A close friend recently received a new credit card in the mail. To him, this was pretty surprising, because as he put it, his current card was still valid, and he hadn't applied for a new one. Thinking the worst, he opened the envelope and found that a letter also accompanied the card. The bank, which shall remain nameless, in very short, non-descriptive terms, advised my friend that his card had been compromised at an undisclosed location, and if he had more questions, there was a number to call. Unfortunately, that number was even less helpful, stating that no specific information about the breach or risk would be provided.
This sounds pretty absurd, and for my friend, there is a lot at stake, especially worry about his credit rating. He put his trust in an organization that has resources, well beyond his own, and at the very least he had an assumption, that this was a partnership in security. He was wrong on a lot of levels. Even scarier, this same belief is being practiced with the ever-increasing shift to the cloud through SaaS and IaaS.
Much like my friend, organizations place a lot of control in the hands of a third party. Data, and in many cases whole infrastructures (IaaS), now rest outside the boundaries of an organization's IT team. Perhaps with all that control out of our hands we can breathe a sigh of relief, and focus on what really matters - determining how to handle the inevitable security tsunami that has been triggered by all this movement to the cloud.
If that sounds a little apocalyptic, you may want to read a recent article posted at net-security.org. Covering a recent Ponemon Institute survey, Help Net Security found that, "... of 1,000 IT security practitioners and enterprise compliance officers revealed that less than half of all respondents believe their organizations have adequate technologies to secure their cloud infrastructures." In more direct words, that means all the warning signs are there, the professionals have weighed in, but organizations are still moving forward.
This article has a lot of frightening statistics, all of which seem to point to the fact that most organizations seem to be rushing to the cloud without proper preparation and tools to manage security. While it doesn't point to any single, driving fact, or issue, these early adopters are most definitely excluding, or perhaps more accurately losing, the control that they have with tight Change Management and Configuration Management processes, controls, and systems. Without these, what you are really setting yourself up for is a letter sent through physical mail, that's ambiguous and vague. A letter, that as as service to you, let's you know something happened. But what happened, to whom, and how bad it was are left buried in the ether.