No, not really. But it could be. Consider, if you will, the five essential characteristics of cloud computing (via SP800-145, as well as the CSA Security Guide):
- On-demand self-service
- Broad network access
- Resource pooling
- Rapid elasticity
- Measured service
Keeping these in mind, let’s look at three quick scenarios where shifting the mindset to a cloud services approach, even within traditional IT shops, can help reduce cost, improve efficiency, and improve security qualities.
1. Expanding Self-Service to Reduce Support Volume
Are users taking mobile devices home at night, running them on their personal home networks, and then bringing them back into the office? Are students taking their devices who-knows-where all summer and then hopping back onto the res-net? Are users asking for access to applications or other computing resources? Are all of these scenarios driving up support calls at various times of the year?
Self-service can help organizations automate request fulfillment, as well as address common issues like malware infections. Consider, for example, combining NAC and endpoint profiling capabilities to assess and monitor devices, automatically quarantining them when malware or other suspicious behavior is detected, and then providing a portal to automate deep scanning and malware removal.
Or, as relates to the next point, imagine never having to directly talk to users when they bring their own devices into the enterprise. Instead, send them to a portal, capture a profile for the device, communicate policies and expected performance (e.g., clearly state the employee’s responsibilities for due care), and then enforce those policies and posture, such as through pushing down an integrated MDM solution, or relegating the device to a guest or limited-access network.
Onboarding new users? Once their initial profile is established, send them through a portal to communicate policies (such as those pulled from a GRC tool), allow them to self-enroll for remote access (e.g., VPN access), automatically route requests and then process as appropriate (approved or denied), messaging users accordingly. Provide similar capabilities for software, too. Do they need Visio as part of their core function? Provide the interface for the request, forward it to the manager for approval, then push it down or allow them to come back and download and install the software.
Some of these ideas may be more future-state than “here and now,” but almost all of it can be implemented today, and it all represents a key attribute of the cloud computing model: on-demand self-service.
2. Resolving BYOD Concerns Using a Cloud Services Model
Is your organization – or maybe just your IT and/or infosec teams – struggling with how best to manage the BYOD movement? Shift your perspective. Shift away from the traditional layered mindset and simplify to a basic “inside” vs “outside” structure. Your services are all “inside,” while users and their devices are all “outside.” Tie in self-service for enrollment and management to help reduce onboarding costs. Pool resources using virtualization and other related technologies. Dynamically scale to meet demand. To the users, everything should look like uniform services, paying no attention to the man behind the curtain.
If your organization delivers everything as a service, then you also create the opportunity to start reducing bottlenecks and finding new efficiencies. The opportunity also then presents itself to move more toward a DevOps approach. IT ops and security ops can front-load their security within a standard gold image, working with Dev to ensure that everyone is working from a known good image. Updates can be rolled out seamlessly without having to make expensive notifications to end-users. Similarly, endpoint management can then become a measured service that is able to leverage the best technologies available, such as new malware solutions, NAC, and patch management.
The business exists to get work done, in alignment with the top-level business objectives. Make the “right” decisions be the easy decisions. Shifting to a cloud services model helps address many of the common challenges with BYOD, because it means you now assume all endpoints are clients from measurable lines of business.
3. Flatten Your Network, Fix Your Perspective
Do you still think about your enterprise as having onion-like layers where the Internet is outside, and then you have a DMZ, prod, and the LAN/WLAN? Does that model really work any more? From a cloud perspective, there’s only “inside” or “outside,” and the “inside” portion is going to be all your systems and apps that have traditionally been prod+DMZ. With wireless and BYOD, you can no longer assume that your local network is even remotely safe (one could argue that has always been the case, but it becomes starkly apparent now).
I would submit that the services you provide to your constituents are not really arranged behind layers so much as they’re all in a flat, internally segmented (hopefully) environment. There may be one entry point or, more likely, there will be several border crossings. Where do you terminate your Internet access? Is it within a secured segment of your environment? Highly doubtful. More than likely, you have a beachhead off of which stems userland and the various production environments. The larger your org, the more likely it is that you’re pulling several ports off the main Internet access router to plug into various environments, rather than flowing all traffic through a single pipe.
If any of this sounds familiar, then congratulations! You’re far more cloud than you might have thought… in which case, why not take the next logical step and flatten your network? Instead of drawing concentric circles, draw an arc with wedges. Put bubbles (or enclaves) within those wedges, such as to represent dedicated storage that isn’t generally accessible except to specific systems within a given wedge (aka a security zone).
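The wedge-and-enclave model can be written down as data and used to audit an existing rule set. The Python below is an added example, not part of the original post; the host names, zones, ports and the default-deny rule between zones are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

OUTSIDE = "outside"  # all user devices, BYOD or corporate, on any network

@dataclass(frozen=True)
class Host:
    name: str
    zone: str                      # wedge (security zone), or OUTSIDE
    enclave: Optional[str] = None  # bubble inside the wedge, if any

# Constructed inventory; every name here is hypothetical.
HOSTS = {h.name: h for h in (
    Host("byod-laptop", OUTSIDE),
    Host("hr-portal", "hr"),
    Host("hr-app", "hr"),
    Host("hr-batch", "hr"),
    Host("hr-storage", "hr", enclave="hr-data"),
    Host("fin-app", "finance"),
)}
PUBLISHED = {("hr-portal", 443)}          # services offered to outside clients
ENCLAVE_ACCESS = {"hr-data": {"hr-app"}}  # systems allowed into each enclave

def evaluate(src, dst, port):
    """Return (allowed, reason) for one flow under the zone/enclave model."""
    s, d = HOSTS[src], HOSTS[dst]
    if d.enclave is not None:
        # Enclaves admit only listed systems from the same wedge.
        ok = s.zone == d.zone and src in ENCLAVE_ACCESS.get(d.enclave, set())
        return ok, ("enclave member" if ok else "enclave is restricted")
    if s.zone == OUTSIDE:
        ok = (dst, port) in PUBLISHED
        return ok, ("published service" if ok else "not a published service")
    if s.zone != d.zone:
        # Assumption: zones are segmented with default deny between them.
        return False, "cross-zone traffic is denied by default"
    return True, "same zone"

def audit(flows):
    """Return the flows in an existing rule set that the model would deny."""
    return [(f, evaluate(*f)[1]) for f in flows if not evaluate(*f)[0]]

# Constructed rule set, as might be exported from a firewall.
RULES = [
    ("byod-laptop", "hr-portal", 443), ("byod-laptop", "hr-app", 8080),
    ("hr-app", "hr-storage", 2049), ("hr-batch", "hr-storage", 2049),
    ("fin-app", "hr-storage", 2049), ("hr-portal", "hr-app", 8080),
]

if __name__ == "__main__":
    for flow, reason in audit(RULES):
        print("VIOLATION", flow, "-", reason)
```

Rules that `audit` flags are the places where the current network still depends on the layered assumption: a client reaching past the published service, or a system outside the enclave's access list touching its storage.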
—
So… what do you think? Take a step back and try to view your environment as if you were a cloud services provider. Does this make your life easier or more difficult? Does it introduce new or different problems? Does it help clarify and reduce complexity? I look forward to your comments! And, yes… I do realize it’s 2013 and I’m talking about cloud as if it’s new… the difference here (sort of) is suggesting that traditional enterprises also approach their services as if they were a CSP, and reap the benefits accordingly.