By George V. Hulme

Cloud computing represents a tectonic shift for CIOs and their IT organizations. But with every change in the foundation of IT comes a degree of risk, and cloud computing is no exception. Fortunately, new tools, approaches and best practices are emerging that can help CIOs keep their cloud computing projects safe and secure.

Security is a top issue for cloud computing. A recent CIO.com survey found that 51 percent of CIOs say security is their top cloud computing concern, up from 45 percent the year before. More specifically, two cloud issues present challenges for IT leaders: losing control over data, and losing the transparency into IT management processes and technologies necessary for regulatory compliance.

Cloud technology also presents CIOs with a new set of questions: How will network, applications and system changes be managed in the cloud? How will data be secured? Where will that data be physically stored? What processes will be in place to ensure that regulated information is maintained within regulatory mandates?

These security and regulatory concerns, as well as the need for transparent and auditable controls, are leading CIOs to ensure that they are taking the right approach to cloud services for their organizations. They're also leading CIOs to adopt the best tools, processes and even best cloud delivery model for their specific business needs. (See sidebar, "Three Levels of Cloud Security," at right.)

Many CIOs are opting to either build their own internal private clouds or outsource private cloud operations to managed services providers. "There's increasing evidence showing that Fortune 500 organizations are interested in external or public clouds as a way to manage less-critical systems and data not covered by regulatory mandates," says Chris Rae, EMEA Director at CA. "For regulated and highly confidential data, they're going to choose some variation of a private cloud model."

Many CIOs find that securing cloud systems does not involve a profound shift. Companies already understand how to secure data centers, manage service level agreements (SLAs) and security obligations with system integrators, and keep a firm grasp on managing virtual machines. As a result, says Rae, "The move to private cloud services mainly changes the IT discussion. We're moving to engage with the business and deliver IT as a service that is metered and charged to the business units on an as-consumed basis."

Also, in the cloud, basic IT security practices still apply. The same best practices and security technologies that protect older systems can also ensure that cloud systems remain sustainable, secure and compliant. "CIOs need the ability to manage and control identities," says Bill Mann, Senior VP of Security Business at CA. "They also need system and configuration management, log management, application management and network management."

If anything, those disciplines become even more crucial in cloud environments, Mann says. That's because cloud services are so heavily virtualized. Consider, for example, privileged user accounts, needed for managing databases, servers and other critical IT systems. These accounts become potentially much more vulnerable in a cloud environment, Mann says, because there are so many virtual machines per physical server. "One administrator could log in and copy a database or entire virtual machine, install malicious code to monitor traffic across those virtual machines, or do virtually whatever they wish to do," he adds.

Part 1 – Getting Started With Cloud Computing

Part 2 – Higher Altitudes for Cloud Computing