Clouds tout their rapid elasticity, infinite scalability and commodity pricing when wooing developers and operations engineers. While these are some of the sexier features of today’s cloud infrastructure providers, they are not the ultimate differentiator that will win the hearts and minds of the desirable CIOs running the Fortune 5000 enterprises. What magic trait will cloud providers rely on to earn the hearts of these power players? Security – the elusive and forever-moving target for many organizations.
Nearly every public cloud offers similar virtual machines, storage capabilities, traffic load balancing, network policies and other traditional data center constructs. These are considered commodity services … the table stakes that must be paid in order to enter the race. More advanced cloud providers offer additional services to make development and management of cloud-native applications even easier: queuing, data workflows, mobile back-ends, code pipelines and many others. Yet they all still compete for the same customer entering the market. How can they really focus on delivering key strategic value?
This question is answered by entering the world of compliant clouds, or tailor-made security clouds (or regions/zones) purposefully built to satisfy the stringent requirements that organizations must meet to achieve certification.
As large organizations like Condé Nast, Adobe and Netflix go all-in on their cloud strategies, they bring with them the legacy compliance efforts that burdened their in-house data center operations.
They instantly gain efficiencies by dropping the lower-level certification efforts and exchanging them for the pre-certified and approved operation of their new cloud service provider. Customers can request, for example, many of AWS’s certification reports to reduce their certification burden. Organizations can then focus on the certification criteria specific to their application infrastructure (what’s running in the cloud environment), minimizing the number of security controls they must pass. While this does not absolve the cloud-savvy business, it cuts down the overall process by nearly half when the auditors finally do arrive.
As we look to the future, we know that there will be creative paths these cloud service providers will follow in order to capture compliance-hungry customers. One great way this will be achieved is by providing pre-certified templates from which you can launch your application stacks.
Want to run a Java application server like Tomcat? No problem; select the appropriate template from the secure workloads marketplace, and in no time your application stack will be up and running, serving your code. These environments will be pre-configured with a number of strong and adaptable security controls, including continuous monitoring and continuous security solutions. If the audit firms get progressive enough, you may even inherit automatic compliance attestation by leveraging the powerful pre-validated templates provided by the provider/auditor/customer.
These pre-compliant environments will be available in geographic contexts, but also likely in verticals to accommodate the strict regulations inherited by financial services organizations, educational institutions, legal firms and even federal compute environments containing sensitive or classified data.
When it comes time for your CIO to pick the right cloud environment, maybe it’s no longer a choice between “AWS and Azure” but, rather, “Providers that offer me PCI DSS 3.0 compliant hosting solutions for my new credit card rewards website.” This empowering capability will create a low-friction path for software creators to rapidly prototype and certify services to operate in compliant spaces, disrupting sacred ground that traditionally required significant capital and labor investment to step upon.
In a world where servers are servers, and bits are bits, the King of Clouds will be the one that enables the greatest disruption. Clearly, that King will wield security as the weapon of choice.
Tim Prendergast is founder and CEO of Evident.io. With well over two decades of experience pushing the limits of technology, Tim created Evident.io as the first security company focused solely on programmatic infrastructures (cloud). Tim’s prior experience includes leading technology teams at Adobe, Ingenuity, Ticketmaster and McAfee. He holds over 15 years’ security experience, including eight years of AWS security experience and three years in the Adobe AWS infrastructure from inception to production.