.
But the bank that holds the assets for many thousands or even millions of customers? They’re expected to do a whole lot more to keep those pooled resources secure.
So too, businesses running applications (or facilitating applications running) in a massively multi-tenant environment should shoulder a greater security burden than should the average business.
It’s not the cloud providers’ fault – too often, DeCesare suggested, companies approach the transition to the cloud by looking at their on-premise security best practices and asking for those to be replicated in the new cloud environment. And he’s quick to point out he’s no less guilty of this than anyone else – McAfee made the exact same mistake, initially, after a “pretty rigorous process” in deciding to move McAfee’s CRM solution to the cloud.
“We fell into the same mistake,” he said. “We looked at our policies internally and said, ‘Can you match these?’ As we move more into the cloud, it comes on all of us to make sure that the security of these cloud providers is up to snuff.”
The advancement of cloud computing, DeCesare said, “complicates things,” but many organizations have already put many of their crown jewels – employee information, customer data, sales forecasts – into the cloud.
In his keynote, McAfee CTO Mike Fey suggested that big cloud providers, with their size and scale, are big targets for attacks, but also have the resources and abilities to deploy strong security of the type that IT departments simply can’t afford on a company-by-company basis.