The old days of securing information by erecting virtual barbed-wire fences are over. In the modern era of cloud computing, security aspects have to be incorporated into software applications from the ground floor to ensure safety, according to a Wednesday afternoon panel at the Structure 2011 conference in San Francisco.
“When we used to think about security, we used to think about firewalls and access control lists, these moats and fences we put up between users and our applications,” said the panel’s moderator, Facebook Technical Operations VP Jonathan Heiliger. “Today’s technology has changed a lot. Now we use passive analysis tools, we do code audits, we try to teach engineers how to write more secure code.”
That’s largely because risks are different today than they used to be. “Threats are no longer coming from the Internet into the enterprise,” Heiliger said. “They’re coming from partners, from employees, from customers, people who can all deliberately or unintentionally cause harm.”
The members of the panel — Netflix Software Architect Sid Anand, Comcast Lead Operations Platform Architect Jacob Rosenberg, LinkedIn Engineering VP Kevin Scott, and Salesforce Global CIO Claus Moldt — all agreed.
“The model which has existed around security is increasingly defunct,” Comcast’s Rosenberg said. Contrary to some commonly held beliefs, he said, whether an application is hosted in the cloud or on a native server is practically moot. “It’s really important to analyze the behavior and sensitivities of the data, and to understand how that works, rather than to focus as much on [if it is] inside our network or is it in the cloud.”
But Salesforce’s Moldt pointed out that security is not entirely up to tech companies — customers have to also play a part in keeping themselves safe. “It’s also how we as cloud providers are educating our users, because in my mind it’s a shared responsibility. We can build a lot of security aspects into the services that we provide. If you do not take it seriously as the users of the infrastructure… you may be at a loss.”