Fujitsu publishes FUD-free guide to cloud security


Just about a year ago now, Cloud Pro reported how Fujitsu had entered the 'what the heck is the cloud' debate by publishing a white book of cloud adoption to coincide with the launch of its enterprise cloud consulting service.

Now the same company has decided to try its hand at explaining cloud security for business users, and the resulting White book of Cloud Security should be available for download at the Fujitsu website by the time you read this. If it isn't, or you want a hardcopy dead tree version of the thing, then you can request a free copy of either directly by contacting askfujitsu@uk.fujitsu.com.

I'm all for getting the cloud security message across, minus the FUD and hyperbole, which is why I am both a writer for, and an avid reader of, Cloud Pro after all. However, there's always a shiver running down my spine in anticipation of the worst when that security message comes by way of a vendor or service provider with a vested interest in taking the rose-tinted spectacle viewpoint. Why would such an organisation go to the not inconsiderable expense and trouble to produce something warning potential customers to beware of the dog, as it were?

So it was with some trepidation I started to read the Fujitsu effort when a pre-publication copy landed on my virtual desk a couple of weeks ago.

Things didn't look too good when pretty much the first thing that hit me was the preface by Fujitsu CITO David Smith proclaiming "there is one overwhelming question that is still causing many CIOs and their colleagues to delay their move to cloud: Is cloud computing secure?

A simple answer to this is: Yes, if you approach cloud in the right way, with the correct checks and balances to ensure all necessary security and risk management measures are covered".

My problem with this is that when dealing with an issue as complex as moving your business into the cloud, simple answers are never really that helpful, to be honest. Especially when they are condensed, in effect, to being either a yes or a no.

Smith does redeem himself a paragraph or so later when he admits that "many unwary businesses have found to their cost in recent high-profile cases, a single cloud-related security breach can result in an organisation severely damaging its reputation - or, worse, the entire business being put at risk". That's more like it, a huge injection of reality into the debate is what is needed and by promising to provide "a clear and unbiased guide to navigating the complexities of cloud security" perhaps the Fujitsu guide might not be a useful resource after all.

The first chapter asks the question 'Is cloud computing secure?' and provides the answer as a start of chapter summary, for those CIOs who cannot spare the time to actually read the meat and potatoes of the document, which quite correctly and clearly states "by employing multiple layers of defence and a robustly designed cloud architecture, organisations can confidently answer: Yes, it is secure enough".

It would be a shame if those CIOs didn't invest some time in reading the actual content though, as it is surprisingly well structured. I found myself particularly drawn to the table explaining the security characteristics of different types of cloud implementation, for example, which quickly gets the 'all clouds are not equal' message across.

And, fair play to Fujitsu for not playing the everything is rosy in this cloud garden card by covering such issues as "CIOs should not assume service providers will be able to support electronic discovery, or internal investigations of inappropriate or illegal activity. Cloud services are especially difficult to investigate because logs and data for multiple customers may be either" as well.

While I was concerned initially that there would be an almost inevitable level of over-simplification at play here, and my major concern being that a highly complex subject such as cloud security cannot survive over-simplification if the end result is going to be a properly informed business decision, I have to take my hat off once more to the Fujitsu team for the 'Cloud Security Simplified' chapter which does a sterling job of proving me just a little bit wrong.

I say just a little bit rather than rolling over and letting Fujitsu tickle my tummy on this one as the chapter actually confirms my original belief. What it actually does, you see, is build on the basis that any coherent security strategy involves many different aspects that touch all parts of an organisation and, for it to be effective, CIOs and their teams need to properly understand the implications of the technology on operations. This chapter lays out the key considerations to enable CIOs to do just that in an at-a-glance style using Venn diagrams and lists.

Having worked through the following chapters covering confidentiality and data integrity, I arrived at what is the real heart of this white book for me: the cloud security checklist. I love checklists of any kind, I couldn't survive my working day without ticking boxes and checking tasks, I'm one of 'those' folk.

When it comes to considering security strategies a checklist is not just for the obsessive personality types such as myself though, it's an essential tool for everyone. And this particular checklist is just about spot on; coming in two parts it helps guide CIOs in their determination as to whether the security team itself and the rest of the enterprise is fit and ready for a secure cloud implementation. The questions are a little simplistic, but once again I have to concede that simplicity works in this scenario.

Well done to the team at Fujitsu for putting together this guide, not least as it is not a product hard-sell marketing campaign in disguise, with the Fujitsu cloud offerings not mentioned until the very end of the thing and even then given just a single paragraph. What it is, is a nicely structured, clearly written and informative guide to any business seriously considering a move into the cloud.

Davey Winder
