The cloud is, perhaps, the epitome of de-perimeterisation. If you take the definition of this being the removal of boundaries between the enterprise and the outside world it's pretty much bang on the money.
It's easy to assume, therefore, that de-perimeterisation in the information security sense is the answer to your cloud security concerns. It isn't, at least not the complete answer. For the more rounded solution you need to throw re-perimeterisation into the mix and let the two bang heads. I appreciate that this sounds more than a little contradictory, but when you think about it there is plenty of method in the apparent anarchic madness.
I've spoken before about security at the edge of the cloud where I argued that the cloud, and virtualisation in general, was forcing a transition from network-based boundary security to a broader edge-based scenario. Then, and many times since, I have stated that at the strategic level data has to be at the centre of security policy and this means the application of multiple protection levels including encryption and authentication as primary requirements. This is de-perimeterisation at work, the evolution of information security away from the 'castle and moat' approach of old which relied on hardened perimeters to keep the bad guys out. Castling and the cloud, it would appear, do not secure bedfellows make.
Appearances, as we all should know, can be deceptive. So while there is little argument within the IT security industry that mixing encryption, secure protocols, secure systems and data-level authentication is a 'good thing' as far as the cloud is concerned, it's not the only thing.
Securing from the centre outwards, focusing on your data rather than the network edges, is a given; live with it. Ignoring perimeters completely, though, is a sure fire way to weaken your security posture considerably. Which is where a degree of re-perimeterisation comes in to play. Think in terms of 'boundaries of control' and the bigger security picture starts to form. Identifying where these are and then applying your security methodology to them, again from the inside out with a data-centric focus, is key to a holistic and rounded cloud security posture.
Re-perimeterisation means understanding and accepting that the virtualised or cloud environment does, actually, still have a secure perimeter but it has just been moved somewhat. Your mission, and you have to accept it or suffer the inevitable consequences, is to determine where these new perimeters lay and ensure you have control over securing them accordingly. De-perimeterisation and re-perimeterisation are not mutually exclusive processes. Quite the opposite in fact, you need both to secure the cloud...
