Cloud Beats Most In-House Security, Says IBM CTO
December 6, 2010 Dan Burger
Cloud computing is confusing. It helps if you study it in bite-sized portions. For midrange shops running their core business applications on the IBM i and OS/400 platforms formerly known as AS/400, iSeries, System i, and now Power Systems, there are three considerations that should grab your eyeballs. They are skills, security, and services. You can look at them individually or in combination, but they will likely be a primary factor in whether the cloud is important to you now or in the near future.
We have cloud proliferation. Every day new clouds come puffing out of virtual smokestacks, if you can picture that. Each has its own purpose and may or may not be platform specific, which has a bearing on whether iSeries shops will pay attention to them. Just like any enterprise software, all clouds are not created equal and one cloud does not fit all. Decisions would be a lot easier if that was not the case.
Behind many cloud decisions is a desire to offload IT. Although it’s often thought that technological advancements increase efficiencies and reduce complexity, the advancements and the efficiencies often arrive by themselves. Reduced complexity seems to miss that bus most of the time. As a result, businesses are on an IT technology treadmill that keeps them searching for employees with the skills that are keeping pace. Not all companies have done this effectively. The reasons are usually attributed to this being a distraction to the mission of the company, the scarcity of skilled people or the costs associated with acquiring the technology and the skilled staff.
Every business has its own situation, but IBM i shops have a reputation for complaining about a dwindling number of IT professionals with modern skills. Executives who face that situation today or see it as an issue coming sooner rather than later might see the cloud as relief as the pressures to maintain existing systems can be moved to a cloud with the expertise to keep the business running smoothly.
Anyone who’s been mildly curious about cloud computing has read articles detailing the cloud-busting obstacle that security has been when it comes to executives’ unwillingness to venture into the great unknown. This is more of a concern to not very particular consumers than it is to very particular businesses.
I talked with Harold Moss, the chief technology officer of cloud security strategy at IBM about the security concerns. He echoed the “not all clouds are created equal” truism, and added that IBM clouds were more secure than most companies’ in-house security because companies struggle to apply the appropriate levels of security and also with the interpretation of security information they collect.
We’ve learned as much from the annual State of the IBM i Security survey and report produced by security software vendor PowerTech. Although the IBM i is an extremely secure platform, it is rarely used to the level it is capable.
“Our view is that the cloud can be more secure than the traditional environment,” Moss says. “First, there is the increase in security services. We can help organizations that don’t have enough resources to manage their in-house security requirements. As it is now, organizations are not taking care of business when it comes to security.”
In his unabashed endorsement of IBM services, Moss recommends IBM’s managed security services, where skills are current and expertise covers specific platforms as well as multiple platforms. They get packaged and delivered in a manner that might be called security as a service.
“Security is very complicated,” Moss says. “Where there used to be one dedicated system on which to manage security, now there are multiple systems and they are communicating with each other. There are mobile devices punching holes in the firewall and information is being shared with partners. In my opinion, with managed services you get a better level of quality because it’s a deeper investment.”
Returning to the topic of cloud security, Moss says it’s not right to paint all clouds black when it comes to security. Different clouds will have different levels of security, he says. And a generic checklist approach to security doesn’t necessarily work, because security needs varying according to workloads.
“There’s no need to build in things that will never be used,” Moss says. “Capabilities like anti-spam and anti-phishing are unnecessary in a development and testing cloud. Think about what you are doing in the cloud. If it’s accessing and protecting data, there are specific security needs that pertain to that.”
What IBM is saying is that it has more money to invest in security than most customers do. And because it sets out to hire expertise, it has a better chance of creating a more secure environment than most customers. If economy of scale is a factor–and it should be because IBM plans for multiple customers to share the cloud–this should be less expensive than building similar security in-house.
“People don’t apply security because they don’t want security,” Moss says. They don’t apply security because it is not cost effective. They can’t get a return on their investment. Security is not understood before an incident happens. It’s looked at as having to hire a person or persons and buy some equipment. This doesn’t make sense to an executive unless it can be tied to an impact. In this case, the impact is rarely forcing the issue.”
IBM has a huge presence in the security business. Through its software and services, it manages more than 7 billion security events daily. Its X-Force branch employs more than 15,000 researchers, the company holds more than 3,000 patents in the security business, and more than 4,000 customers outsource their security to IBM. It has also created the Institute for Advanced Security, a group focused on cybersecurity research and development.
Even with all the cloud evangelism ringing in our ears, the momentum remains chiefly with smaller applications and databases that seldom qualify as mission critical for traditional businesses. Moss calls that a “point in time” statement and predicts more transition to cloud-based systems. As part of that transition, he says, there will be increased investment in public and private clouds. The confidential information will be kept in private clouds. The public clouds will handle not so sensitive information.
Retail organizations are required to share a great deal of information and this industry is moving to the cloud. Wal-Mart, for one, is pushing for this to happen. Retailers are not ready to put all their critical data out there, but with all the PCI services in the cloud there is interest beyond the curiosity level.
“IBM is betting heavily on the cloud for a reason,” Moss says. “We believe more companies will go in that direction.”