This is part one of a two-part interview with Yousuf Kahn.
I recently had the chance to sit down with Hult International Business School CIO Yousuf Kahn to get his take on cloud IT security. Hult has five campuses across the globe and has been recognized by Apple as a Standout School for their mobile initiatives to enhance and extend the classroom with iPads and Apps.
Can you briefly describe your organization’s cloud environment?
A lot of our applications are fundamentally cloud-based. On the academic side, we use Canvas for our LMS (Learning Management System), Microsoft Live@edu for email, and SkyDrive for file storage and sharing. This will soon upgrade to Office365, which will bring a rich feature set around instant messaging and document collaboration. We are also using cloud-based social media and web services for some of our applications. We are big fans of Yammer, which should be interesting to see develop following their acquisition by Microsoft. So we’re quite bullish in respect to the cloud for providing a more robust and fault-tolerant operating infrastructure. If an application is not in the cloud, then it will be soon. We are starting to put a program in place to put any remaining legacy apps in the cloud. We only have one app that will remain in our own data center, and that’s for purely legal and fiduciary reasons for now. We’re currently looking at our development environment being moved to the cloud, which would remove an inefficient process of having to provision servers internally.
What assurances have your cloud providers given you that your data is protected?
People will give you a lot of assurances, but the onus is on the buyer to check those out. I didn’t really focus on vendors’ assurances as much as I did on my own research to verify the security of cloud providers.
The key thing is asking, “What’s the criticality of your application, and have I done my homework when considering moving it to the cloud?” Microsoft Azure, Rackspace, Amazon, Google and the like are no doubt considered safe and reliable—there are not massive levels of risk in taking them on for standard applications, and that is a trend I am seeing. However, some have had outages or security breaches in the past as well. Does that mean companies will pull out from them? I doubt that very much. You need to build an expectation for an outage but a very minimal one, because no matter which provider you use, there’s an outside chance it’s going to happen. You have to develop a good backup plan and operationally know how you will react.
It’s really just doing a good level of due diligence. Talk to IT professionals and explore your network in general—there’s a lot of knowledge generated from your peers.
What concerns do you have about emerging cloud security threats?
That depends very much on what you are trying to achieve when moving to the cloud. Robustness? Scalability? Cost reduction? Risk? The reality is that, as many people that are out there who are trying to break into systems, you have equal in number and more talented people trying to make sure those systems become foolproof. That’s just going to continue. Things are becoming more secure because they have to be more out of prudence and business logic as more and more data about us is moved online. I’m not exceptionally or more worried than usual because you can only go so far in putting in measures to make sure your applications and systems are secure.
Security breaches are more on the margins as barriers are put in place at the physical layer of the network as well as at the application level. Whilst I don’t lose sleep over security issues like that, I certainly stay vigilant and don’t take anything for granted. If I have a worry, it is about data loss and leakage as a result of security threats, and I want to ensure we have taken all measures necessary to mitigate that risk.
In the second part of my interview with Yousuf, we’ll find out what he’s doing to shore up cloud IT security in light of emerging threats and we’ll hear his list of best practices for cloud application security.