I like your post, and think you have some valid points. Here are my observations:
Control - The fears companies have about losing control of their data if it is hosted in the cloud are not unfounded. It is up to each company to properly classify their data, determine if the benefits of hosting the data in the cloud are worth the risk of unauthorized disclosure, and then develop controls for cloud-hosted data that address the risk. I think this is one of the reasons why hybrid cloud is getting a lot of traction. Some companies are hedging their bets and keeping the crown jewels close to the home.
Security - Again, these are valid concerns. One way that companies can address their concerns about future audit headaches is to get the auditors involved early in the analysis and design phases of cloud adoption/migration projects. Auditors should be able to suggest controls for cloud technologies that meet policy and regulatory requirements. It's too late to get auditor advice once the solution is up.
Jobs - Yep. When considering only the money spent, the OPEX model of cloud often ends up being more expensive than the CAPEX model of on-prem. Companies then often offset the additional cost of cloud through redundancies/layoffs/outsourcing of IT Operations staff. It's debatable whether or not this will end up being a long-term trend. What is incumbent upon each and every one of us is to adapt to the times. Get as much experience as you can. Utilize resources like the free Amazon EC2 instance. Study. Certify. As with everything in tech, cloud will continue to evolve. It's not going to go away.
I don't but have tried and failed the CCSP already (by 2 questions :-() but it doesn't matter whether I fear it or not; where I am, we are well into it.
I also find that once you have the cloud, suddenly you have a heap of new security devices which you have paid for and need to use.
If you are on Azure, for instance, you have Microsoft Cloud App Security (an Adallom CASB bought by Microsoft and therefore rather good), also the Microsoft security centre, which is also an acquired security device, so that's good.
Now to develop some policies, get this gear monitored and working!
That's a bit of a challenge!
You make very good points as to why people are concerned, but I would like to expand on those concerns with why they may not necessarily be valid if an organization takes the time to properly plan.
If architected and implemented correctly (BIG caveat), organizations have complete visibility of their resources in the cloud...there aren't any servers hiding under someone's desk. And with features such as AWS' Organizations, an enterprise can manage and govern all of their AWS cloud accounts to monitor and enforce enterprise policies.
The key to success is understanding the shared responsibility model and being diligent for your portion in the cloud. All of the news about breaches in the cloud has been from cloud customers not protecting their portion and not taking advantage of all the security features and warnings - no encryption, public access, posting credentials in code on GitHub, etc.
Taking things to the next level, an organization can automate and scale security so that very little human intervention is required. So not only can the cloud (with the right provider) be just as secure as on-prem, it has the potential to be more secure than on-prem.
We simply need to apply the same lessons learned from traditional IT to the Cloud. You can't rely on a new Firewall out of the box, it is your responsibility to configure it properly and maintain it. It is the same for cloud services, there are some default security settings, but it is still the customer's responsibility to configure, monitor, and maintain security.
Agreed. Just like driverless cars, the new technology doesn't have to be perfect, just better than the alternatives. But it should be better. Whether it is will always depend upon how well it is done in house, and how well an outsource provider does it. An outsource provider who specializes in the service offered and gains economies and efficiencies of scale CAN be better.
With cloud, we must also be mindful of where their responsibilities end and what remains for the consumer organization. It is not a magic bullet.
There are a few great articles on Netflix and their "chaos monkey" process that speaks to your point. Moving to the cloud alone doesn't create availability, rather properly architecting availability in the cloud and regularly testing availability creates availability.
I work for a Fortune 500 that has opted to move everything to the Cloud and if a system migration to the Cloud is not feasible (like mainframe) then to contract an MSP.
I am firmly of the opinion that the business drivers of the decision to move to the Cloud largely determine the end-state security posture of systems not the Cloud technology itself. I would advise not to fear Cloud technology per se but trepidation of the specific business drivers of moving to it is valid - as those will determine your future security posture in the Cloud.
It is entirely possible, and I would argue likely, that a corporation's security posture will be substantially weakened in the Cloud if the "primary" driver is near-immediate CapEx and OpEx reduction rather than system availability, business agility or even increased operational automation.
Nice read and I agree.
The cloud is an important asset to businesses. We need to embrace it because at the end of the day it is about keeping the business up to bring in profits.