Is Data Safer on Premise or in the Cloud? It Depends.

Over on the Alert Logic blog the question is asked: “Is Data Safer on Premise or in the Cloud?” Unfortunately there is no simple yes or no answer. The only answer to this question is “it depends”. The point of the Alert Logic post, however, is not to convince you to move all of your infrastructure into the cloud but rather to convince you to use Alert Logic’s SaaS application, which is conveniently located where... you guessed it, in their datacenter.

Alert Logic mentions SAS 70 Type II audits which, based on the few that I have reviewed, are very subjective and a tad fluffy when it comes to how the results are measured. But hey, clouds are supposed to be light and fluffy, right? I like the idea of SAS 70 audits more than I actually like the results generated by them. I’m not saying you should completely disregard a SAS 70 Type II audit when a vendor hands it to you, but rather use it as a springboard for deeper questions about the company background, monitoring practices, information and communication systems, and how the results of the testing were generated (and whether they can be reproduced).

The title of the Alert Logic blog post was what initially made me open it up in my RSS reader. I was a little disappointed that it was more of a product pitch than a debate on cloud vs. premise. When I say that the answer to that question is it depends…well, it does. The average small to medium business typically does not have the capital, or experienced personnel, to implement a true security management program AND implement/maintain the required technical controls to enforce the policy. This is where cloud security has the opportunity to shine.

Positioning moving your datacenter to the cloud under the guise of “increased security” won’t fly with me until someone can take my hand and walk me down to the proposed new home for my datacenter. I want to see, with my own eyes, the network, host, physical, and operational security capabilities, policies, and procedures that my service provider will follow. That might ease my mind but it will certainly take a lot of convincing to make me believe that you can meet the following equation:

(cloud solution security + cost savings) > (my current security)

Response to “Defense in the Deep End”

Justin Foster posted an interesting article entitled “Defense in the Deep End” where he talks about what technical controls he would use, and where he would put them, if he had an unlimited budget. Although I agree with most of his selections (his chart can be seen here), there are a few areas that I would continue to invest in:

  1. Anti-phishing, URL filtering, and Threat Protection – Let’s bundle this all up into a category called Anti-malware. If I had an unlimited budget, why wouldn’t I consider installing these technologies on my workstations, laptops, AND servers? How often do admins connect directly to the Internet from a server to patch their systems, install troubleshooting applications, and the like? Why not add an extra layer of protection for your servers?
  2. Hard Drive Encryption – Let’s encrypt hard drives on laptops, as they’re mobile, but let’s also encrypt hard drives on the workstations that also work with sensitive information and on the servers that actually store the sensitive information. I won’t even get started on phones and handsets.
  3. VPN – In the next couple of years, more and more people will need to be able to connect to the business to perform quick tasks (e.g. check email, submit time sheet, etc.). These are tasks that can easily be performed from a public terminal using an SSL-enabled VPN solution. Also, perimeter VPN solutions aren’t going away anytime soon (I’m going to choose to believe you just forgot to put a check mark in that box 😉 ).
  4. DLP – Why not deploy an inline DLP solution to guard against third-party network-based device DLP ‘attacks’? Put something inline on the network to watch the traffic as it flows out to the Internet?
  5. System/Application Log Forwarding (To SI/EM) – Don’t forget to send the logs from your network-based devices, such as firewalls, routers, switches, *IDS/*IPS, proxy, and toasters, to your SIEM/LM device. Correlation is key!
  6. File Integrity Monitoring – Yes, servers need to be monitored for changes, but what about laptops/workstations? Wouldn’t you want to be alerted when a registry key is changed at 3am?

All things considered, Justin put a good list forward.

Should the Helpdesk be a Mandatory Start for an IT Career?

For anyone who has worked in a “front line” customer-facing telephone support role, the answer is almost always an emphatic “YES”. I tend to agree with my colleagues for one simple reason – embitterment helps you succeed.

Why do I think IT folks need to have a sprinkle of bitterness to be in this field? The fact is that IT, like roadkill removal, is truly a thankless job. Sure, guidance counselors, parents, and the media will all tell you that “Computers are the way to go” for a good salary, benefits, and career advancement. The problem with that mentality is that it’s not the mid-1980s anymore. More and more jobs are being moved to parts of the world where wages are lower and, to be perfectly frank, people are willing to do the crappy jobs that North Americans think are beneath them.

To be clear, I’m not saying that working in IT is the hardest, or worst, job around. IT workers are taken for granted, much like the aforementioned roadkill removal worker. Most people enjoy driving to work on a road free from dead animals. When an animal gets run over and left for dead, the roadkill removal person is dispatched to “dispose” of the remains. When was the last time you sent a “thank you” card to your roadkill removal person? To that end, when was the last time you sent a “thank you” card to a member of your IT department? Show of hands?

Now let’s jump back to my original topic with a metaphor: an IT career is like a human body and, in order for your career to live a long and healthy life, you need a nice thick layer of skin to protect you from infection. The “infection” in this metaphor refers to the emotional challenges that every IT professional experiences during their career. In order for IT personnel to adequately cope with the critical thinking required to overcome most IT-related challenges, a “thick skin” is a requirement, one that I believe should show up on most job postings.

Working on the front lines of an IT organization lets you experience what it’s like to sympathize, and empathize, with those who are having the problems. It lets you develop valuable customer service and communications skills while you work towards making the customer happy. Along the way you’ll have numerous bad experiences which will serve as lessons that you can use to make yourself a better person.

No matter what role you hold within an organization, you have customers to answer to. This is something that working the front lines forces you to remember. Good or bad, working in the trenches teaches you valuable life lessons that will only help you grow as an IT professional.
