In either a private or a public cloud, they need applications to behave a certain way. Unfortunately, it's not always possible to move legacy applications. A workaround, which will require change over a long period, said Stern, is to put what they can in their private or public cloud until they are able to examine which applications are worth rewriting.
Before making the move to the cloud, Alex Hamerstone, GRC practice lead at TrustedSec, said, "Settle on a definition of what the cloud is. It’s really just someone else’s computer. A computer that’s not yours. You should know why you are moving to the cloud. What are the advantages? Is it cost or that it is easier to maintain?"
While cost is often cited as a reason for making the move to the cloud, for larger enterprises the cost of protecting all of their users can actually increase.
Gunter Ollmann, CSO at Vectra Networks, said, "Instead of buying hardware and appliances with a three-to-five-year depreciation lifecycle, they are buying a service. They are now paying, typically, based around number of servers or users being protected. Their security spend can change drastically in Capex and Opex."
For example, if they want to firewall their organization today, they could buy a $15,000 firewall and deploy it. "They don’t care about how many users they have in their environment. When you shift to cloud, firewall spend will be based on the number of users using the cloud. The number of users protected will change the cost considerably," Ollmann said.
Contracts are extremely important, and they should understand the service-level agreement and be aware of any financial considerations if the provider fails to meet the SLA. "Someone once told me, it doesn’t matter who’s liable, it matters who is collectable," Hamerstone said.
Where is the data located?
Enterprises also should be asking exactly where--physically--their data is going to be located. "That can affect your regulatory requirements. It's definitely a red flag if the providers don’t know. They should have assurance that it's in a certain facility or area," said Hamerstone.
More providers are able to give those assurances as data centers are being erected across the globe in different areas to provide cloud services because laws and regulations are complex. "EU countries don’t want their data leaving the EU, so it is easier to set up a data center in the EU," said Hamerstone.
An established provider, said Hamerstone, has already addressed the security questions that worried security practitioners a few years ago. "They will be able to tell you what types of security controls they have in place. Ask them if you are being hosted on your own instance so that you're not hosted in the same cloud as three other companies. That way, you can’t access someone else's data and they can’t access yours."